Indicator match rule not matched and Mapped with filebeat-* (MISP Module)

Elastic Security SIEM
1

Hi guys,

We are using ELK 7.11.1 version.

We have ingested threat intelligence feeds from MISP server and stored in Elasticsearch through Filebeat.(Using Module MISP) and we want to map and match with Zscalerlog.

Based on the above condition, we have created indicator match rule.

The following way we had tested.

  1. I took one malicious URL from MISP server attribute lists and get it browsed via browser (http://ww.gzcfr5axf6.com/) , In the filebeat-*-MISP indices : misp.threat_indicator.attack_pattern_kql and from kibana discover it is shown as misp.threat_indicator.attack_pattern_kql: source.domain: "ww.gzcfr5axf6.com" OR destination.domain: "ww.gzcfr5axf6.com".
  2. In the zscalerlog indice , url.destination shown as url.destination: http://ww.gzcfr5axf6.com/ where by this results will be shown once we accessed to it via web browser.

we have many times tested, but the results didn't match with filebeat-*-MISP and also we got alerts but incorrect results, it is only show first 100 Zscalerlog record without match and map with Filebeat-*-MISP, the rule run every 5 minutes scheduling .

Please see our rule:-
Rule1

Please see our result:-

Rule2
Rule21321×527 90.4 KB

Notes:-

  1. Filebeat-*- MISP don't have duplicate records.
  2. Filebeat-*- MISP current total records is 600k
  3. ZscalerLog is real-time logs.
  4. ZscalerLog, each 10 minutes once will receive 3k records.

Can you help me?

Thanks.

2

We try not to flood the system, so it stops at the first 100 matches.

Your indicator mapping is:

url.destination MATCHES misp.threat_indicator.attack_pattern_kql

What it will do is take the misp.threat_indicator.attack_pattern_kql and match them against your source index pattern which would be url.destination.

In your rows in your screenshot if you added the column of url.destination that will show you what which url.destination it matched against as those rows are a copy of the data it matched against in the red blocked out index you have in your screen shot.

It looks like misp.threat_indicator.attack_pattern_kql from your data set is KQL strings? Is that strings such as source.domain: "ww.gzcfr5axf6.com" OR destination.domain: "ww.gzcfr5axf6.com".?

You will want to try out matching with misp.threat_indicator.attack_pattern instead. The matching does not take a KQL string but rather data directly.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.