VirusTotal module MISP attributes are not stored in ELK

hello,
I integrated VirusTotal with MISP and ran the VirusTotal module against my events; all of the resulting VirusTotal attributes are saved in MISP.
I also integrated MISP with Elastic using Filebeat (the threatintel module's misp fileset).
The events are stored in Elasticsearch and I can see them in Kibana, but I cannot find any attribute related to the VirusTotal results.
To check, I ran Burp proxy to intercept the requests between Filebeat and Elasticsearch, and I found that Filebeat does send the VirusTotal attributes as well. (Note: routing the Filebeat-to-Elasticsearch connection through an intercepting proxy means either the link was plaintext or the proxy's certificate was trusted; that is fine for a one-off check but should not be left in place.)
My problem now is how to make Kibana and Elasticsearch show the VirusTotal attributes.
Thanks.

Welcome to our community! :smiley:

Can you copy and paste one of your events from Discover, as JSON, here for us to take a look at?

{
  "_index": "filebeat-7.14.0-2021.08.15-000001",
  "_type": "_doc",
  "_id": "1a840f39-ae12-482d-94c7-89fb1fffbfc0",
  "_version": 1,
  "_score": null,
  "fields": {
    "threatintel.misp.attribute.object_id": [
      "0"
    ],
    "event.category": [
      "threat"
    ],
    "threatintel.misp.attribute.distribution": [
      5
    ],
    "service.type": [
      "threatintel"
    ],
    "threatintel.misp.threat_level_id": [
      1
    ],
    "threatintel.misp.attribute.timestamp": [
      "1970-01-19T20:53:24.369Z"
    ],
    "threatintel.indicator.type": [
      "file"
    ],
    "agent.name": [
      "UBSERVER.cosmosoc.io"
    ],
    "threatintel.misp.attribute.comment": [
      ""
    ],
    "event.kind": [
      "enrichment"
    ],
    "threatintel.misp.attribute.deleted": [
      false
    ],
    "threatintel.misp.org_id": [
      "1"
    ],
    "threatintel.misp.attribute.disable_correlation": [
      false
    ],
    "threatintel.misp.sharing_group_id": [
      "0"
    ],
    "fileset.name": [
      "misp"
    ],
    "threatintel.misp.attribute.id": [
      "6786"
    ],
    "input.type": [
      "httpjson"
    ],
    "agent.hostname": [
      "UBSERVER.cosmosoc.io"
    ],
    "tags": [
      "threatintel-misp",
      "forwarded"
    ],
    "threatintel.misp.date": [
      "2021-08-31T00:00:00.000Z"
    ],
    "threatintel.misp.publish_timestamp": [
      "1970-01-01T00:00:00.000Z"
    ],
    "threatintel.misp.locked": [
      false
    ],
    "threatintel.misp.info": [
      "test md5 file"
    ],
    "agent.id": [
      "aa1d73fb-d384-48fb-b103-0283d054bf14"
    ],
    "threatintel.misp.id": [
      "15"
    ],
    "ecs.version": [
      "1.10.0"
    ],
    "threatintel.misp.uuid": [
      "bbcbc76d-2b1d-4ba4-a541-6a0975de774c"
    ],
    "threatintel.misp.disable_correlation": [
      false
    ],
    "event.created": [
      "2021-08-31T11:27:45.659Z"
    ],
    "agent.version": [
      "7.14.0"
    ],
    "threatintel.misp.attribute.event_id": [
      "15"
    ],
    "threatintel.misp.orgc.local": [
      true
    ],
    "threatintel.misp.extends_uuid": [
      ""
    ],
    "threatintel.misp.orgc.uuid": [
      "cc0b9a1e-7953-413d-87db-31385c7558a2"
    ],
    "threatintel.misp.attribute_count": [
      6
    ],
    "threatintel.misp.orgc.id": [
      "1"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "threatintel"
    ],
    "threatintel.misp.proposal_email_lock": [
      false
    ],
    "threatintel.misp.event_creator_email": [
      "admin@admin.test"
    ],
    "threatintel.indicator.file.hash.md5": [
      "0796f1c1ea0a142fc1eb7109a44c86cb"
    ],
    "threatintel.misp.attribute.sharing_group_id": [
      "0"
    ],
    "threatintel.misp.published": [
      false
    ],
    "threatintel.indicator.provider": [
      "misp"
    ],
    "threatintel.misp.orgc.name": [
      "ORGNAME"
    ],
    "threatintel.misp.attribute.type": [
      "md5"
    ],
    "threatintel.misp.attribute.category": [
      "Payload delivery"
    ],
    "event.ingested": [
      "2021-08-31T11:27:47.328Z"
    ],
    "@timestamp": [
      "2021-08-31T10:14:46.000Z"
    ],
    "threatintel.misp.orgc_id": [
      "1"
    ],
    "event.type": [
      "indicator"
    ],
    "threatintel.misp.attribute.to_ids": [
      false
    ],
    "agent.ephemeral_id": [
      "2c11aa1c-ab0b-4668-826a-d29c65212e3a"
    ],
    "threatintel.indicator.scanner_stats": [
      0
    ],
    "threatintel.misp.distribution": [
      "1"
    ],
    "event.dataset": [
      "threatintel.misp"
    ]
  },
  "sort": [
    1630404886000
  ]
}

This is what I have in Kibana. As you can see, this document carries a single MD5 hash attribute (attribute id 6786) for a malware sample, and I cannot find the attributes that hold the VirusTotal results. Note that the same document reports `threatintel.misp.attribute_count` of 6 for event 15, while only one attribute appears here, so the Filebeat misp fileset seems to emit one document per attribute; the other attributes would have to be searched for as separate documents (e.g. `threatintel.misp.id: 15`). Separately, `threatintel.misp.attribute.timestamp` and `threatintel.misp.publish_timestamp` show 1970 dates, which looks like an epoch-seconds value being parsed as milliseconds in the ingest pipeline; that is a date-mapping issue, not the cause of the missing attributes.

up ...........
