Hi team,
I'm using the config below to filter on certain attribute types, but when I look at my index I find all the attribute types. Is there something I'm doing wrong?
Filebeat 7.17.3
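# MISP fileset settings. The paste lost its indentation; the nesting below is
# restored so that every `var.*` key sits under `misp:` and the `type` filter
# sits under `var.filters`. If the file on disk is as flat as the paste,
# `type` would be a sibling key and not part of the filter — verify the file.
# NOTE(review): presumably this stanza lives under the `- module: threatintel`
# entry of the modules.d file — confirm, since that line is not shown.
misp:
  enabled: true

  # Input used for ingesting threat intel data, defaults to JSON.
  var.input: httpjson

  # The URL of the MISP instance, should end with "/events/restSearch".
  var.url: 'https://SERVER/events/restSearch'

  # The authentication token used to contact the MISP API. Found when looking
  # at the user account in the MISP UI.
  # Security: this is a credential. Prefer referencing it from the Filebeat
  # keystore over storing it in this file, and keep the file readable only by
  # the Filebeat service account.
  var.api_token: 'xxxxxxx'

  # Configures the type of SSL verification done. If MISP is running on
  # self-signed certificates, the certificate either needs to be trusted or
  # verification_mode set to none.
  # Security: `none` disables certificate validation, so the API token above
  # is sent to whichever host answers, without proof that it is the MISP
  # server. Trusting the server's CA (the Filebeat SSL
  # `certificate_authorities` setting) keeps verification on.
  var.ssl.verification_mode: none

  # Optional filters that can be applied to the API for filtering out results.
  # This should support the majority of fields in a MISP context.
  # For examples please reference the filebeat module documentation.
  # The commented entries below use list form; do not mix them with the
  # mapping form used for `type`.
  # NOTE(review): whether this filter narrows the attributes inside each
  # returned event or only selects which events are returned is decided by
  # the MISP API — confirm against the MISP restSearch documentation.
  var.filters:
    # - threat_level: [4, 5]
    # - to_ids: true
    type:
      - 'md5'
      - 'sha256'
      - 'url'
      - 'ip-src'
      - 'filename'
      - 'sha1'
      - 'ip-dst'
      - 'domain'
      - 'email-src'
      - 'email-dst'
      - 'imphash'

  # How far back to look once the beat starts up for the first time; the value
  # has to be in hours. Each request afterwards will filter on any event newer
  # than the last event that was already ingested.
  var.first_interval: 100h

  # The interval to poll the API for updates.
  var.interval: 15m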