I'm trying to use Elastic's Threat Intelligence modules without having to use any kind of agents.
My Elastic server is receiving parsed logs from Logstash into specific indices. These indices have the fields 'ip' and 'from'; 'ip' contains an IP address and 'from' contains the domain name of an email id. I want to write an Elastic rule to determine if these two fields come from malicious sources, for which I want to use Elastic's threat intelligence module (or MISP integration). Ideally without any Elastic agent.
```
filebeat setup --pipelines --modules threatintel
Exiting: module threatintel is configured but has no enabled filesets
```
In spite of enabling MISP in filebeat/modules.d/threatintel.yml:
```yaml
misp:
  enabled: true
  # Input used for ingesting threat intel data, defaults to JSON.
  var.input: httpjson
  # The URL of the MISP instance, should end with "/events/restSearch".
  var.url: https://<server-ip>/events/restSearch
  # The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI.
  var.api_token: <api-token>
  # Configures the type of SSL verification done, if MISP is running on self signed certificates
  # then the certificate would either need to be trusted, or verification_mode set to none.
  var.ssl.verification_mode: none
  # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context.
  # For examples please reference the filebeat module documentation.
  #var.filters:
  #  - threat_level: [4, 5]
  #  - to_ids: true
  # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer
  # than the last event that was already ingested.
  var.first_interval: 300h
  # The interval to poll the API for updates.
  var.interval: 5m
```
I'm hiding the URL and key here; they are populated in the actual file.
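As an added example (not part of the original post or of Filebeat itself): a small stdlib-only Python check that reads a modules.d-style file and reports which filesets are enabled under each `- module:` entry, which is exactly the condition behind the "configured but has no enabled filesets" exit. It assumes the file has the usual shape (a list of `- module:` items with fileset mappings nested two spaces deeper) and understands only that YAML subset; both sample texts below are constructed, one with the `misp` block correctly nested and one with it pasted at column 0 so it no longer belongs to the module.

```python
import re

# Constructed sample in the shape of filebeat's modules.d/threatintel.yml.
SAMPLE_OK = """\
- module: threatintel
  abuseurl:
    enabled: false
  misp:
    enabled: true
    var.input: httpjson
    var.url: https://<server-ip>/events/restSearch
    var.interval: 5m
"""

# Constructed sample where the misp block sits at column 0: it is outside
# the module entry, so the module itself has no enabled fileset.
SAMPLE_BAD = """\
- module: threatintel
  abuseurl:
    enabled: false
misp:
  enabled: true
  var.input: httpjson
"""

def enabled_filesets(text):
    """Return {module: [enabled filesets]} for a modules.d-style file.
    Assumption: only the subset these files use is parsed ('- module: NAME',
    'fileset:' two spaces deeper, 'enabled: true|false' below that)."""
    result, module, fileset, base = {}, None, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#"):          # blank or comment line
            continue
        indent = len(raw) - len(raw.lstrip())
        m = re.match(r"-\s*module:\s*(\S+)", s)
        if m:                                   # start of a module entry
            module, base, fileset = m.group(1), indent, None
            result.setdefault(module, [])
            continue
        if module is None or indent <= base:    # stray key outside any module
            module, fileset = None, None
            continue
        key, _, val = s.partition(":")
        if indent == base + 2 and val.strip() == "":
            fileset = key                       # e.g. "misp:" under the module
        elif fileset and key == "enabled" and val.strip().lower() == "true":
            result[module].append(fileset)
    return result

def modules_without_filesets(text):
    """Modules that would make filebeat exit with 'has no enabled filesets'."""
    return [m for m, fs in enabled_filesets(text).items() if not fs]
```

Run it against your real threatintel.yml text; if `threatintel` shows up in `modules_without_filesets`, the `misp:` stanza is not nested under the module entry as Filebeat expects.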