Threatintel anomali error: the requested root field is empty

Hi,

I gave the threatintel module a try. Successfully ingesting abuseurl, abusemalware and otx. I've a problem with getting anomali to work.

First I figured, I have to uncomment the username/password fields to send default guest credentials.

But then I get:

Apr 21 12:14:47 ingester filebeat[29141]: 2021-04-21T12:14:47.524Z#011INFO#011[input.httpjson-cursor]#011v2/input.go:145#011Input stopped because context
 was cancelled with: context canceled#011{"input_source": "https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects", "input_url": "https://li
mo.anomali.com/api/v1/taxii2/feeds/collections/41/objects"}
Apr 21 12:14:50 ingester filebeat[3205]: 2021-04-21T12:14:50.228Z#011INFO#011[input.httpjson-cursor]#011v2/input.go:126#011Process another repeated reque
st.#011{"input_source": "https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects", "input_url": "https://limo.anomali.com/api/v1/taxii2/feeds
/collections/41/objects"}
Apr 21 12:14:50 ingester filebeat[3205]: 2021-04-21T12:14:50.938Z#011ERROR#011[input.httpjson-cursor]#011v2/request.go:186#011error processing response:
the requested root field is empty#011{"input_source": "https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects", "input_url": "https://limo.a
nomali.com/api/v1/taxii2/feeds/collections/41/objects"}
Apr 21 12:14:50 ingester filebeat[3205]: 2021-04-21T12:14:50.938Z#011INFO#011[input.httpjson-cursor]#011v2/request.go:209#011request finished: 0 events p
ublished#011{"input_source": "https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects", "input_url": "https://limo.anomali.com/api/v1/taxii2/
feeds/collections/41/objects"}

This is my threatinel module anomali section:

anomali:
    enabled: true
    var.input: httpjson
    var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects
    var.username: guest
    var.password: guest
    var.first_interval: 400h
    var.interval: 5m

I also tried a few other collections, but with no difference. Anything I'm doing wrong here?

Sebastian

I am having the same problem when trying to configure filebeat to work with my MISP instance. However, I am using an API key to access my site.

EDIT:
-Apologies, I was using the MISP.yml instead of threatintel...when I moved over to threatintel, ti worked correctly for me.