Threat intel Filebeat module - I don't get any data From MISP and i don't know why

Elastic Stack Beats
,
1

Hello,

I'm trying to integrate MISP IOC's into Kibana via Threat intel Filebeat Module.

When i look at the analytics dicover view in kibana, i see every var.interval (set in the module config) a new hit with an event.original field empty. ({"response":[]} <-- see below picture)

Hit view on Kibana

image
image2730×1397 313 KB

I can't explain this result as I make the POST request on my host machine and get many events... See below:

MISP API Rest POST /events/restSearch

nicop@nicop-IdeaPad-5-Pro-14ARH7:~$ curl -k \                                                                                                           
 -H "Authorization: BEpdSXuPb2lRyhVjNy9nHiA7EApYdD9ajMRafBZQ" \
 -H "Accept: application/json" \
 -H "Content-type: application/json" \
 -X POST https://localhost/events/restSearch \
 -d '{"returnFormat":"json","page":"1","limit":"10","timestamp":"1678704229"}'

{"response": [{"Event":{"id":"2413","orgc_id":"9","org_id":"1","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","attribute_count":"57","analysis":"0","timestamp":"1679128999","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1679129000","sharing_group_id":"0", etc...

I deduce from the Preview API of the Elastic agent policies (In the Integration part of Kibana) that the following fields returnFormat | page | limit | timestamp was put in the request made to MISP instance to retrieve the data. (See below picture to see where i found it)
MISP integration Elastic-Agent policy setting

image
image2728×1561 210 KB

MISP Preview Kibana API Request transformation in Kibana Console
image
image2728×1561 422 KB

Can someone confirm that for filebeat the data fields above are well defined in the API request made to MISP to retrieve the data ?
Is there a way to modify these settings ?

Process followed to put Filebeat up

image
image1267×1565 151 KB

Filebeat Logs process events

{"log.level":"info","@timestamp":"2023-03-18T12:43:26.185+0100","log.logger":"input.httpjson-cursor","log.origin":{"file.name":"httpjson/input.go","file.line":132},"message":"Process another repeated request.","service.name":"filebeat","id":"6F488BAA3E80B30B","input_source":"https://localhost/events/restSearch","input_url":"https://localhost/events/restSearch","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-18T12:43:26.802+0100","log.logger":"input.httpjson-cursor","log.origin":{"file.name":"httpjson/request.go","file.line":445},"message":"request finished: 1657 events published","service.name":"filebeat","id":"6F488BAA3E80B30B","input_source":"https://localhost/events/restSearch","input_url":"https://localhost/events/restSearch","ecs.version":"1.6.0"}
2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.