i'm using the below config to filters some attributes type, but when i look at my index i find all the attributes types , is something i'm doing it wrong ?
misp: enabled: true # Input used for ingesting threat intel data, defaults to JSON. var.input: httpjson # The URL of the MISP instance, should end with "/events/restSearch". var.url: https://SERVER/events/restSearch # The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI. var.api_token: xxxxxxx # Configures the type of SSL verification done, if MISP is running on self signed certificates # then the certificate would either need to be trusted, or verification_mode set to none. var.ssl.verification_mode: none # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context. # For examples please reference the filebeat module documentation. var.filters: # - threat_level: [4, 5] # - to_ids: true type: ["md5", "sha256", "url", "ip-src", "filename", "sha1", "ip-dst", "domain", "email-src", "email-dst", "imphash"] # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer # than the last event that was already ingested. var.first_interval: 100h # The interval to poll the API for updates. var.interval: 15m