Hi everyone,
I've been struggling with the problem indicated in question for several days and I haven't been able to find a solution.
I did a lot of research online and finally came across this link, but unfortunately the proposed solution doesn't work: [threatintel Filebeat module] MISP , not filtering attribites
Please, is there a way to make the filters work?
Without the filters the data from the MISP is imported but I would need to filter it as I don't need all the generic data.
Thank you all.
Hi @fabiodanzetta,
Welcome! Which version of Filebeat are you using?
It might be an issue with your filters. Can you share your config?
Hi @carly.richmond ,
the version of Filebeat is: filebeat version 7.17.21 (amd64), libbeat 7.17.21 [ba1f1c115316c2434bb0d713bc211d63bc899a14 built 2024-04-10 18:05:45 +0000 UTC]
This is my config; where it says `tags` and `type` we also tried with a `-` in front:

```yaml
misp:
  enabled: true
  # Input used for ingesting threat intel data, defaults to JSON.
  var.input: httpjson
  # The URL of the MISP instance, should end with "/events/restSearch".
  var.url: https://my_misp_instace_ip/events/restSearch
  # The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI.
  var.api_token: my_api_token
  # Configures the type of SSL verification done, if MISP is running on self signed certificates
  # then the certificate would either need to be trusted, or verification_mode set to none.
  var.ssl.verification_mode: none
  # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context.
  # For examples please reference the filebeat module documentation.
  var.filters:
    type: ["domain"]
    tags: ["Elastic-SIEM"]
    # - threat_level: [4, 5]
    # - to_ids: true
  # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer
  # than the last event that was already ingested.
  var.first_interval: 240h
  # The interval to poll the API for updates.
  var.interval: 10m
```
Finally, this is the error when we restart the agent:

```
ERROR instance/beat.go:1027 Exiting: Failed to start crawler: creating module reloader failed: error checking input configuration: can not convert 'object' into 'string' accessing 'type'
```
Thank you very much for your help.
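A useful way to narrow this down is to separate the two questions the thread mixes: does Filebeat accept the `var.filters` shape, and does MISP actually honour a `type`/`tags` filter on `/events/restSearch`? The script below is an added example, not Filebeat's or MISP's own code. It accepts the filters in either of the two shapes tried above (a mapping, or a list of single-key mappings), builds the JSON body for MISP's documented `restSearch` parameters (`returnFormat`, `type`, `tags`, `last`), and applies the same filter locally to a response so you can compare what the server returned with what you expected to keep. `SAMPLE_RESPONSE` is a constructed response in MISP's event/attribute shape; the URL and token in `main` are placeholders, and the `last` window value is an assumption about MISP's relative-time syntax.

```python
"""Check a MISP restSearch filter independently of the Filebeat threatintel module."""
import json
import ssl
import urllib.request

# Constructed sample in the shape MISP returns for POST /events/restSearch (not real data).
SAMPLE_RESPONSE = {
    "response": [
        {"Event": {"id": "1", "info": "campaign A",
                   "Tag": [{"name": "Elastic-SIEM"}],
                   "Attribute": [
                       {"type": "domain", "value": "bad.example.test", "to_ids": True, "Tag": []},
                       {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True, "Tag": []},
                   ]}},
        {"Event": {"id": "2", "info": "generic feed",
                   "Tag": [{"name": "tlp:white"}],
                   "Attribute": [
                       {"type": "domain", "value": "other.example.test", "to_ids": False,
                        "Tag": [{"name": "Elastic-SIEM"}]},
                   ]}},
    ]
}


def normalize_filters(filters):
    """Flatten either a mapping or a list of single-key mappings into one dict.

    Both shapes were tried in the thread; the request body MISP expects is a flat
    JSON object either way.
    """
    if isinstance(filters, dict):
        return dict(filters)
    merged = {}
    for item in filters:
        if not isinstance(item, dict) or len(item) != 1:
            raise ValueError(f"filter entry must be a single-key mapping: {item!r}")
        merged.update(item)
    return merged


def build_restsearch_body(filters, last="10d"):
    """Build the JSON body for /events/restSearch.  `last` (assumption: MISP's
    relative-time syntax) limits the window, like the module's first_interval."""
    body = {"returnFormat": "json", "last": last}
    body.update(normalize_filters(filters))
    return body


def local_filter(response, filters):
    """Apply the type/tags filter locally and return (event id, type, value) tuples.

    A tag matches if it is on the event or on the attribute itself, so you can
    see which attributes a working filter should have kept.
    """
    f = normalize_filters(filters)
    want_types = set(f.get("type", []))
    want_tags = set(f.get("tags", []))
    hits = []
    for wrapper in response.get("response", []):
        event = wrapper["Event"]
        event_tags = {t["name"] for t in event.get("Tag", [])}
        for attr in event.get("Attribute", []):
            if want_types and attr["type"] not in want_types:
                continue
            attr_tags = event_tags | {t["name"] for t in attr.get("Tag", [])}
            if want_tags and not (attr_tags & want_tags):
                continue
            hits.append((event["id"], attr["type"], attr["value"]))
    return hits


def query_misp(url, api_token, body, verify_tls=True):
    """POST the body to MISP; verify_tls=False mirrors var.ssl.verification_mode: none."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": api_token, "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    filters = {"type": ["domain"], "tags": ["Elastic-SIEM"]}
    print("request body:", json.dumps(build_restsearch_body(filters)))
    print("locally filtered sample:", local_filter(SAMPLE_RESPONSE, filters))
    # Against a real instance (placeholders, replace before running):
    # live = query_misp("https://MISP_HOST/events/restSearch", "API_TOKEN",
    #                   build_restsearch_body(filters), verify_tls=False)
    # print(len(local_filter(live, {})), "attributes returned,",
    #       len(local_filter(live, filters)), "match the filter locally")
```

If the live query returns attributes that the local filter drops, MISP is not applying the filter the way the module config implies and the problem is on the request side; if the two counts agree, the filter body is fine and the remaining issue is purely how Filebeat parses `var.filters`.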