Hello,
I integrated VirusTotal with MISP and ran VirusTotal on events; all of the VirusTotal attributes are saved in MISP.
I also integrated MISP with Elastic using Filebeat.
The events are stored in Elastic and I can see them in Kibana, but I did not find any attribute related to the VirusTotal results.
So I ran Burp proxy to intercept the requests between Filebeat and Elastic, and I found that Filebeat also sends the VirusTotal attributes.
My problem now is how to make Kibana and Elastic show the VirusTotal attributes.
Thanks.
Welcome to our community!
Can you copy and paste one of your events from Discover, as JSON, here for us to take a look at?
{
"_index": "filebeat-7.14.0-2021.08.15-000001",
"_type": "_doc",
"_id": "1a840f39-ae12-482d-94c7-89fb1fffbfc0",
"_version": 1,
"_score": null,
"fields": {
"threatintel.misp.attribute.object_id": [
"0"
],
"event.category": [
"threat"
],
"threatintel.misp.attribute.distribution": [
5
],
"service.type": [
"threatintel"
],
"threatintel.misp.threat_level_id": [
1
],
"threatintel.misp.attribute.timestamp": [
"1970-01-19T20:53:24.369Z"
],
"threatintel.indicator.type": [
"file"
],
"agent.name": [
"UBSERVER.cosmosoc.io"
],
"threatintel.misp.attribute.comment": [
""
],
"event.kind": [
"enrichment"
],
"threatintel.misp.attribute.deleted": [
false
],
"threatintel.misp.org_id": [
"1"
],
"threatintel.misp.attribute.disable_correlation": [
false
],
"threatintel.misp.sharing_group_id": [
"0"
],
"fileset.name": [
"misp"
],
"threatintel.misp.attribute.id": [
"6786"
],
"input.type": [
"httpjson"
],
"agent.hostname": [
"UBSERVER.cosmosoc.io"
],
"tags": [
"threatintel-misp",
"forwarded"
],
"threatintel.misp.date": [
"2021-08-31T00:00:00.000Z"
],
"threatintel.misp.publish_timestamp": [
"1970-01-01T00:00:00.000Z"
],
"threatintel.misp.locked": [
false
],
"threatintel.misp.info": [
"test md5 file"
],
"agent.id": [
"aa1d73fb-d384-48fb-b103-0283d054bf14"
],
"threatintel.misp.id": [
"15"
],
"ecs.version": [
"1.10.0"
],
"threatintel.misp.uuid": [
"bbcbc76d-2b1d-4ba4-a541-6a0975de774c"
],
"threatintel.misp.disable_correlation": [
false
],
"event.created": [
"2021-08-31T11:27:45.659Z"
],
"agent.version": [
"7.14.0"
],
"threatintel.misp.attribute.event_id": [
"15"
],
"threatintel.misp.orgc.local": [
true
],
"threatintel.misp.extends_uuid": [
""
],
"threatintel.misp.orgc.uuid": [
"cc0b9a1e-7953-413d-87db-31385c7558a2"
],
"threatintel.misp.attribute_count": [
6
],
"threatintel.misp.orgc.id": [
"1"
],
"agent.type": [
"filebeat"
],
"event.module": [
"threatintel"
],
"threatintel.misp.proposal_email_lock": [
false
],
"threatintel.misp.event_creator_email": [
"admin@admin.test"
],
"threatintel.indicator.file.hash.md5": [
"0796f1c1ea0a142fc1eb7109a44c86cb"
],
"threatintel.misp.attribute.sharing_group_id": [
"0"
],
"threatintel.misp.published": [
false
],
"threatintel.indicator.provider": [
"misp"
],
"threatintel.misp.orgc.name": [
"ORGNAME"
],
"threatintel.misp.attribute.type": [
"md5"
],
"threatintel.misp.attribute.category": [
"Payload delivery"
],
"event.ingested": [
"2021-08-31T11:27:47.328Z"
],
"@timestamp": [
"2021-08-31T10:14:46.000Z"
],
"threatintel.misp.orgc_id": [
"1"
],
"event.type": [
"indicator"
],
"threatintel.misp.attribute.to_ids": [
false
],
"agent.ephemeral_id": [
"2c11aa1c-ab0b-4668-826a-d29c65212e3a"
],
"threatintel.indicator.scanner_stats": [
0
],
"threatintel.misp.distribution": [
"1"
],
"event.dataset": [
"threatintel.misp"
]
},
"sort": [
1630404886000
]
}
This is what I have in Kibana. As you can see, the event has the MD5 hash of a malware sample, but I can't find the attributes that hold the VirusTotal results.
up ...........