Threat intel Filebeat module - I don't get any data From MISP and i don't know why


I'm trying to integrate MISP IOC's into Kibana via Threat intel Filebeat Module.

When i look at the analytics dicover view in kibana, i see every var.interval (set in the module config) a new hit with an event.original field empty. ({"response":[]} <-- see below picture)

Hit view on Kibana

I can't explain this result as I make the POST request on my host machine and get many events... See below:

MISP API Rest POST /events/restSearch

nicop@nicop-IdeaPad-5-Pro-14ARH7:~$ curl -k \                                                                                                           
 -H "Authorization: BEpdSXuPb2lRyhVjNy9nHiA7EApYdD9ajMRafBZQ" \
 -H "Accept: application/json" \
 -H "Content-type: application/json" \
 -X POST https://localhost/events/restSearch \
 -d '{"returnFormat":"json","page":"1","limit":"10","timestamp":"1678704229"}'

{"response": [{"Event":{"id":"2413","orgc_id":"9","org_id":"1","date":"2018-08-17","threat_level_id":"1","info":"Turla Outlook White Paper","published":true,"uuid":"5b773e07-e694-458b-b99c-27f30a016219","attribute_count":"57","analysis":"0","timestamp":"1679128999","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"1679129000","sharing_group_id":"0", etc...

I deduce from the Preview API of the Elastic agent policies (In the Integration part of Kibana) that the following fields returnFormat | page | limit | timestamp was put in the request made to MISP instance to retrieve the data. (See below picture to see where i found it)
MISP integration Elastic-Agent policy setting

MISP Preview Kibana API Request transformation in Kibana Console

Can someone confirm that for filebeat the data fields above are well defined in the API request made to MISP to retrieve the data ?
Is there a way to modify these settings ?

Process followed to put Filebeat up

Filebeat Logs process events

{"log.level":"info","@timestamp":"2023-03-18T12:43:26.185+0100","log.logger":"input.httpjson-cursor","log.origin":{"":"httpjson/input.go","file.line":132},"message":"Process another repeated request.","":"filebeat","id":"6F488BAA3E80B30B","input_source":"https://localhost/events/restSearch","input_url":"https://localhost/events/restSearch","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-18T12:43:26.802+0100","log.logger":"input.httpjson-cursor","log.origin":{"":"httpjson/request.go","file.line":445},"message":"request finished: 1657 events published","":"filebeat","id":"6F488BAA3E80B30B","input_source":"https://localhost/events/restSearch","input_url":"https://localhost/events/restSearch","ecs.version":"1.6.0"}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.