After watching the recent Elastic threat hunting Webex, which mentioned URLhaus, I wanted to try to add a lookup to the haus CSV data source.
Currently, in my Logstash conf I'm connecting to a database which contains a urlpath field. I then want to check this against the URLs contained in the haus list (CSV), ultimately returning true or false and pulling back the corresponding info from the CSV if matched, i.e. related tags etc.
I had a few unsuccessful attempts and wondered if anyone has some tips or examples to follow.
Thanks bardie for the reply, this is really helpful.
I've successfully pulled the data from haus and created an index called malware-*, but I'm not clear on the second part, i.e.:
filter {
  elasticsearch {
    hosts  => ["elasticsearch"]
    index  => "malware-*"
    query  => 'url:"%{[url]}"'
    fields => { "link" => "reference" }
  }
}
Is this added to my existing conf that contain my urlpath field which I want to compare?
This is the conf output that populates my existing index which contains urlpath I want to match against:
output {
  if [type] == "test-2-3" {
    elasticsearch {
      hosts    => "http://xxx.xxx.xxx.xxx:9200"
      user     => "ELASTIC_USER"
      password => "ELASTIC_PWD"
      index    => "test-main-controls-%{+YYYY.MM.dd}"
    }
  }
}
I've not had any exposure to using this compare/match method, so it would be great to get this working. Thanks again.
Also, can I use regex in the query to check any part of the URL for a match?
Thanks. I now have it running. One last question regarding: query => 'url:"%{[url]}"'
So, to be clear, can I change "%{[url]}" to "%{[urlpath]}", or do they have to match exactly?
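As an added example (not from the thread or from bardie's reply), here is how the lookup filter fits into the same pipeline as the output above, with the event's urlpath field matched against the url field of the malware-* index and the URLhaus columns copied onto the event. The placeholder host, the credentials, the type value and the URLhaus column names "url", "tags" and "link" are assumptions taken from the snippets in this thread; adjust them to what your malware-* index actually holds.

```conf
filter {
  # Runs before output in the same conf; only enrich events that carry urlpath.
  if [type] == "test-2-3" and [urlpath] {
    elasticsearch {
      hosts    => ["http://xxx.xxx.xxx.xxx:9200"]   # placeholder, same node as the output
      user     => "ELASTIC_USER"
      password => "ELASTIC_PWD"
      index    => "malware-*"
      # Left of the colon: the field name inside malware-* (URLhaus "url" column).
      # Inside %{...}: the field of the event flowing through this pipeline.
      # The two names do not have to be the same; the VALUES must match exactly,
      # because the quoted query string is a phrase match on the indexed url.
      query    => 'url:"%{[urlpath]}"'
      # Copy columns from the matching URLhaus document into the event.
      fields   => {
        "tags" => "[urlhaus][tags]"
        "link" => "[urlhaus][reference]"
      }
      tag_on_failure => ["_urlhaus_lookup_failure"]
    }
    # Presence of the copied field is the true/false signal for a hit.
    if [urlhaus][reference] {
      mutate { add_tag => ["urlhaus_match"] }
    } else {
      mutate { add_field => { "[urlhaus][matched]" => "false" } }
    }
  }
}
```

Partial matching is possible because query accepts Lucene query string syntax (for example a wildcard or /regex/ on the url field), but a leading wildcard or unanchored regex is scanned across every term in the index and gets slow as the URLhaus list grows; an exact or prefix match on a keyword field is the cheap path.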