From 3a75570ff1f29932465174d676a191addac99b10 Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Thu, 18 Nov 2021 10:54:01 +0100 Subject: [PATCH] [filebeat] Threat intel sync (#29014) * abusemalware changes * abuseurl changes * malwarebazaar changes * anomali changes * otx changes * threatq changes * misp changes * anomalithreatstream changes * recordedfuture changes * Change dashboards field names and fields files * Change base to '' in field definition * Add changelog entry * Add threat.feed.name and threat.feed.dashboard_id --- CHANGELOG.next.asciidoc | 2 + filebeat/docs/fields.asciidoc | 951 +-- filebeat/docs/modules/threatintel.asciidoc | 127 +- .../module/threatintel/_meta/docs.asciidoc | 127 +- .../module/threatintel/_meta/fields.yml | 387 +- .../021ba940-de96-11eb-8f2b-753caedf727d.json | 4 +- .../028175a0-ff74-11eb-acb2-2960a7069ed1.json | 4 +- .../037e2af0-df50-11eb-8f2b-753caedf727d.json | 4 +- .../06744e90-df52-11eb-8f2b-753caedf727d.json | 6 +- .../0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json | 10 +- .../1136ceb0-de95-11eb-8f2b-753caedf727d.json | 4 +- .../139c7da0-df51-11eb-8f2b-753caedf727d.json | 4 +- .../36f61650-de96-11eb-8f2b-753caedf727d.json | 4 +- .../3c40f4d0-de97-11eb-8f2b-753caedf727d.json | 4 +- .../3c996410-df52-11eb-8f2b-753caedf727d.json | 4 +- .../5e76ef90-df51-11eb-8f2b-753caedf727d.json | 4 +- .../5ef7b430-de94-11eb-8f2b-753caedf727d.json | 4 +- .../790cd040-df51-11eb-8f2b-753caedf727d.json | 4 +- .../7d9c70f0-de95-11eb-8f2b-753caedf727d.json | 4 +- .../7ec83f60-de98-11eb-8f2b-753caedf727d.json | 4 +- .../8a6f7b20-de94-11eb-8f2b-753caedf727d.json | 4 +- .../8fb01a00-df51-11eb-8f2b-753caedf727d.json | 4 +- .../9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json | 10 +- .../949bc180-df52-11eb-8f2b-753caedf727d.json | 4 +- .../976620a0-de98-11eb-8f2b-753caedf727d.json | 4 +- .../9c78ade0-de95-11eb-8f2b-753caedf727d.json | 4 +- .../a0a31740-df51-11eb-8f2b-753caedf727d.json | 4 +- .../aac00bc0-de98-11eb-8f2b-753caedf727d.json | 4 +- .../ae5934e0-de94-11eb-8f2b-753caedf727d.json | 4 +- 
.../b0837690-df52-11eb-8f2b-753caedf727d.json | 4 +- .../bd28cb00-de96-11eb-8f2b-753caedf727d.json | 4 +- .../bfd2bfe0-de97-11eb-8f2b-753caedf727d.json | 4 +- .../c2a5c180-df51-11eb-8f2b-753caedf727d.json | 6 +- .../c91fcd10-de95-11eb-8f2b-753caedf727d.json | 4 +- .../cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json | 6 +- .../d991e510-de96-11eb-8f2b-753caedf727d.json | 4 +- .../dd4a3da0-df50-11eb-8f2b-753caedf727d.json | 4 +- .../e5f07800-de94-11eb-8f2b-753caedf727d.json | 4 +- .../f37f8350-df50-11eb-8f2b-753caedf727d.json | 4 +- .../f52a9720-de93-11eb-8f2b-753caedf727d.json | 4 +- .../f5f18940-de96-11eb-8f2b-753caedf727d.json | 4 +- .../63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json | 4 +- .../ec5aa090-df42-11eb-8f2b-753caedf727d.json | 10 +- .../01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json | 14 +- .../1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../302d0850-ff7b-11eb-acb2-2960a7069ed1.json | 4 +- .../346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json | 4 +- .../41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json | 14 +- .../49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../5d395d80-ff71-11eb-acb2-2960a7069ed1.json | 4 +- .../5eb61d00-ff72-11eb-acb2-2960a7069ed1.json | 6 +- .../6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json | 8 +- 
.../7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json | 14 +- .../7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json | 4 +- .../9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../92961600-7621-11eb-a3e3-b3cc7c78a70f.json | 6 +- .../95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json | 4 +- .../98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json | 14 +- .../a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json | 10 +- .../a911a8b0-ff77-11eb-acb2-2960a7069ed1.json | 4 +- .../ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json | 6 +- .../aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json | 10 +- .../b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json | 14 +- .../bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json | 6 +- .../dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json | 8 +- .../f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json | 8 +- .../f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json | 14 +- .../threatintel/abusemalware/_meta/fields.yml | 4 +- .../abusemalware/config/config.yml | 28 +- .../abusemalware/ingest/pipeline.yml | 101 
+- .../threatintel/abusemalware/manifest.yml | 3 + .../abusechmalware.ndjson.log-expected.json | 518 +- .../threatintel/abuseurl/_meta/fields.yml | 2 +- .../threatintel/abuseurl/config/config.yml | 25 +- .../threatintel/abuseurl/ingest/pipeline.yml | 68 +- .../module/threatintel/abuseurl/manifest.yml | 2 + .../test/abusechurl.ndjson.log-expected.json | 4226 ++++++------- .../threatintel/anomali/_meta/fields.yml | 4 +- .../threatintel/anomali/config/config.yml | 23 +- .../threatintel/anomali/ingest/pipeline.yml | 86 +- .../module/threatintel/anomali/manifest.yml | 4 +- .../anomali_limo.ndjson.log-expected.json | 4190 ++++++------- .../anomalithreatstream/_meta/fields.yml | 2 +- .../anomalithreatstream/config/config.yml | 41 +- .../anomalithreatstream/ingest/pipeline.yml | 169 +- .../anomalithreatstream/manifest.yml | 6 +- .../test/generated.log-expected.json | 5302 +++++++++-------- x-pack/filebeat/module/threatintel/fields.go | 2 +- .../malwarebazaar/_meta/fields.yml | 2 +- .../malwarebazaar/config/config.yml | 28 +- .../malwarebazaar/ingest/pipeline.yml | 191 +- .../threatintel/malwarebazaar/manifest.yml | 2 + .../malwarebazaar.ndjson.log-expected.json | 412 +- .../module/threatintel/misp/config/config.yml | 52 +- .../threatintel/misp/ingest/pipeline.yml | 298 +- .../module/threatintel/misp/manifest.yml | 2 + .../test/misp_sample.ndjson.log-expected.json | 1192 ++-- ...th_ext_attributes.ndjson.log-expected.json | 2382 ++++---- .../module/threatintel/otx/config/config.yml | 21 +- .../threatintel/otx/ingest/pipeline.yml | 128 +- .../module/threatintel/otx/manifest.yml | 2 + .../test/otx_sample.ndjson.log-expected.json | 628 +- .../recordedfuture/config/config.yml | 31 +- .../recordedfuture/ingest/pipeline.yml | 119 +- .../threatintel/recordedfuture/manifest.yml | 2 + .../test/domain.ndjson.log-expected.json | 320 +- .../test/hash.ndjson.log-expected.json | 460 +- .../test/ip.ndjson.log-expected.json | 462 +- .../test/url.ndjson.log-expected.json | 500 +- 
.../threatintel/threatq/config/config.yml | 27 +- .../threatintel/threatq/ingest/pipeline.yml | 240 +- .../module/threatintel/threatq/manifest.yml | 4 +- .../threatq_sample.ndjson.log-expected.json | 320 +- 147 files changed, 12593 insertions(+), 12280 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index bd473812131..6bb189ee301 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -62,6 +62,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - All modules: Replace usages of deprecated ECS fields `process.ppid` and `log.original` with `process.parent.pid` and `event.original`. {pull}28620[28620] - Replace usages of `host.user.*` fields with `user.*` in `cisco`, `microsoft` and `oracle` modules. {pull}28620[28620] - Remove `docker` input. Please use `filestream` input with `container` parser or `container` input. {pull}28817[28817] +- Change `threatintel` module to use new `threat.*` ECS fields. {pull}29014[29014] *Heartbeat* @@ -183,6 +184,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Upgrade azure-eventhub sdk reference, contains potential checkpoint fixes. {pull}28919[28919] - Revert usageDetails api version to 2019-01-01. {pull}28995[28995] - Fix in `aws-s3` input regarding provider discovery through endpoint {pull}28963[28963] +- Fix `threatintel.misp` filters configuration. {issue}27970[27970] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index d89839516fe..34b05a0fd24 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -150641,385 +150641,8 @@ Threat intelligence Filebeat Module. -[float] -=== threatintel - -Fields from the threatintel Filebeat module. - - - -*`threatintel.indicator.first_seen`*:: -+ --- -The date and time when intelligence source first reported sighting this indicator. - - -type: date - --- - -*`threatintel.indicator.last_seen`*:: -+ --- -The date and time when intelligence source last reported sighting this indicator. - - -type: date - --- - -*`threatintel.indicator.sightings`*:: -+ --- -Number of times this indicator was observed conducting threat activity. - - -type: long - --- - -*`threatintel.indicator.type`*:: -+ --- -Type of indicator as represented by Cyber Observable in STIX 2.0. Expected values - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * process - * software - * url - * user-account - * windows-registry-key - * x-509-certificate - - -type: keyword - --- - -*`threatintel.indicator.description`*:: -+ --- -Describes the type of action conducted by the threat. - - -type: keyword - --- - -*`threatintel.indicator.scanner_stats`*:: -+ --- -Count of AV/EDR vendors that successfully detected malicious file or URL. - - -type: long - --- - -*`threatintel.indicator.provider`*:: -+ --- -Identifies the name of the intelligence provider. - - -type: keyword - --- - -*`threatintel.indicator.confidence`*:: -+ --- -Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - - -type: keyword - --- - -*`threatintel.indicator.module`*:: -+ --- -Identifies the name of specific module this data is coming from. - - -type: keyword - --- - -*`threatintel.indicator.dataset`*:: -+ --- -Identifies the name of specific dataset from the intelligence source. 
- - -type: keyword - --- - -*`threatintel.indicator.reference`*:: -+ --- -Reference URL linking to additional information about this indicator. - - -type: keyword - --- - -*`threatintel.indicator.ip`*:: -+ --- -Identifies a threat indicator as an IP address (irrespective of direction). - - -type: ip - --- - -*`threatintel.indicator.port`*:: -+ --- -Identifies a threat indicator as a port number (irrespective of direction). - - -type: long - --- - -*`threatintel.indicator.email.address`*:: -+ --- -Identifies a threat indicator as an email address (irrespective of direction). - - -type: keyword - --- - -*`threatintel.indicator.marking.tlp`*:: -+ --- -Traffic Light Protocol sharing markings. Expected values are: - * White - * Green - * Amber - * Red - - -type: keyword - --- - - -*`threatintel.indicator.matched.atomic`*:: -+ --- -Identifies the atomic indicator that matched a local environment endpoint or network event. - - -type: keyword - --- - -*`threatintel.indicator.matched.field`*:: -+ --- -Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - - -type: keyword - --- - -*`threatintel.indicator.matched.type`*:: -+ --- -Identifies the type of the atomic indicator that matched a local environment endpoint or network event. - - -type: keyword - --- - - -*`threatintel.indicator.as.number`*:: -+ --- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long - -example: 15169 - --- - -*`threatintel.indicator.as.organization.name`*:: -+ --- -Organization name. - -type: keyword - -example: Google LLC - --- - -*`threatintel.indicator.as.organization.name.text`*:: -+ --- -type: text - --- - - -*`threatintel.indicator.registry.data.strings`*:: -+ --- -Content when writing string types. Populated as an array when writing string data to the registry. 
For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - - -type: keyword - -example: ["C:\rta\red_ttp\bin\myapp.exe"] - --- - -*`threatintel.indicator.registry.path`*:: -+ --- -Full path, including hive, key and value - -type: keyword - -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - --- - -*`threatintel.indicator.registry.value`*:: -+ --- -Name of the value written. - -type: keyword - -example: Debugger - --- - -*`threatintel.indicator.registry.key`*:: -+ --- -Registry key value - -type: keyword - --- - - -*`threatintel.indicator.geo.city_name`*:: -+ --- -City name. - -type: keyword - -example: Montreal - --- - -*`threatintel.indicator.geo.continent_name`*:: -+ --- -Name of the continent. - -type: keyword - -example: North America - --- - -*`threatintel.indicator.geo.country_iso_code`*:: -+ --- -Country ISO code. - -type: keyword - -example: CA - --- - -*`threatintel.indicator.geo.country_name`*:: -+ --- -Country name. - -type: keyword - -example: Canada - --- - -*`threatintel.indicator.geo.location`*:: -+ --- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } - --- - -*`threatintel.indicator.geo.region_iso_code`*:: -+ --- -Region ISO code. - -type: keyword - -example: CA-QC - --- - -*`threatintel.indicator.geo.region_name`*:: -+ --- -Region name. - -type: keyword - -example: Quebec - --- - -*`threatintel.indicator.file.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - - -*`threatintel.indicator.file.hash.tlsh`*:: +*`threat.indicator.file.hash.tlsh`*:: + -- The file's import tlsh, if available. @@ -151029,47 +150652,7 @@ type: keyword -- -*`threatintel.indicator.file.hash.ssdeep`*:: -+ --- -The file's ssdeep hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.md5`*:: -+ --- -The file's md5 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.sha1`*:: -+ --- -The file's sha1 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.sha256`*:: -+ --- -The file's sha256 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.hash.sha384`*:: +*`threat.indicator.file.hash.sha384`*:: + -- The file's sha384 hash, if available. 
@@ -151079,272 +150662,28 @@ type: keyword -- -*`threatintel.indicator.file.hash.sha512`*:: -+ --- -The file's sha512 hash, if available. - - -type: keyword - --- - -*`threatintel.indicator.file.type`*:: -+ --- -The file type. - - -type: keyword - --- - -*`threatintel.indicator.file.size`*:: -+ --- -The file's total size. - - -type: long - --- - -*`threatintel.indicator.file.name`*:: -+ --- -The file's name. - - -type: keyword - --- - -*`threatintel.indicator.file.extension`*:: -+ --- -The file's extension. - - -type: keyword - --- - -*`threatintel.indicator.file.mime_type`*:: -+ --- -The file's MIME type. - - -type: keyword - --- - - -*`threatintel.indicator.url.domain`*:: -+ --- -Domain of the url, such as "www.elastic.co". - - -type: keyword - --- - -*`threatintel.indicator.url.extension`*:: -+ --- -The field contains the file extension from the original request - - -type: keyword - --- - -*`threatintel.indicator.url.fragment`*:: -+ --- -Portion of the url after the `#`, such as "top". - - -type: keyword - --- - -*`threatintel.indicator.url.full`*:: -+ --- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - - -type: keyword - --- - -*`threatintel.indicator.url.original`*:: -+ --- -Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. - - -type: keyword - --- - -*`threatintel.indicator.url.password`*:: -+ --- -Password of the request. - - -type: keyword - --- - -*`threatintel.indicator.url.path`*:: -+ --- -Path of the request, such as "/search". - - -type: keyword - --- - -*`threatintel.indicator.url.port`*:: -+ --- -Port of the request, such as 443. 
- - -type: long - -format: string - --- - -*`threatintel.indicator.url.query`*:: -+ --- -The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - - -type: keyword - --- - -*`threatintel.indicator.url.registered_domain`*:: -+ --- -The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - - -type: keyword - --- - -*`threatintel.indicator.url.scheme`*:: -+ --- -Scheme of the request, such as "https". - - -type: keyword - --- - -*`threatintel.indicator.url.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - - -type: keyword - --- - -*`threatintel.indicator.url.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - - -type: keyword - --- - -*`threatintel.indicator.url.username`*:: -+ --- -Username of the request. - - -type: keyword - --- - - -*`threatintel.indicator.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`threatintel.indicator.x509.issuer`*:: -+ --- -Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`threatintel.indicator.x509.subject`*:: -+ --- -Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`threatintel.indicator.x509.alternative_names`*:: +*`threat.feed.name`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - type: keyword -example: *.elastic.co - -- -*`threatintel.indicator.signature`*:: +*`threat.feed.dashboard_id`*:: + -- -Malware family of sample (if available). - - type: keyword -- [float] -=== abusemalware +=== abusech.malware Fields for AbuseCH Malware Threat Intel -*`threatintel.abusemalware.file_type`*:: +*`abusech.malware.file_type`*:: + -- File type guessed by URLhaus. @@ -151354,7 +150693,7 @@ type: keyword -- -*`threatintel.abusemalware.signature`*:: +*`abusech.malware.signature`*:: + -- Malware familiy. 
@@ -151364,7 +150703,7 @@ type: keyword -- -*`threatintel.abusemalware.urlhaus_download`*:: +*`abusech.malware.urlhaus_download`*:: + -- Location (URL) where you can download a copy of this file. @@ -151374,7 +150713,7 @@ type: keyword -- -*`threatintel.abusemalware.virustotal.result`*:: +*`abusech.malware.virustotal.result`*:: + -- AV detection ration. @@ -151384,7 +150723,7 @@ type: keyword -- -*`threatintel.abusemalware.virustotal.percent`*:: +*`abusech.malware.virustotal.percent`*:: + -- AV detection in percent. @@ -151394,7 +150733,7 @@ type: float -- -*`threatintel.abusemalware.virustotal.link`*:: +*`abusech.malware.virustotal.link`*:: + -- Link to the Virustotal report. @@ -151405,13 +150744,13 @@ type: keyword -- [float] -=== abuseurl +=== abusech.url Fields for AbuseCH Malware Threat Intel -*`threatintel.abuseurl.id`*:: +*`abusech.url.id`*:: + -- The ID of the url. @@ -151421,7 +150760,7 @@ type: keyword -- -*`threatintel.abuseurl.urlhaus_reference`*:: +*`abusech.url.urlhaus_reference`*:: + -- Link to URLhaus entry. @@ -151431,7 +150770,7 @@ type: keyword -- -*`threatintel.abuseurl.url_status`*:: +*`abusech.url.url_status`*:: + -- The current status of the URL. Possible values are: online, offline and unknown. @@ -151441,7 +150780,7 @@ type: keyword -- -*`threatintel.abuseurl.threat`*:: +*`abusech.url.threat`*:: + -- The threat corresponding to this malware URL. @@ -151451,7 +150790,7 @@ type: keyword -- -*`threatintel.abuseurl.blacklists.surbl`*:: +*`abusech.url.blacklists.surbl`*:: + -- SURBL blacklist status. Possible values are: listed and not_listed @@ -151461,7 +150800,7 @@ type: keyword -- -*`threatintel.abuseurl.blacklists.spamhaus_dbl`*:: +*`abusech.url.blacklists.spamhaus_dbl`*:: + -- Spamhaus DBL blacklist status. @@ -151471,7 +150810,7 @@ type: keyword -- -*`threatintel.abuseurl.reporter`*:: +*`abusech.url.reporter`*:: + -- The Twitter handle of the reporter that has reported this malware URL (or anonymous). 
@@ -151481,7 +150820,7 @@ type: keyword -- -*`threatintel.abuseurl.larted`*:: +*`abusech.url.larted`*:: + -- Indicates whether the malware URL has been reported to the hosting provider (true or false) @@ -151491,7 +150830,7 @@ type: boolean -- -*`threatintel.abuseurl.tags`*:: +*`abusech.url.tags`*:: + -- A list of tags associated with the queried malware URL @@ -151502,13 +150841,13 @@ type: keyword -- [float] -=== anomali +=== anomali.limo Fields for Anomali Threat Intel -*`threatintel.anomali.id`*:: +*`anomali.limo.id`*:: + -- The ID of the indicator. @@ -151518,7 +150857,7 @@ type: keyword -- -*`threatintel.anomali.name`*:: +*`anomali.limo.name`*:: + -- The name of the indicator. @@ -151528,7 +150867,7 @@ type: keyword -- -*`threatintel.anomali.pattern`*:: +*`anomali.limo.pattern`*:: + -- The pattern ID of the indicator. @@ -151538,7 +150877,7 @@ type: keyword -- -*`threatintel.anomali.valid_from`*:: +*`anomali.limo.valid_from`*:: + -- When the indicator was first found or is considered valid. @@ -151548,7 +150887,7 @@ type: date -- -*`threatintel.anomali.modified`*:: +*`anomali.limo.modified`*:: + -- When the indicator was last modified @@ -151558,7 +150897,7 @@ type: date -- -*`threatintel.anomali.labels`*:: +*`anomali.limo.labels`*:: + -- The labels related to the indicator @@ -151568,7 +150907,7 @@ type: keyword -- -*`threatintel.anomali.indicator`*:: +*`anomali.limo.indicator`*:: + -- The value of the indicator, for example if the type is domain, this would be the value. @@ -151578,7 +150917,7 @@ type: keyword -- -*`threatintel.anomali.description`*:: +*`anomali.limo.description`*:: + -- A description of the indicator. @@ -151588,7 +150927,7 @@ type: keyword -- -*`threatintel.anomali.title`*:: +*`anomali.limo.title`*:: + -- Title describing the indicator. @@ -151598,7 +150937,7 @@ type: keyword -- -*`threatintel.anomali.content`*:: +*`anomali.limo.content`*:: + -- Extra text or descriptive content related to the indicator. 
@@ -151608,7 +150947,7 @@ type: keyword -- -*`threatintel.anomali.type`*:: +*`anomali.limo.type`*:: + -- The indicator type, can for example be "domain, email, FileHash-SHA256". @@ -151618,7 +150957,7 @@ type: keyword -- -*`threatintel.anomali.object_marking_refs`*:: +*`anomali.limo.object_marking_refs`*:: + -- The STIX reference object. @@ -151629,13 +150968,13 @@ type: keyword -- [float] -=== anomalithreatstream +=== anomali.threatstream Fields for Anomali ThreatStream -*`threatintel.anomalithreatstream.classification`*:: +*`anomali.threatstream.classification`*:: + -- Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public. @@ -151647,7 +150986,7 @@ example: private -- -*`threatintel.anomalithreatstream.confidence`*:: +*`anomali.threatstream.confidence`*:: + -- The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators. @@ -151657,7 +150996,7 @@ type: short -- -*`threatintel.anomalithreatstream.detail2`*:: +*`anomali.threatstream.detail2`*:: + -- Detail text for indicator. @@ -151669,7 +151008,7 @@ example: Imported by user 42. -- -*`threatintel.anomalithreatstream.id`*:: +*`anomali.threatstream.id`*:: + -- The ID of the indicator. @@ -151679,7 +151018,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.import_session_id`*:: +*`anomali.threatstream.import_session_id`*:: + -- ID of the import session that created the indicator on ThreatStream. @@ -151689,7 +151028,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.itype`*:: +*`anomali.threatstream.itype`*:: + -- Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url". 
@@ -151699,7 +151038,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.maltype`*:: +*`anomali.threatstream.maltype`*:: + -- Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator. @@ -151709,7 +151048,7 @@ type: wildcard -- -*`threatintel.anomalithreatstream.md5`*:: +*`anomali.threatstream.md5`*:: + -- Hash for the indicator. @@ -151719,7 +151058,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.resource_uri`*:: +*`anomali.threatstream.resource_uri`*:: + -- Relative URI for the indicator details. @@ -151729,7 +151068,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.severity`*:: +*`anomali.threatstream.severity`*:: + -- Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high. @@ -151739,7 +151078,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.source`*:: +*`anomali.threatstream.source`*:: + -- Source for the indicator. @@ -151751,7 +151090,7 @@ example: Analyst -- -*`threatintel.anomalithreatstream.source_feed_id`*:: +*`anomali.threatstream.source_feed_id`*:: + -- ID for the integrator source. @@ -151761,7 +151100,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.state`*:: +*`anomali.threatstream.state`*:: + -- State for this indicator. @@ -151773,7 +151112,7 @@ example: active -- -*`threatintel.anomalithreatstream.trusted_circle_ids`*:: +*`anomali.threatstream.trusted_circle_ids`*:: + -- ID of the trusted circle that imported the indicator. @@ -151783,7 +151122,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.update_id`*:: +*`anomali.threatstream.update_id`*:: + -- Update ID. @@ -151793,7 +151132,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.url`*:: +*`anomali.threatstream.url`*:: + -- URL for the indicator. 
@@ -151803,7 +151142,7 @@ type: keyword -- -*`threatintel.anomalithreatstream.value_type`*:: +*`anomali.threatstream.value_type`*:: + -- Data type of the indicator. Possible values: ip, domain, url, email, md5. @@ -151814,13 +151153,13 @@ type: keyword -- [float] -=== malwarebazaar +=== abusech.malwarebazaar Fields for Malware Bazaar Threat Intel -*`threatintel.malwarebazaar.file_type`*:: +*`abusech.malwarebazaar.file_type`*:: + -- File type guessed by Malware Bazaar. @@ -151830,7 +151169,7 @@ type: keyword -- -*`threatintel.malwarebazaar.signature`*:: +*`abusech.malwarebazaar.signature`*:: + -- Malware familiy. @@ -151840,7 +151179,7 @@ type: keyword -- -*`threatintel.malwarebazaar.tags`*:: +*`abusech.malwarebazaar.tags`*:: + -- A list of tags associated with the queried malware sample. @@ -151851,7 +151190,7 @@ type: keyword -- -*`threatintel.malwarebazaar.intelligence.downloads`*:: +*`abusech.malwarebazaar.intelligence.downloads`*:: + -- Number of downloads from MalwareBazaar. @@ -151861,7 +151200,7 @@ type: long -- -*`threatintel.malwarebazaar.intelligence.uploads`*:: +*`abusech.malwarebazaar.intelligence.uploads`*:: + -- Number of uploads from MalwareBazaar. @@ -151872,7 +151211,7 @@ type: long -- -*`threatintel.malwarebazaar.intelligence.mail.Generic`*:: +*`abusech.malwarebazaar.intelligence.mail.Generic`*:: + -- Malware seen in generic spam traffic. @@ -151882,7 +151221,7 @@ type: keyword -- -*`threatintel.malwarebazaar.intelligence.mail.IT`*:: +*`abusech.malwarebazaar.intelligence.mail.IT`*:: + -- Malware seen in IT spam traffic. @@ -151892,7 +151231,7 @@ type: keyword -- -*`threatintel.malwarebazaar.anonymous`*:: +*`abusech.malwarebazaar.anonymous`*:: + -- Identifies if the sample was submitted anonymously. @@ -151902,7 +151241,7 @@ type: long -- -*`threatintel.malwarebazaar.code_sign`*:: +*`abusech.malwarebazaar.code_sign`*:: + -- Code signing information for the sample. 
@@ -151919,7 +151258,7 @@ Fields for MISP Threat Intel -*`threatintel.misp.id`*:: +*`misp.id`*:: + -- Attribute ID. @@ -151929,7 +151268,7 @@ type: keyword -- -*`threatintel.misp.orgc_id`*:: +*`misp.orgc_id`*:: + -- Organization Community ID of the event. @@ -151939,7 +151278,7 @@ type: keyword -- -*`threatintel.misp.org_id`*:: +*`misp.org_id`*:: + -- Organization ID of the event. @@ -151949,7 +151288,7 @@ type: keyword -- -*`threatintel.misp.threat_level_id`*:: +*`misp.threat_level_id`*:: + -- Threat level from 5 to 1, where 1 is the most critical. @@ -151959,7 +151298,7 @@ type: long -- -*`threatintel.misp.info`*:: +*`misp.info`*:: + -- Additional text or information related to the event. @@ -151969,7 +151308,7 @@ type: keyword -- -*`threatintel.misp.published`*:: +*`misp.published`*:: + -- When the event was published. @@ -151979,7 +151318,7 @@ type: boolean -- -*`threatintel.misp.uuid`*:: +*`misp.uuid`*:: + -- The UUID of the event object. @@ -151989,7 +151328,7 @@ type: keyword -- -*`threatintel.misp.date`*:: +*`misp.date`*:: + -- The date of when the event object was created. @@ -151999,7 +151338,7 @@ type: date -- -*`threatintel.misp.attribute_count`*:: +*`misp.attribute_count`*:: + -- How many attributes are included in a single event object. @@ -152009,7 +151348,7 @@ type: long -- -*`threatintel.misp.timestamp`*:: +*`misp.timestamp`*:: + -- The timestamp of when the event object was created. @@ -152019,7 +151358,7 @@ type: date -- -*`threatintel.misp.distribution`*:: +*`misp.distribution`*:: + -- Distribution type related to MISP. @@ -152029,7 +151368,7 @@ type: keyword -- -*`threatintel.misp.proposal_email_lock`*:: +*`misp.proposal_email_lock`*:: + -- Settings configured on MISP for email lock on this event object. @@ -152039,7 +151378,7 @@ type: boolean -- -*`threatintel.misp.locked`*:: +*`misp.locked`*:: + -- If the current MISP event object is locked or not. 
@@ -152049,7 +151388,7 @@ type: boolean -- -*`threatintel.misp.publish_timestamp`*:: +*`misp.publish_timestamp`*:: + -- At what time the event object was published @@ -152059,7 +151398,7 @@ type: date -- -*`threatintel.misp.sharing_group_id`*:: +*`misp.sharing_group_id`*:: + -- The ID of the grouped events or sources of the event. @@ -152069,7 +151408,7 @@ type: keyword -- -*`threatintel.misp.disable_correlation`*:: +*`misp.disable_correlation`*:: + -- If correlation is disabled on the MISP event object. @@ -152079,7 +151418,7 @@ type: boolean -- -*`threatintel.misp.extends_uuid`*:: +*`misp.extends_uuid`*:: + -- The UUID of the event object it might extend. @@ -152089,7 +151428,7 @@ type: keyword -- -*`threatintel.misp.org.id`*:: +*`misp.org.id`*:: + -- The organization ID related to the event object. @@ -152099,7 +151438,7 @@ type: keyword -- -*`threatintel.misp.org.name`*:: +*`misp.org.name`*:: + -- The organization name related to the event object. @@ -152109,7 +151448,7 @@ type: keyword -- -*`threatintel.misp.org.uuid`*:: +*`misp.org.uuid`*:: + -- The UUID of the organization related to the event object. @@ -152119,7 +151458,7 @@ type: keyword -- -*`threatintel.misp.org.local`*:: +*`misp.org.local`*:: + -- If the event object is local or from a remote source. @@ -152129,7 +151468,7 @@ type: boolean -- -*`threatintel.misp.orgc.id`*:: +*`misp.orgc.id`*:: + -- The Organization Community ID in which the event object was reported from. @@ -152139,7 +151478,7 @@ type: keyword -- -*`threatintel.misp.orgc.name`*:: +*`misp.orgc.name`*:: + -- The Organization Community name in which the event object was reported from. @@ -152149,7 +151488,7 @@ type: keyword -- -*`threatintel.misp.orgc.uuid`*:: +*`misp.orgc.uuid`*:: + -- The Organization Community UUID in which the event object was reported from. @@ -152159,7 +151498,7 @@ type: keyword -- -*`threatintel.misp.orgc.local`*:: +*`misp.orgc.local`*:: + -- If the Organization Community was local or synced from a remote source. 
@@ -152169,7 +151508,7 @@ type: boolean -- -*`threatintel.misp.attribute.id`*:: +*`misp.attribute.id`*:: + -- The ID of the attribute related to the event object. @@ -152179,7 +151518,7 @@ type: keyword -- -*`threatintel.misp.attribute.type`*:: +*`misp.attribute.type`*:: + -- The type of the attribute related to the event object. For example email, ipv4, sha1 and such. @@ -152189,7 +151528,7 @@ type: keyword -- -*`threatintel.misp.attribute.category`*:: +*`misp.attribute.category`*:: + -- The category of the attribute related to the event object. For example "Network Activity". @@ -152199,7 +151538,7 @@ type: keyword -- -*`threatintel.misp.attribute.to_ids`*:: +*`misp.attribute.to_ids`*:: + -- If the attribute should be automatically synced with an IDS. @@ -152209,7 +151548,7 @@ type: boolean -- -*`threatintel.misp.attribute.uuid`*:: +*`misp.attribute.uuid`*:: + -- The UUID of the attribute related to the event. @@ -152219,7 +151558,7 @@ type: keyword -- -*`threatintel.misp.attribute.event_id`*:: +*`misp.attribute.event_id`*:: + -- The local event ID of the attribute related to the event. @@ -152229,7 +151568,7 @@ type: keyword -- -*`threatintel.misp.attribute.distribution`*:: +*`misp.attribute.distribution`*:: + -- How the attribute has been distributed, represented by integer numbers. @@ -152239,7 +151578,7 @@ type: long -- -*`threatintel.misp.attribute.timestamp`*:: +*`misp.attribute.timestamp`*:: + -- The timestamp in which the attribute was attached to the event object. @@ -152249,7 +151588,7 @@ type: date -- -*`threatintel.misp.attribute.comment`*:: +*`misp.attribute.comment`*:: + -- Comments made to the attribute itself. @@ -152259,7 +151598,7 @@ type: keyword -- -*`threatintel.misp.attribute.sharing_group_id`*:: +*`misp.attribute.sharing_group_id`*:: + -- The group ID of the sharing group related to the specific attribute. 
@@ -152269,7 +151608,7 @@ type: keyword -- -*`threatintel.misp.attribute.deleted`*:: +*`misp.attribute.deleted`*:: + -- If the attribute has been removed from the event object. @@ -152279,7 +151618,7 @@ type: boolean -- -*`threatintel.misp.attribute.disable_correlation`*:: +*`misp.attribute.disable_correlation`*:: + -- If correlation has been enabled on the attribute related to the event object. @@ -152289,7 +151628,7 @@ type: boolean -- -*`threatintel.misp.attribute.object_id`*:: +*`misp.attribute.object_id`*:: + -- The ID of the Object in which the attribute is attached. @@ -152299,7 +151638,7 @@ type: keyword -- -*`threatintel.misp.attribute.object_relation`*:: +*`misp.attribute.object_relation`*:: + -- The type of relation the attribute has with the event object itself. @@ -152309,7 +151648,7 @@ type: keyword -- -*`threatintel.misp.attribute.value`*:: +*`misp.attribute.value`*:: + -- The value of the attribute, depending on the type like "url, sha1, email-src". @@ -152319,7 +151658,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.id`*:: +*`misp.context.attribute.id`*:: + -- The ID of the secondary attribute related to the event object. @@ -152329,7 +151668,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.type`*:: +*`misp.context.attribute.type`*:: + -- The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. @@ -152339,7 +151678,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.category`*:: +*`misp.context.attribute.category`*:: + -- The category of the secondary attribute related to the event object. For example "Network Activity". @@ -152349,7 +151688,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.to_ids`*:: +*`misp.context.attribute.to_ids`*:: + -- If the secondary attribute should be automatically synced with an IDS. 
@@ -152359,7 +151698,7 @@ type: boolean -- -*`threatintel.misp.context.attribute.uuid`*:: +*`misp.context.attribute.uuid`*:: + -- The UUID of the secondary attribute related to the event. @@ -152369,7 +151708,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.event_id`*:: +*`misp.context.attribute.event_id`*:: + -- The local event ID of the secondary attribute related to the event. @@ -152379,7 +151718,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.distribution`*:: +*`misp.context.attribute.distribution`*:: + -- How the secondary attribute has been distributed, represented by integer numbers. @@ -152389,7 +151728,7 @@ type: long -- -*`threatintel.misp.context.attribute.timestamp`*:: +*`misp.context.attribute.timestamp`*:: + -- The timestamp in which the secondary attribute was attached to the event object. @@ -152399,7 +151738,7 @@ type: date -- -*`threatintel.misp.context.attribute.comment`*:: +*`misp.context.attribute.comment`*:: + -- Comments made to the secondary attribute itself. @@ -152409,7 +151748,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.sharing_group_id`*:: +*`misp.context.attribute.sharing_group_id`*:: + -- The group ID of the sharing group related to the specific secondary attribute. @@ -152419,7 +151758,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.deleted`*:: +*`misp.context.attribute.deleted`*:: + -- If the secondary attribute has been removed from the event object. @@ -152429,7 +151768,7 @@ type: boolean -- -*`threatintel.misp.context.attribute.disable_correlation`*:: +*`misp.context.attribute.disable_correlation`*:: + -- If correlation has been enabled on the secondary attribute related to the event object. @@ -152439,7 +151778,7 @@ type: boolean -- -*`threatintel.misp.context.attribute.object_id`*:: +*`misp.context.attribute.object_id`*:: + -- The ID of the Object in which the secondary attribute is attached. 
@@ -152449,7 +151788,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.object_relation`*:: +*`misp.context.attribute.object_relation`*:: + -- The type of relation the secondary attribute has with the event object itself. @@ -152459,7 +151798,7 @@ type: keyword -- -*`threatintel.misp.context.attribute.value`*:: +*`misp.context.attribute.value`*:: + -- The value of the attribute, depending on the type like "url, sha1, email-src". @@ -152476,7 +151815,7 @@ Fields for OTX Threat Intel -*`threatintel.otx.id`*:: +*`otx.id`*:: + -- The ID of the indicator. @@ -152486,7 +151825,7 @@ type: keyword -- -*`threatintel.otx.indicator`*:: +*`otx.indicator`*:: + -- The value of the indicator, for example if the type is domain, this would be the value. @@ -152496,7 +151835,7 @@ type: keyword -- -*`threatintel.otx.description`*:: +*`otx.description`*:: + -- A description of the indicator. @@ -152506,7 +151845,7 @@ type: keyword -- -*`threatintel.otx.title`*:: +*`otx.title`*:: + -- Title describing the indicator. @@ -152516,7 +151855,7 @@ type: keyword -- -*`threatintel.otx.content`*:: +*`otx.content`*:: + -- Extra text or descriptive content related to the indicator. @@ -152526,7 +151865,7 @@ type: keyword -- -*`threatintel.otx.type`*:: +*`otx.type`*:: + -- The indicator type, can for example be "domain, email, FileHash-SHA256". @@ -152550,7 +151889,7 @@ Entity that represents a threat. -*`threatintel.recordedfuture.entity.id`*:: +*`recordedfuture.entity.id`*:: + -- Entity ID. @@ -152562,7 +151901,7 @@ example: ip:192.0.2.13 -- -*`threatintel.recordedfuture.entity.name`*:: +*`recordedfuture.entity.name`*:: + -- Entity name. Value for the entity. @@ -152574,7 +151913,7 @@ example: 192.0.2.13 -- -*`threatintel.recordedfuture.entity.type`*:: +*`recordedfuture.entity.type`*:: + -- Entity type. 
@@ -152586,7 +151925,7 @@ example: IpAddress -- -*`threatintel.recordedfuture.intelCard`*:: +*`recordedfuture.intelCard`*:: + -- Link to the Recorded Future Intelligence Card for to this indicator. @@ -152596,7 +151935,7 @@ type: keyword -- -*`threatintel.recordedfuture.ip_range`*:: +*`recordedfuture.ip_range`*:: + -- Range of IPs for this indicator. @@ -152615,7 +151954,7 @@ Risk fields. -*`threatintel.recordedfuture.risk.criticality`*:: +*`recordedfuture.risk.criticality`*:: + -- Risk criticality (0-4). @@ -152625,7 +151964,7 @@ type: byte -- -*`threatintel.recordedfuture.risk.criticalityLabel`*:: +*`recordedfuture.risk.criticalityLabel`*:: + -- Risk criticality label. One of None, Unusual, Suspicious, Malicious, Very Malicious. @@ -152635,7 +151974,7 @@ type: keyword -- -*`threatintel.recordedfuture.risk.evidenceDetails`*:: +*`recordedfuture.risk.evidenceDetails`*:: + -- Risk's evidence details. @@ -152645,7 +151984,7 @@ type: flattened -- -*`threatintel.recordedfuture.risk.score`*:: +*`recordedfuture.risk.score`*:: + -- Risk score (0-99). @@ -152655,7 +151994,7 @@ type: short -- -*`threatintel.recordedfuture.risk.riskString`*:: +*`recordedfuture.risk.riskString`*:: + -- Number of Risk Rules observed as a factor of total number of rules. @@ -152667,7 +152006,7 @@ example: 1/54 -- -*`threatintel.recordedfuture.risk.riskSummary`*:: +*`recordedfuture.risk.riskSummary`*:: + -- Risk summary. @@ -152679,14 +152018,14 @@ example: 1 of 54 Risk Rules currently observed. -- -*`threatintel.recordedfuture.risk.riskSummary.text`*:: +*`recordedfuture.risk.riskSummary.text`*:: + -- type: text -- -*`threatintel.recordedfuture.risk.rules`*:: +*`recordedfuture.risk.rules`*:: + -- Number of rules observed. @@ -152703,7 +152042,7 @@ Fields for ThreatQ Threat Library -*`threatintel.threatq.updated_at`*:: +*`threatq.updated_at`*:: + -- Last modification time 
@@ -152713,7 +152052,7 @@ type: date -- -*`threatintel.threatq.created_at`*:: +*`threatq.created_at`*:: + -- Object creation time @@ -152723,7 +152062,7 @@ type: date -- -*`threatintel.threatq.expires_at`*:: +*`threatq.expires_at`*:: + -- Expiration time @@ -152733,7 +152072,7 @@ type: date -- -*`threatintel.threatq.expires_calculated_at`*:: +*`threatq.expires_calculated_at`*:: + -- Expiration calculation time @@ -152743,7 +152082,7 @@ type: date -- -*`threatintel.threatq.published_at`*:: +*`threatq.published_at`*:: + -- Object publication time @@ -152753,7 +152092,7 @@ type: date -- -*`threatintel.threatq.status`*:: +*`threatq.status`*:: + -- Object status within the Threat Library @@ -152763,7 +152102,7 @@ type: keyword -- -*`threatintel.threatq.indicator_value`*:: +*`threatq.indicator_value`*:: + -- Original indicator value @@ -152773,7 +152112,7 @@ type: keyword -- -*`threatintel.threatq.adversaries`*:: +*`threatq.adversaries`*:: + -- Adversaries that are linked to the object @@ -152783,7 +152122,7 @@ type: keyword -- -*`threatintel.threatq.attributes`*:: +*`threatq.attributes`*:: + -- These provide additional context about an object diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc index a05384ff446..b8b5b6f950d 100644 --- a/filebeat/docs/modules/threatintel.asciidoc +++ b/filebeat/docs/modules/threatintel.asciidoc @@ -17,7 +17,7 @@ https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-ind Match rules], but is also compatible with other features like https://www.elastic.co/guide/en/elasticsearch/reference/current/enrich-processor.html[Enrich Processors]. The related threat intel attribute that is meant to be used for -matching incoming source data is stored under the `threatintel.indicator.*` +matching incoming source data is stored under the `threat.indicator.*` fields. The available filesets are: 
@@ -73,9 +73,9 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================== | URL Threat Intel Fields | ECS Fields -| url | threatintel.indicator.url.full +| url | threat.indicator.url.full | date_added | @timestamp -| host | threatintel.indicator.ip/domain +| host | threat.indicator.ip/domain |============================================================== [[abusemalware]] @@ -117,9 +117,9 @@ Abuse.ch Malware Threat Intel is mapped to the following ECS fields. [options="header"] |================================================================ | Malware Threat IntelFields | ECS Fields -| md5_hash | threatintel.indicator.file.hash.md5 -| sha256_hash | threatintel.indicator.file.hash.sha256 -| file_size | threatintel.indicator.file.size +| md5_hash | threat.indicator.file.hash.md5 +| sha256_hash | threat.indicator.file.hash.sha256 +| file_size | threat.indicator.file.size |================================================================ [[malwarebazaar]] 
@@ -161,24 +161,25 @@ Malware Bazaar Threat Intel is mapped to the following ECS fields. [options="header"] |================================================================ | Malware Threat IntelFields | ECS Fields -| md5_hash | threatintel.indicator.file.hash.md5 -| sha256_hash | threatintel.indicator.file.hash.sha256 -| tlsh | threatintel.indicator.file.hash.tlsh -| ssdeep | threatintel.indicator.file.hash.ssdeep -| imphash | threatintel.indicator.file.pe.imphash -| file_size | threatintel.indicator.file.size -| file_name | threatintel.indicator.file.name -| file_type_mime | threatintel.indicator.file.mime_type -| file_type | threatintel.indicator.file.type -| reporter | threatintel.indicator.provider -| origin_country | threatintel.indicator.geo.country_iso_code -| signature | threatintel.indicator.signature -| code_sign.subject_cn | threatintel.indicator.file.x509.subject.common_name -| code_sign.issuer_cn | threatintel.indicator.file.x509.issuer.common_name -| code_sign.algorithm | threatintel.indicator.file.x509.public_key_algorithm -| code_sign.valid_from | threatintel.indicator.file.x509.not_before -| code_sign.valid_to | threatintel.indicator.file.x509.not_after -| code_sign.serial_number | threatintel.indicator.file.x509.serial_number +| md5_hash | threat.indicator.file.hash.md5 +| sha256_hash | threat.indicator.file.hash.sha256 +| sha384_hash | threat.indicator.file.hash.sha384 +| tlsh | threat.indicator.file.hash.tlsh +| ssdeep | threat.indicator.file.hash.ssdeep +| imphash | threat.indicator.file.pe.imphash +| file_size | threat.indicator.file.size +| file_name | threat.indicator.file.name +| file_type_mime | threat.indicator.file.mime_type +| file_type | threat.indicator.file.type +| reporter | threat.indicator.provider +| origin_country | threat.indicator.geo.country_iso_code +| signature | threat.indicator.signature +| code_sign.subject_cn | threat.indicator.file.x509.subject.common_name +| code_sign.issuer_cn | 
threat.indicator.file.x509.issuer.common_name +| code_sign.algorithm | threat.indicator.file.x509.public_key_algorithm +| code_sign.valid_from | threat.indicator.file.x509.not_before +| code_sign.valid_to | threat.indicator.file.x509.not_after +| code_sign.serial_number | threat.indicator.file.x509.serial_number |================================================================ [[misp]] @@ -255,10 +256,10 @@ MISP Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================== | Malware Threat IntelFields | ECS Fields -| misp.first_seen | threatintel.indicator.first_seen -| misp.last_seen | threatintel.indicator.last_seen +| misp.first_seen | threat.indicator.first_seen +| misp.last_seen | threat.indicator.last_seen | misp.tag | tag -| misp.value | threatintel.indicator.* +| misp.value | threat.indicator.* |============================================================== `misp.value` is mapped to the appropriate field dependent on attribute type. @@ -336,9 +337,9 @@ OTX Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================ | Malware Threat Intel Fields | ECS Fields -| otx.type | threatintel.indicator.type -| otx.description | threatintel.indicator.description -| otx.indicator | threatintel.indicator.* +| otx.type | threat.indicator.type +| otx.description | threat.indicator.description +| otx.indicator | threat.indicator.* |============================================================ `otx.indicator` is mapped to the appropriate field dependent on attribute type. 
@@ -420,10 +421,10 @@ Anomali Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================= | Malware Threat Intel Fields | ECS Fields -| anomali.description | threatintel.indicator.description -| anomali.created | threatintel.indicator.first_seen -| anomali.modified | threatintel.indicator.last_seen -| anomali.pattern | threatintel.indicator.* +| anomali.description | threat.indicator.description +| anomali.created | threat.indicator.first_seen +| anomali.modified | threat.indicator.last_seen +| anomali.pattern | threat.indicator.* | anomali.labels | tags |============================================================= 
@@ -491,24 +492,24 @@ Anomali ThreatStream fields are mapped to the following ECS fields: [options="header"] |============================================================= | ThreatStream fields | ECS Fields -| asn | threatintel.indicator.as.number -| classification<> | threatintel.indicator.marking.tlp -| confidence<> | threatintel.indicator.confidence -| country | threatintel.indicator.geo.country_iso_code -| date_first | threatintel.indicator.first_seen -| date_last | threatintel.indicator.last_seen +| asn | threat.indicator.as.number +| classification<> | threat.indicator.marking.tlp +| confidence<> | threat.indicator.confidence +| country | threat.indicator.geo.country_iso_code +| date_first | threat.indicator.first_seen +| date_last | threat.indicator.last_seen | detail | tags -| domain | threatintel.indicator.url.domain -| email | threatintel.indicator.email.address -| itype<> | threatintel.indicator.type -| lat | threatintel.indicator.geo.location.lat -| lon | threatintel.indicator.geo.location.lon -| md5 | threatintel.indicator.file.hash -| org | threatintel.indicator.as.organization.name +| domain | threat.indicator.url.domain +| email | threat.indicator.email.address +| itype<> | threat.indicator.type +| lat | threat.indicator.geo.location.lat +| lon | threat.indicator.geo.location.lon +| md5 | threat.indicator.file.hash +| org | threat.indicator.as.organization.name | severity<> | event.severity -| source | threatintel.indicator.provider -| srcip | threatintel.indicator.ip -| url | threatintel.indicator.url.original +| source | threat.indicator.provider +| srcip | threat.indicator.ip +| url | threat.indicator.url.original |============================================================= [[a]] 
@@ -590,16 +591,16 @@ Recorded Future fields are mapped to the following ECS fields: [options="header"] |============================================================= | Recorded Future fields | ECS Fields -| entity.name | threatintel.indicator.{url,ip,domain,file.hash} -| entity.type | threatintel.indicator.type -| fileHashes | threatintel.indicator.file.hash +| entity.name | threat.indicator.{url,ip,domain,file.hash} +| entity.type | threat.indicator.type +| fileHashes | threat.indicator.file.hash | intelCard | event.reference -| location.asn | threatintel.indicator.as.number -| location.location | threatintel.indicator.geo -| location.organization | threatintel.indicator.as.organization.name +| location.asn | threat.indicator.as.number +| location.location | threat.indicator.geo +| location.organization | threat.indicator.as.organization.name | risk.score | event.risk_score -| timestamps.firstSeen | threatintel.indicator.first_seen -| timestamps.lastSeen | threatintel.indicator.last_seen +| timestamps.firstSeen | threat.indicator.first_seen +| timestamps.lastSeen | threat.indicator.last_seen |============================================================= :has-dashboards!: @@ -707,11 +708,11 @@ Recorded Future fields are mapped to the following ECS fields: [options="header"] |============================================================= | ThreatQ fields | ECS Fields -| type.name | threatintel.indicator.type -| description | threatintel.indicator.description -| score | threatintel.indicator.confidence -| value | threatintel.indicator.{url,ip,domain,file.hash} -| sources | threatintel.indicator.provider +| type.name | threat.indicator.type +| description | threat.indicator.description +| score | threat.indicator.confidence +| value | threat.indicator.{url,ip,domain,file.hash} +| sources | threat.indicator.provider |============================================================= :has-dashboards!: 
diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc index a7acdb5f4bd..18c8d57e169 100644 --- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc @@ -12,7 +12,7 @@ https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-ind Match rules], but is also compatible with other features like https://www.elastic.co/guide/en/elasticsearch/reference/current/enrich-processor.html[Enrich Processors]. The related threat intel attribute that is meant to be used for -matching incoming source data is stored under the `threatintel.indicator.*` +matching incoming source data is stored under the `threat.indicator.*` fields. The available filesets are: @@ -68,9 +68,9 @@ Abuse.ch URL Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================== | URL Threat Intel Fields | ECS Fields -| url | threatintel.indicator.url.full +| url | threat.indicator.url.full | date_added | @timestamp -| host | threatintel.indicator.ip/domain +| host | threat.indicator.ip/domain |============================================================== [[abusemalware]] @@ -112,9 +112,9 @@ Abuse.ch Malware Threat Intel is mapped to the following ECS fields. [options="header"] |================================================================ | Malware Threat IntelFields | ECS Fields -| md5_hash | threatintel.indicator.file.hash.md5 -| sha256_hash | threatintel.indicator.file.hash.sha256 -| file_size | threatintel.indicator.file.size +| md5_hash | threat.indicator.file.hash.md5 +| sha256_hash | threat.indicator.file.hash.sha256 +| file_size | threat.indicator.file.size |================================================================ [[malwarebazaar]] 
@@ -156,24 +156,25 @@ Malware Bazaar Threat Intel is mapped to the following ECS fields. [options="header"] |================================================================ | Malware Threat IntelFields | ECS Fields -| md5_hash | threatintel.indicator.file.hash.md5 -| sha256_hash | threatintel.indicator.file.hash.sha256 -| tlsh | threatintel.indicator.file.hash.tlsh -| ssdeep | threatintel.indicator.file.hash.ssdeep -| imphash | threatintel.indicator.file.pe.imphash -| file_size | threatintel.indicator.file.size -| file_name | threatintel.indicator.file.name -| file_type_mime | threatintel.indicator.file.mime_type -| file_type | threatintel.indicator.file.type -| reporter | threatintel.indicator.provider -| origin_country | threatintel.indicator.geo.country_iso_code -| signature | threatintel.indicator.signature -| code_sign.subject_cn | threatintel.indicator.file.x509.subject.common_name -| code_sign.issuer_cn | threatintel.indicator.file.x509.issuer.common_name -| code_sign.algorithm | threatintel.indicator.file.x509.public_key_algorithm -| code_sign.valid_from | threatintel.indicator.file.x509.not_before -| code_sign.valid_to | threatintel.indicator.file.x509.not_after -| code_sign.serial_number | threatintel.indicator.file.x509.serial_number +| md5_hash | threat.indicator.file.hash.md5 +| sha256_hash | threat.indicator.file.hash.sha256 +| sha384_hash | threat.indicator.file.hash.sha384 +| tlsh | threat.indicator.file.hash.tlsh +| ssdeep | threat.indicator.file.hash.ssdeep +| imphash | threat.indicator.file.pe.imphash +| file_size | threat.indicator.file.size +| file_name | threat.indicator.file.name +| file_type_mime | threat.indicator.file.mime_type +| file_type | threat.indicator.file.type +| reporter | threat.indicator.provider +| origin_country | threat.indicator.geo.country_iso_code +| signature | threat.indicator.signature +| code_sign.subject_cn | threat.indicator.file.x509.subject.common_name +| code_sign.issuer_cn | 
threat.indicator.file.x509.issuer.common_name +| code_sign.algorithm | threat.indicator.file.x509.public_key_algorithm +| code_sign.valid_from | threat.indicator.file.x509.not_before +| code_sign.valid_to | threat.indicator.file.x509.not_after +| code_sign.serial_number | threat.indicator.file.x509.serial_number |================================================================ [[misp]] @@ -250,10 +251,10 @@ MISP Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================== | Malware Threat IntelFields | ECS Fields -| misp.first_seen | threatintel.indicator.first_seen -| misp.last_seen | threatintel.indicator.last_seen +| misp.first_seen | threat.indicator.first_seen +| misp.last_seen | threat.indicator.last_seen | misp.tag | tag -| misp.value | threatintel.indicator.* +| misp.value | threat.indicator.* |============================================================== `misp.value` is mapped to the appropriate field dependent on attribute type. @@ -331,9 +332,9 @@ OTX Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================ | Malware Threat Intel Fields | ECS Fields -| otx.type | threatintel.indicator.type -| otx.description | threatintel.indicator.description -| otx.indicator | threatintel.indicator.* +| otx.type | threat.indicator.type +| otx.description | threat.indicator.description +| otx.indicator | threat.indicator.* |============================================================ `otx.indicator` is mapped to the appropriate field dependent on attribute type. 
@@ -415,10 +416,10 @@ Anomali Threat Intel is mapped to the following ECS fields. [options="header"] |============================================================= | Malware Threat Intel Fields | ECS Fields -| anomali.description | threatintel.indicator.description -| anomali.created | threatintel.indicator.first_seen -| anomali.modified | threatintel.indicator.last_seen -| anomali.pattern | threatintel.indicator.* +| anomali.description | threat.indicator.description +| anomali.created | threat.indicator.first_seen +| anomali.modified | threat.indicator.last_seen +| anomali.pattern | threat.indicator.* | anomali.labels | tags |============================================================= 
@@ -486,24 +487,24 @@ Anomali ThreatStream fields are mapped to the following ECS fields: [options="header"] |============================================================= | ThreatStream fields | ECS Fields -| asn | threatintel.indicator.as.number -| classification<> | threatintel.indicator.marking.tlp -| confidence<> | threatintel.indicator.confidence -| country | threatintel.indicator.geo.country_iso_code -| date_first | threatintel.indicator.first_seen -| date_last | threatintel.indicator.last_seen +| asn | threat.indicator.as.number +| classification<> | threat.indicator.marking.tlp +| confidence<> | threat.indicator.confidence +| country | threat.indicator.geo.country_iso_code +| date_first | threat.indicator.first_seen +| date_last | threat.indicator.last_seen | detail | tags -| domain | threatintel.indicator.url.domain -| email | threatintel.indicator.email.address -| itype<> | threatintel.indicator.type -| lat | threatintel.indicator.geo.location.lat -| lon | threatintel.indicator.geo.location.lon -| md5 | threatintel.indicator.file.hash -| org | threatintel.indicator.as.organization.name +| domain | threat.indicator.url.domain +| email | threat.indicator.email.address +| itype<> | threat.indicator.type +| lat | threat.indicator.geo.location.lat +| lon | threat.indicator.geo.location.lon +| md5 | threat.indicator.file.hash +| org | threat.indicator.as.organization.name | severity<> | event.severity -| source | threatintel.indicator.provider -| srcip | threatintel.indicator.ip -| url | threatintel.indicator.url.original +| source | threat.indicator.provider +| srcip | threat.indicator.ip +| url | threat.indicator.url.original |============================================================= [[a]] 
@@ -585,16 +586,16 @@ Recorded Future fields are mapped to the following ECS fields: [options="header"] |============================================================= | Recorded Future fields | ECS Fields -| entity.name | threatintel.indicator.{url,ip,domain,file.hash} -| entity.type | threatintel.indicator.type -| fileHashes | threatintel.indicator.file.hash +| entity.name | threat.indicator.{url,ip,domain,file.hash} +| entity.type | threat.indicator.type +| fileHashes | threat.indicator.file.hash | intelCard | event.reference -| location.asn | threatintel.indicator.as.number -| location.location | threatintel.indicator.geo -| location.organization | threatintel.indicator.as.organization.name +| location.asn | threat.indicator.as.number +| location.location | threat.indicator.geo +| location.organization | threat.indicator.as.organization.name | risk.score | event.risk_score -| timestamps.firstSeen | threatintel.indicator.first_seen -| timestamps.lastSeen | threatintel.indicator.last_seen +| timestamps.firstSeen | threat.indicator.first_seen +| timestamps.lastSeen | threat.indicator.last_seen |============================================================= :has-dashboards!: @@ -702,11 +703,11 @@ Recorded Future fields are mapped to the following ECS fields: [options="header"] |============================================================= | ThreatQ fields | ECS Fields -| type.name | threatintel.indicator.type -| description | threatintel.indicator.description -| score | threatintel.indicator.confidence -| value | threatintel.indicator.{url,ip,domain,file.hash} -| sources | threatintel.indicator.provider +| type.name | threat.indicator.type +| description | threat.indicator.description +| score | threat.indicator.confidence +| value | threat.indicator.{url,ip,domain,file.hash} +| sources | threat.indicator.provider |============================================================= :has-dashboards!: 
diff --git a/x-pack/filebeat/module/threatintel/_meta/fields.yml b/x-pack/filebeat/module/threatintel/_meta/fields.yml index ee199daa6aa..5fb56abc40a 100644 --- a/x-pack/filebeat/module/threatintel/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/_meta/fields.yml 
@@ -4,388 +4,21 @@ description: > Threat intelligence Filebeat Module. fields: - - name: threatintel + - name: "" type: group - description: > - Fields from the threatintel Filebeat module. fields: - - name: indicator.first_seen - type: date - description: > - The date and time when intelligence source first reported sighting this indicator. - - name: indicator.last_seen - type: date - description: > - The date and time when intelligence source last reported sighting this indicator. - - name: indicator.sightings - type: long - description: > - Number of times this indicator was observed conducting threat activity. - - name: indicator.type + - name: threat.indicator.file.hash.tlsh type: keyword description: > - Type of indicator as represented by Cyber Observable in STIX 2.0. - Expected values - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * process - * software - * url - * user-account - * windows-registry-key - * x-509-certificate - - name: indicator.description - type: keyword - description: > - Describes the type of action conducted by the threat. - - name: indicator.scanner_stats - type: long - description: > - Count of AV/EDR vendors that successfully detected malicious file or URL. - - name: indicator.provider + The file's import tlsh, if available. + + - name: threat.indicator.file.hash.sha384 type: keyword description: > - Identifies the name of the intelligence provider. - - name: indicator.confidence + The file's sha384 hash, if available. + + - name: threat.feed.name type: keyword - description: > - Identifies the confidence rating assigned by the provider using STIX confidence scales. 
- Expected values - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - - name: indicator.module - type: keyword - description: > - Identifies the name of specific module this data is coming from. - - name: indicator.dataset - type: keyword - description: > - Identifies the name of specific dataset from the intelligence source. - - name: indicator.reference + + - name: threat.feed.dashboard_id type: keyword - description: > - Reference URL linking to additional information about this indicator. - - name: indicator.ip - type: ip - description: > - Identifies a threat indicator as an IP address (irrespective of direction). - - name: indicator.port - type: long - description: > - Identifies a threat indicator as a port number (irrespective of direction). - - name: indicator.email.address - type: keyword - description: > - Identifies a threat indicator as an email address (irrespective of direction). - - name: indicator.marking.tlp - type: keyword - description: > - Traffic Light Protocol sharing markings. - Expected values are: - * White - * Green - * Amber - * Red - - name: indicator.matched - type: group - fields: - - name: atomic - type: keyword - description: > - Identifies the atomic indicator that matched a local environment endpoint or network event. - - name: field - type: keyword - description: > - Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - - name: type - type: keyword - description: > - Identifies the type of the atomic indicator that matched a local environment endpoint or network event. - - name: indicator.as - type: group - fields: - - name: number - type: long - description: - Unique number allocated to the autonomous system. The autonomous system number (ASN) - uniquely identifies each network on the Internet. 
- example: 15169 - - name: organization.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Organization name. - example: Google LLC - - name: indicator.registry - type: group - fields: - - name: data.strings - type: keyword - ignore_above: 1024 - description: > - Content when writing string types. - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`). - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - - name: path - type: keyword - ignore_above: 1024 - description: Full path, including hive, key and value - example: - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - - name: value - type: keyword - ignore_above: 1024 - description: Name of the value written. - example: Debugger - - name: key - type: keyword - ignore_above: 1024 - description: Registry key value - - name: indicator.geo - type: group - fields: - - name: city_name - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: continent_name - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: country_iso_code - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: country_name - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: location - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: region_iso_code - type: keyword - ignore_above: 1024 - description: Region ISO code. 
- example: CA-QC - - name: region_name - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: indicator.file.pe.imphash - type: keyword - ignore_above: 1024 - description: - "A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html." - example: 0c6803c4e922103c4dca5963aad36ddf - - name: indicator.file - type: group - fields: - - name: hash - type: group - fields: - - name: tlsh - type: keyword - description: > - The file's import tlsh, if available. - - name: ssdeep - type: keyword - description: > - The file's ssdeep hash, if available. - - name: md5 - type: keyword - description: > - The file's md5 hash, if available. - - name: sha1 - type: keyword - description: > - The file's sha1 hash, if available. - - name: sha256 - type: keyword - description: > - The file's sha256 hash, if available. - - name: sha384 - type: keyword - description: > - The file's sha384 hash, if available. - - name: sha512 - type: keyword - description: > - The file's sha512 hash, if available. - - name: type - type: keyword - ignore_above: 1024 - description: > - The file type. - - name: size - type: long - description: > - The file's total size. - - name: name - type: keyword - description: > - The file's name. - - name: extension - type: keyword - description: > - The file's extension. - - name: mime_type - type: keyword - description: > - The file's MIME type. - - name: indicator.url - type: group - fields: - - name: domain - type: keyword - description: > - Domain of the url, such as "www.elastic.co". 
- - name: extension - type: keyword - ignore_above: 1024 - description: > - The field contains the file extension from the original request - - name: fragment - type: keyword - ignore_above: 1024 - description: > - Portion of the url after the `#`, such as "top". - - name: full - type: keyword - description: > - If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - - name: original - type: keyword - description: > - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - - name: password - type: keyword - ignore_above: 1024 - description: > - Password of the request. - - name: path - type: keyword - description: > - Path of the request, such as "/search". - - name: port - type: long - format: string - description: > - Port of the request, such as 443. - - name: query - type: keyword - ignore_above: 1024 - description: > - The query field describes the query string of the request, such - as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases. - - name: registered_domain - type: keyword - description: > - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk". 
- - name: scheme - type: keyword - ignore_above: 1024 - description: > - Scheme of the request, such as "https". - - name: subdomain - type: keyword - ignore_above: 1024 - description: > - The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period. - - name: top_level_domain - type: keyword - ignore_above: 1024 - description: > - The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk". - - name: username - type: keyword - ignore_above: 1024 - description: > - Username of the request. - - name: indicator.x509 - type: group - fields: - - name: serial_number - type: keyword - ignore_above: 1024 - description: - Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - - name: issuer - type: keyword - ignore_above: 1024 - description: Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. 
- example: - C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - - name: subject - type: keyword - ignore_above: 1024 - description: Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - - name: alternative_names - type: keyword - ignore_above: 1024 - description: - List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: "*.elastic.co" - - name: indicator.signature - type: keyword - description: > - Malware family of sample (if available). diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json index 993d2edccce..91a5cc79018 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/021ba940-de96-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.type" + "sourceField": "threat.indicator.type" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -96,4 +96,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json index 14722019106..c6ef974933e 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json 
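Review bot: The two new fields `threat.feed.name` and `threat.feed.dashboard_id` are declared with `type: keyword` but no `description:`, unlike every other entry in this file, so the generated fields.asciidoc and the Kibana field help will show them blank; I'd add `description: > Display name of the threat intelligence feed the indicator was ingested from.` and `description: > Saved-object ID of the Kibana dashboard that visualizes this feed.` (wording inferred from the names and the commit message, so confirm it). The carried-over text for `threat.indicator.file.hash.tlsh`, `The file's import tlsh, if available.`, is misleading: TLSH is a locality-sensitive hash of the whole file, not of its import table (that is what imphash is), so `The file's TLSH locality-sensitive hash, if available.` would be accurate. The hunk also removes the definitions of `indicator.signature`, `indicator.module`, `indicator.dataset`, `indicator.sightings` and `indicator.matched.*` without adding `threat.*` replacements here; if the ECS field set this module now relies on does not define all of them and the ingest pipelines still emit them, they will be dynamically mapped or unmapped, which silently breaks detection rules and dashboards keyed on those fields, so this is worth checking against the pipeline hunks, which are outside this view.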
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/028175a0-ff74-11eb-acb2-2960a7069ed1.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.provider" + "sourceField": "threat.indicator.provider" }, "11576d1f-5400-4a71-bf04-681099e755d5": { "dataType": "number", @@ -95,4 +95,4 @@ "type": "lens", "updated_at": "2021-10-11T08:02:55.512Z", "version": "WzUyOSwxXQ==" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json index 5be6f447603..0c677668719 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/037e2af0-df50-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.type" + "sourceField": "threat.indicator.type" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -96,4 +96,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NjIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json index b427db18d51..38b8c85420e 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/06744e90-df52-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.ip" + "sourceField": "threat.indicator.ip" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", 
@@ -47,7 +47,7 @@ "filters": [], "query": { "language": "kuery", - "query": "event.dataset:\"threatintel.recordedfuture\" and threatintel.indicator.type:ipv6-addr" + "query": "event.dataset:\"threatintel.recordedfuture\" and threat.indicator.type:ipv6-addr" }, "visualization": { "columns": [ @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json index a053c190ada..b4182474c23 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f.json @@ -14,7 +14,7 @@ "959db113-1ce6-46fc-97c3-dbf5fd5abb9a": { "dataType": "string", "isBucketed": true, - "label": "Top values of threatintel.abusemalware.signature", + "label": "Top values of abusech.malware.signature", "operationType": "terms", "params": { "missingBucket": false, @@ -27,7 +27,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.abusemalware.signature" + "sourceField": "abusech.malware.signature" }, "de396547-655b-4db2-8a21-e9850acff0b0": { "dataType": "number", @@ -91,13 +91,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abusemalware.signature" + "field": "abusech.malware.signature" }, "meta": { "alias": null, "disabled": false, "indexRefName": "filter-index-pattern-2", - "key": "threatintel.abusemalware.signature", + "key": "abusech.malware.signature", "negate": false, "type": "exists", "value": "exists" @@ -168,4 +168,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:29.041Z", "version": "WzQ2MDMsMV0=" -} \ No newline at end of file +} 
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json index 05d17760abc..c771588f924 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/1136ceb0-de95-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.resource_uri" + "sourceField": "anomali.threatstream.resource_uri" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json index d8abec34b65..e2269eea6d9 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/139c7da0-df51-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.sha256" + "sourceField": "threat.indicator.file.hash.sha256" } }, "incompleteColumns": {} @@ -90,4 +90,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json index e48267b1fd8..86507728c60 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json 
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/36f61650-de96-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.classification" + "sourceField": "anomali.threatstream.classification" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -94,4 +94,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json index 4f33f959e3a..bdfbd6b5096 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c40f4d0-de97-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "threatintel.anomalithreatstream.itype" + "sourceField": "anomali.threatstream.itype" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -94,4 +94,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1ODEsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json index 88c19ed280d..da5e6785b5a 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/3c996410-df52-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.domain" + "sourceField": "threat.indicator.url.domain" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", 
@@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json index 03bafd193b3..a6fde56bd64 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5e76ef90-df51-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.domain" + "sourceField": "threat.indicator.url.domain" } }, "incompleteColumns": {} @@ -90,4 +90,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json index 88642bb872e..27fee210ffd 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/5ef7b430-de94-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.ip" + "sourceField": "threat.indicator.ip" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json index 2abc0bb7316..781a6a42a39 100644 
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/790cd040-df51-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.original" + "sourceField": "threat.indicator.url.original" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json index dbdc1f05605..741a17e6b10 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7d9c70f0-de95-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.anomali.name" + "sourceField": "anomali.limo.name" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json index b321f95bae8..e1b1dfc2fc8 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/7ec83f60-de98-11eb-8f2b-753caedf727d.json 
@@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.file.hash.sha256" + "sourceField": "threat.indicator.file.hash.sha256" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json index 86e2c969773..16f93c3473b 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8a6f7b20-de94-11eb-8f2b-753caedf727d.json @@ -36,7 +36,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.original" + "sourceField": "threat.indicator.url.original" } }, "incompleteColumns": {} @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:28.102Z", "version": "WzQ1OTAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json index be51533efa4..b8cc9578146 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/8fb01a00-df51-11eb-8f2b-753caedf727d.json @@ -28,7 +28,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.url.path" + "sourceField": "threat.indicator.url.path" }, "9afb1b09-0f20-488c-9242-a94f7d11800b": { "dataType": "number", @@ -91,4 +91,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:33.127Z", "version": "WzQ2NzYsMV0=" -} \ No newline at end of file +} 
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json index 42d14abd0ec..09935680d66 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9282afc0-72d9-11eb-a3e3-b3cc7c78a70f.json @@ -22,7 +22,7 @@ "a6319ec8-2ec8-4d3a-bc54-efe0a306786f": { "dataType": "string", "isBucketed": true, - "label": "Top values of threatintel.indicator.type", + "label": "Top values of threat.indicator.type", "operationType": "terms", "params": { "missingBucket": false, @@ -35,7 +35,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "threatintel.indicator.type" + "sourceField": "threat.indicator.type" } }, "incompleteColumns": {} @@ -70,13 +70,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "filter-index-pattern-1", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -147,4 +147,4 @@ "type": "lens", "updated_at": "2021-08-04T16:34:32.145Z", "version": "WzQ2NTMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json index b4784339ef2..ec09008e580 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/949bc180-df52-11eb-8f2b-753caedf727d.json 
@@ -28,7 +28,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.recordedfuture.risk.riskSummary"
+ "sourceField": "recordedfuture.risk.riskSummary"
 },
 "9afb1b09-0f20-488c-9242-a94f7d11800b": {
 "dataType": "number",
@@ -91,4 +91,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:33.127Z",
 "version": "WzQ2NjYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json
index b9d9b336d1e..7bfea0d313e 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/976620a0-de98-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.file.hash.md5"
+ "sourceField": "threat.indicator.file.hash.md5"
 },
 "9afb1b09-0f20-488c-9242-a94f7d11800b": {
 "dataType": "number",
@@ -91,4 +91,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1OTMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json
index cb82ae74ba5..b6a60ae06c2 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/9c78ade0-de95-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.anomali.description"
+ "sourceField": "anomali.limo.description"
 },
 "9afb1b09-0f20-488c-9242-a94f7d11800b": {
 "dataType": "number",
@@ -91,4 +91,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1OTcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json
index ce6d74b3763..7a4ccbec7ff 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/a0a31740-df51-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.url.scheme"
+ "sourceField": "threat.indicator.url.scheme"
 },
 "9afb1b09-0f20-488c-9242-a94f7d11800b": {
 "dataType": "number",
@@ -91,4 +91,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:33.127Z",
 "version": "WzQ2NzQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json
index 2e80121c2e4..062ccc359f7 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/aac00bc0-de98-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.file.hash.sha1"
+ "sourceField": "threat.indicator.file.hash.sha1"
 },
 "9afb1b09-0f20-488c-9242-a94f7d11800b": {
 "dataType": "number",
@@ -91,4 +91,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1OTQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json
index 02719d9dcb0..17f6d2ccc21 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/ae5934e0-de94-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.url.domain"
+ "sourceField": "threat.indicator.url.domain"
 }
 },
 "incompleteColumns": {}
@@ -91,4 +91,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1OTEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json
index c7587803107..2ee5c4b1a2a 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/b0837690-df52-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.recordedfuture.risk.criticalityLabel"
+ "sourceField": "recordedfuture.risk.criticalityLabel"
 },
 "9afb1b09-0f20-488c-9242-a94f7d11800b": {
 "dataType": "number",
@@ -94,4 +94,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:33.127Z",
 "version": "WzQ2NjMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json
index ed51bcc85fb..5f95d44b92d 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bd28cb00-de96-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
 "size": 3
 },
 "scale": "ordinal",
- "sourceField": "threatintel.anomalithreatstream.severity"
+ "sourceField": "anomali.threatstream.severity"
 }
 },
 "incompleteColumns": {}
@@ -98,4 +98,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1ODIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json
index 0850075db5b..c1110d8d611 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/bfd2bfe0-de97-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
 "size": 5
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.confidence"
+ "sourceField": "threat.indicator.confidence"
 },
 "9afb1b09-0f20-488c-9242-a94f7d11800b": {
 "dataType": "number",
@@ -94,4 +94,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1NzgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json
index 5915a46aca5..6163c46e0b0 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c2a5c180-df51-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.ip"
+ "sourceField": "threat.indicator.ip"
 },
 "9afb1b09-0f20-488c-9242-a94f7d11800b": {
 "dataType": "number",
@@ -47,7 +47,7 @@
 "filters": [],
 "query": {
 "language": "kuery",
- "query": "event.dataset:\"threatintel.recordedfuture\" and threatintel.indicator.type:ipv4-addr"
+ "query": "event.dataset:\"threatintel.recordedfuture\" and threat.indicator.type:ipv4-addr"
 },
 "visualization": {
 "columns": [
@@ -91,4 +91,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:33.127Z",
 "version": "WzQ2NjksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json
index 63c9a1eebde..9eecce1a1c3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/c91fcd10-de95-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.provider"
+ "sourceField": "threat.indicator.provider"
 }
 },
 "incompleteColumns": {}
@@ -91,4 +91,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1ODQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json
index 0d2bc89d441..ddb2717dd0e 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/cf4b4e40-ff69-11eb-acb2-2960a7069ed1.json
@@ -15,7 +15,7 @@
 "73cdbb81-57ca-4474-a86c-bca60a527d29": {
 "dataType": "string",
 "isBucketed": true,
- "label": "Top values of threatintel.indicator.type",
+ "label": "Top values of threat.indicator.type",
 "operationType": "terms",
 "params": {
 "missingBucket": false,
@@ -28,7 +28,7 @@
 "size": 15
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.type"
+ "sourceField": "threat.indicator.type"
 },
 "89f18519-9360-4d37-ae52-134604ac6cfc": {
 "customLabel": true,
@@ -118,4 +118,4 @@
 "type": "lens",
 "updated_at": "2021-10-11T08:02:55.512Z",
 "version": "WzUyOCwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json
index f630743094f..e718c098360 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/d991e510-de96-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
 "size": 5
 },
 "scale": "ordinal",
- "sourceField": "threatintel.anomalithreatstream.state"
+ "sourceField": "anomali.threatstream.state"
 }
 },
 "incompleteColumns": {}
@@ -112,4 +112,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1ODcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json
index b9b2341c0b1..4a25b4df0ef 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/dd4a3da0-df50-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.file.hash.md5"
+ "sourceField": "threat.indicator.file.hash.md5"
 }
 },
 "incompleteColumns": {}
@@ -90,4 +90,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:33.127Z",
 "version": "WzQ2NzEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json
index 1985a727380..03d75c58b2f 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/e5f07800-de94-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.anomalithreatstream.id"
+ "sourceField": "anomali.threatstream.id"
 }
 },
 "incompleteColumns": {}
@@ -91,4 +91,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1OTgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json
index 45745f96eb0..f4c84cc7426 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f37f8350-df50-11eb-8f2b-753caedf727d.json
@@ -36,7 +36,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.file.hash.sha1"
+ "sourceField": "threat.indicator.file.hash.sha1"
 }
 },
 "incompleteColumns": {}
@@ -90,4 +90,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:33.127Z",
 "version": "WzQ2NzIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json
index a3740f838db..7e2446f1e8d 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f52a9720-de93-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.email.address"
+ "sourceField": "threat.indicator.email.address"
 },
 "9afb1b09-0f20-488c-9242-a94f7d11800b": {
 "dataType": "number",
@@ -91,4 +91,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1ODksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json
index c5c7c021b28..9b281bf4769 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/lens/f5f18940-de96-11eb-8f2b-753caedf727d.json
@@ -28,7 +28,7 @@
 "size": 5
 },
 "scale": "ordinal",
- "sourceField": "threatintel.indicator.marking.tlp"
+ "sourceField": "threat.indicator.marking.tlp"
 },
 "9afb1b09-0f20-488c-9242-a94f7d11800b": {
 "dataType": "number",
@@ -112,4 +112,4 @@
 "type": "lens",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1ODMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json
index 63e7825a56b..b37986b02eb 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json
@@ -35,7 +35,7 @@
 "type": "count"
 }
 ],
- "term": "threatintel.indicator.geo.country_iso_code",
+ "term": "threat.indicator.geo.country_iso_code",
 "type": "ES_TERM_SOURCE"
 }
 }
@@ -205,4 +205,4 @@
 "type": "map",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MTksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json
index 8100b60e6b3..e5e94752566 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json
@@ -29,16 +29,16 @@
 "applyGlobalQuery": true,
 "applyGlobalTime": true,
 "filterByMapBounds": true,
- "geoField": "threatintel.indicator.geo.location",
+ "geoField": "threat.indicator.geo.location",
 "id": "a3ecc6af-0299-4cb9-a29c-0b70f666b011",
 "indexPatternRefName": "layer_1_source_index_pattern",
 "scalingType": "LIMIT",
 "sortField": "",
 "sortOrder": "desc",
 "tooltipProperties": [
- "threatintel.indicator.as.number",
- "threatintel.indicator.as.organization.name",
- "threatintel.indicator.geo.country_iso_code"
+ "threat.indicator.as.number",
+ "threat.indicator.as.organization.name",
+ "threat.indicator.geo.country_iso_code"
 ],
 "topHitsSize": 1,
 "topHitsSplitField": "",
@@ -195,4 +195,4 @@
 "type": "map",
 "updated_at": "2021-08-04T16:34:28.102Z",
 "version": "WzQ1ODgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json
index 93d283d07e0..3bc7559fbf6 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.otx.title"
+ "field": "otx.title"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.otx.title",
+ "key": "otx.title",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX Indicator Title",
- "field": "threatintel.otx.title",
+ "field": "otx.title",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NzQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json
index 822c006ccc2..ff5c6b0b875 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/02294f80-73c7-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.sha1"
+ "field": "threat.indicator.file.hash.sha1"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha1",
+ "key": "threat.indicator.file.hash.sha1",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "MISP SHA1 Hash Indicator",
- "field": "threatintel.indicator.file.hash.sha1",
+ "field": "threat.indicator.file.hash.sha1",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2NDEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json
index 1197b8b4a7e..44b6e23d553 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.md5"
+ "field": "threat.indicator.file.hash.md5"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.md5",
+ "key": "threat.indicator.file.hash.md5",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX MD5 Hash Indicator",
- "field": "threatintel.indicator.file.hash.md5",
+ "field": "threat.indicator.file.hash.md5",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NzMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json
index bf55ff3b237..624dde62b61 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/142fb6c0-82a8-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.sha1"
+ "field": "threat.indicator.file.hash.sha1"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha1",
+ "key": "threat.indicator.file.hash.sha1",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "2",
 "params": {
 "customLabel": "SHA1 Hash",
- "field": "threatintel.indicator.file.hash.sha1",
+ "field": "threat.indicator.file.hash.sha1",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json
index f9fc2390a2b..f43232fe645 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.sha256"
+ "field": "threat.indicator.file.hash.sha256"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha256",
+ "key": "threat.indicator.file.hash.sha256",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -47,13 +47,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -84,7 +84,7 @@
 "id": "2",
 "params": {
 "customLabel": "SHA256 Hash",
- "field": "threatintel.indicator.file.hash.sha256",
+ "field": "threat.indicator.file.hash.sha256",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -101,7 +101,7 @@
 "id": "3",
 "params": {
 "customLabel": "File Type",
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -162,4 +162,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:29.041Z",
 "version": "WzQ2MDYsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json
index b2e430cff4c..e972911d995 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f.json
@@ -26,13 +26,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "enabled": true,
 "id": "3",
 "params": {
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -143,4 +143,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:32.145Z",
 "version": "WzQ2NDksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json
index 71144247760..550140b912f 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1adff580-72ee-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.domain"
+ "field": "threat.indicator.url.domain"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.domain",
+ "key": "threat.indicator.url.domain",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "Threat Indicator Domain",
- "field": "threatintel.indicator.domain",
+ "field": "threat.indicator.url.domain",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json
index e2f3d6fda09..e77a6cee76b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1c969990-73c7-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.sha256"
+ "field": "threat.indicator.file.hash.sha256"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha256",
+ "key": "threat.indicator.file.hash.sha256",
 "negate": false,
 "type": "exists",
 "value": "exists"
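Review bot: In the 1adff580 visualization the field is not just re-prefixed but moved, from `threatintel.indicator.domain` to `threat.indicator.url.domain`, so the `exists` filter and the terms aggregation in this section now only see documents where the ingest pipelines write bare domain indicators under `threat.indicator.url.domain`. If any feed's pipeline still emits a domain without the `url.` sub-object, the "Threat Indicator Domain" panel will silently show nothing rather than fail; that mapping lives in the pipelines outside this diff, so it is worth confirming against the fields.yml and a sample event per feed. The lens 1adff580 pairs with ae5934e0 (also `threat.indicator.url.domain`), so both panels depend on the same assumption.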
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "MISP SHA256 Hash Indicator",
- "field": "threatintel.indicator.file.hash.sha256",
+ "field": "threat.indicator.file.hash.sha256",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2NDIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json
index 328a64f0785..57ca90543d3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/1d8002d0-82a7-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.pe.imphash"
+ "field": "threat.indicator.file.pe.imphash"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.pe.imphash",
+ "key": "threat.indicator.file.pe.imphash",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "2",
 "params": {
 "customLabel": "Imphash Hash",
- "field": "threatintel.indicator.file.pe.imphash",
+ "field": "threat.indicator.file.pe.imphash",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json
index b3e12fb4193..4bec354e536 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/21ff17c0-82a6-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.md5"
+ "field": "threat.indicator.file.hash.md5"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.md5",
+ "key": "threat.indicator.file.hash.md5",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "2",
 "params": {
 "customLabel": "MD5 Hash",
- "field": "threatintel.indicator.file.hash.md5",
+ "field": "threat.indicator.file.hash.md5",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json
index 0e395ef2431..9bb6455feea 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.ip"
+ "field": "threat.indicator.ip"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.ip",
+ "key": "threat.indicator.ip",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX IP Indicator",
- "field": "threatintel.indicator.ip",
+ "field": "threat.indicator.ip",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NjcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json
index f931164c888..50f2a9cebc5 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/302d0850-ff7b-11eb-acb2-2960a7069ed1.json
@@ -28,7 +28,7 @@
 "id": "2",
 "params": {
 "customLabel": "Confidence",
- "field": "threatintel.indicator.confidence",
+ "field": "threat.indicator.confidence",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -148,4 +148,4 @@
 "type": "visualization",
 "updated_at": "2021-10-11T08:02:55.512Z",
 "version": "WzUzMCwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json
index 3edcd79c797..bc86816afc3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/346136f0-76d5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.url.original"
+ "field": "threat.indicator.url.original"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.original",
+ "key": "threat.indicator.url.original",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX URL Indicator",
- "field": "threatintel.indicator.url.original",
+ "field": "threat.indicator.url.original",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NjksMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json
index f8d2e419a2b..a3e2646eea2 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f.json
@@ -27,7 +27,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -82,4 +82,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:29.041Z",
 "version": "WzQ2MDcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json
index d1e07d3fbbb..37aa10e1c04 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/41100be0-72e5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.ssdeep"
+ "field": "threat.indicator.file.hash.ssdeep"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.ssdeep",
+ "key": "threat.indicator.file.hash.ssdeep",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -47,13 +47,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -84,7 +84,7 @@
 "id": "2",
 "params": {
 "customLabel": "ssdeep Hash",
- "field": "threatintel.indicator.file.hash.ssdeep",
+ "field": "threat.indicator.file.hash.ssdeep",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -101,7 +101,7 @@
 "id": "3",
 "params": {
 "customLabel": "File Type",
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -162,4 +162,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:29.041Z",
 "version": "WzQ2MDgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json
index 79f94d2a046..65880a6f4bb 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/49f0c060-76cd-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.domain"
+ "field": "threat.indicator.url.domain"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.domain",
+ "key": "threat.indicator.url.domain",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX IP Indicator",
- "field": "threatintel.indicator.domain",
+ "field": "threat.indicator.url.domain",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NjgsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json
index f44f7a32fa3..324c632ab27 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.sha256"
+ "field": "threat.indicator.file.hash.sha256"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha256",
+ "key": "threat.indicator.file.hash.sha256",
 "negate": false,
 "type": "exists",
 "value": "exists"
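Review bot: In the 49f0c060 visualization the new target `threat.indicator.url.domain` is the same field that 9109e490 (L85) reaches from the old `threatintel.indicator.url.domain`, so two previously distinct source fields — `threatintel.indicator.domain` here and in the MISP section 7582b030 (L80), and `threatintel.indicator.url.domain` there — now fold into one; these panels only render correctly if the module's ingest pipelines actually populate `threat.indicator.url.domain` for plain domain-type indicators, which this chunk cannot confirm. Separately, the unchanged `customLabel` in the `@@ -67,7` hunk still reads `AlienVault OTX IP Indicator` for what is now a domain aggregation, the same label 302cd5b0 uses for `threat.indicator.ip`; while this file is being touched it should become `"customLabel": "AlienVault OTX Domain Indicator",`.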
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX SHA256 Hash Indicator",
- "field": "threatintel.indicator.file.hash.sha256",
+ "field": "threat.indicator.file.hash.sha256",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NzIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json
index 927f457e351..014612f2d3c 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/57faae10-73c5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.provider"
+ "field": "threat.indicator.provider"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.provider",
+ "key": "threat.indicator.provider",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -72,7 +72,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "field": "threatintel.indicator.provider",
+ "field": "threat.indicator.provider",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -137,4 +137,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2NDMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json
index db8a7fcef7e..ad4c74b0110 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5b4877b0-82a6-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.sha256"
+ "field": "threat.indicator.file.hash.sha256"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.sha256",
+ "key": "threat.indicator.file.hash.sha256",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "2",
 "params": {
 "customLabel": "SHA256 Hash",
- "field": "threatintel.indicator.file.hash.sha256",
+ "field": "threat.indicator.file.hash.sha256",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json
index f559210728b..b5fe450d273 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5d395d80-ff71-11eb-acb2-2960a7069ed1.json
@@ -28,7 +28,7 @@
 "id": "2",
 "params": {
 "customLabel": "Most Linked Adversaries",
- "field": "threatintel.threatq.adversaries",
+ "field": "threatq.adversaries",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -74,4 +74,4 @@
 "type": "visualization",
 "updated_at": "2021-10-11T08:02:55.512Z",
 "version": "WzUyNiwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json
index fde00ab644d..3626ee406b7 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/5eb61d00-ff72-11eb-acb2-2960a7069ed1.json
@@ -31,7 +31,7 @@
 "id": "2",
 "params": {
 "customLabel": "Indicator Type",
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -48,7 +48,7 @@
 "id": "3",
 "params": {
 "customLabel": "Indicator Value",
- "field": "threatintel.threatq.indicator_value",
+ "field": "threatq.indicator_value",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -94,4 +94,4 @@
 "type": "visualization",
 "updated_at": "2021-10-11T08:07:14.354Z",
 "version": "WzYxNCwxXQ=="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json
index 4e9740c9a10..75b7601754b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/6077fd00-76d5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.url.path"
+ "field": "threat.indicator.url.path"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.path",
+ "key": "threat.indicator.url.path",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX URI Indicator",
- "field": "threatintel.indicator.url.path",
+ "field": "threat.indicator.url.path",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NzEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json
index c0879c8aff7..039e88b7677 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.url.full"
+ "field": "threat.indicator.url.full"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.full",
+ "key": "threat.indicator.url.full",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "Threat Indicator URL",
- "field": "threatintel.indicator.url.full",
+ "field": "threat.indicator.url.full",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json
index 479d7e408e3..4de8710a0e2 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7546ac40-82a6-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.ssdeep"
+ "field": "threat.indicator.file.hash.ssdeep"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.ssdeep",
+ "key": "threat.indicator.file.hash.ssdeep",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "2",
 "params": {
 "customLabel": "ssdeep Hash",
- "field": "threatintel.indicator.file.hash.ssdeep",
+ "field": "threat.indicator.file.hash.ssdeep",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json
index 6767b7e0d19..e2833363e12 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7582b030-73c6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.domain"
+ "field": "threat.indicator.url.domain"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.domain",
+ "key": "threat.indicator.url.domain",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "MISP Domain Indicator",
- "field": "threatintel.indicator.domain",
+ "field": "threat.indicator.url.domain",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2MzIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json
index bc70c5824da..773a823e514 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/786546d0-82a5-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.tlsh"
+ "field": "threat.indicator.file.hash.tlsh"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.tlsh",
+ "key": "threat.indicator.file.hash.tlsh",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -78,7 +78,7 @@
 "id": "2",
 "params": {
 "customLabel": "TLSH Hash",
- "field": "threatintel.indicator.file.hash.tlsh",
+ "field": "threat.indicator.file.hash.tlsh",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -134,4 +134,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json
index 50bed6e06e4..0551a2e4428 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/79da77d0-72e5-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.hash.tlsh"
+ "field": "threat.indicator.file.hash.tlsh"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.hash.tlsh",
+ "key": "threat.indicator.file.hash.tlsh",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -47,13 +47,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -84,7 +84,7 @@
 "id": "2",
 "params": {
 "customLabel": "TLSH Hash",
- "field": "threatintel.indicator.file.hash.tlsh",
+ "field": "threat.indicator.file.hash.tlsh",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -101,7 +101,7 @@
 "id": "3",
 "params": {
 "customLabel": "File Type",
- "field": "threatintel.indicator.file.type",
+ "field": "threat.indicator.file.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -162,4 +162,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:29.041Z",
 "version": "WzQ2MDIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json
index 6ca2835a167..ffb99fa0838 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.type"
+ "field": "threat.indicator.type"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.type",
+ "key": "threat.indicator.type",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -66,7 +66,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "field": "threatintel.indicator.type",
+ "field": "threat.indicator.type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -131,4 +131,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2MzQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json
index 08ea90539c1..75f21ca1a42 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/7cbe5900-82ab-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.first_seen"
+ "field": "threat.indicator.first_seen"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.first_seen",
+ "key": "threat.indicator.first_seen",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -76,7 +76,7 @@
 "id": "2",
 "params": {
 "customLabel": "Indicator First Seen",
- "field": "threatintel.indicator.first_seen",
+ "field": "threat.indicator.first_seen",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -132,4 +132,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MjIsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json
index 3001eca6082..0b947ec09cd 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/87980f70-72ec-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.abuseurl.threat"
+ "field": "abusech.url.threat"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.threat",
+ "key": "abusech.url.threat",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -73,7 +73,7 @@
 "id": "2",
 "params": {
 "customLabel": "Abuse URL Threat",
- "field": "threatintel.abuseurl.threat",
+ "field": "abusech.url.threat",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -204,4 +204,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json
index 8fd2ef65b07..13aee45f317 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/8b2a64a0-82a8-11eb-ac13-d5ca87cb8fa2.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.file.extension"
+ "field": "threat.indicator.file.extension"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.file.extension",
+ "key": "threat.indicator.file.extension",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -66,7 +66,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "field": "threatintel.indicator.file.extension",
+ "field": "threat.indicator.file.extension",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -131,4 +131,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:30.070Z",
 "version": "WzQ2MTcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json
index cfa8fad3789..652e363bbf0 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9047e8b0-72de-11eb-a3e3-b3cc7c78a70f.json
@@ -34,7 +34,7 @@
 "id": "2",
 "params": {
 "customLabel": "Threat Indicator Provider",
- "field": "threatintel.indicator.provider",
+ "field": "threat.indicator.provider",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -156,4 +156,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:32.145Z",
 "version": "WzQ2NTUsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json
index 3e1c8861ced..9146d87144a 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/9109e490-76cd-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.url.domain"
+ "field": "threat.indicator.url.domain"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.url.domain",
+ "key": "threat.indicator.url.domain",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "AlienVault OTX URL Domain Indicator",
- "field": "threatintel.indicator.url.domain",
+ "field": "threat.indicator.url.domain",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NzAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json
index f9a63566f09..c6ec332aa22 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/92961600-7621-11eb-a3e3-b3cc7c78a70f.json
@@ -33,7 +33,7 @@
 "type": "list"
 },
 {
- "fieldName": "threatintel.indicator.provider",
+ "fieldName": "threat.indicator.provider",
 "id": "1614117093181",
 "indexPatternRefName": "control_1_index_pattern",
 "label": "Indicator Provider",
@@ -48,7 +48,7 @@
 "type": "list"
 },
 {
- "fieldName": "threatintel.indicator.type",
+ "fieldName": "threat.indicator.type",
 "id": "1614117117360",
 "indexPatternRefName": "control_2_index_pattern",
 "label": "Indicator Type",
@@ -101,4 +101,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:32.145Z",
 "version": "WzQ2NDcsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json
index a9c17ee0611..b2f747547b3 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/95f384b0-76d8-11eb-a3e3-b3cc7c78a70f.json
@@ -35,7 +35,7 @@
 "id": "2",
 "params": {
 "customLabel": "",
- "field": "threatintel.indicator.url.scheme",
+ "field": "threat.indicator.url.scheme",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -156,4 +156,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:27.014Z",
 "version": "WzQ1NjQsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json
index 0c5102dfd14..03edc5edc0b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.abuseurl.tags"
+ "field": "abusech.url.tags"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.tags",
+ "key": "abusech.url.tags",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "Abuse URL Tags",
- "field": "threatintel.abuseurl.tags",
+ "field": "abusech.url.tags",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:25.974Z",
 "version": "WzQ1NTEsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json
index d81abd72e48..d34f5079186 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a09329d0-73c6-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.indicator.ip"
+ "field": "threat.indicator.ip"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.indicator.ip",
+ "key": "threat.indicator.ip",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -67,7 +67,7 @@
 "id": "2",
 "params": {
 "customLabel": "MISP IP Indicator",
- "field": "threatintel.indicator.ip",
+ "field": "threat.indicator.ip",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -123,4 +123,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:31.083Z",
 "version": "WzQ2MzMsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json
index 419dcc323d1..ba4ce6e4ea7 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f.json
@@ -30,13 +30,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.abuseurl.blacklists.spamhaus_dbl"
+ "field": "abusech.url.blacklists.spamhaus_dbl"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "threatintel.abuseurl.blacklists.spamhaus_dbl",
+ "key": "abusech.url.blacklists.spamhaus_dbl",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -47,13 +47,13 @@
 "store": "appState"
 },
 "exists": {
- "field": "threatintel.abuseurl.blacklists.surbl"
+ "field": "abusech.url.blacklists.surbl"
 },
 "meta": {
 "alias": null,
 "disabled": false,
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "key": "threatintel.abuseurl.blacklists.surbl",
+ "key": "abusech.url.blacklists.surbl",
 "negate": false,
 "type": "exists",
 "value": "exists"
@@ -84,7 +84,7 @@
 "id": "2",
 "params": {
 "customLabel": "Spamhaus DBL Blacklist Status",
- "field": "threatintel.abuseurl.blacklists.spamhaus_dbl",
+ "field": "abusech.url.blacklists.spamhaus_dbl",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -101,7 +101,7 @@
 "id": "3",
 "params": {
 "customLabel": "SURBL Blacklist Status",
- "field": "threatintel.abuseurl.blacklists.surbl",
+ "field": "abusech.url.blacklists.surbl",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -162,4 +162,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NjAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json index 007929c6d0a..81340059012 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.url.scheme" + "field": "threat.indicator.url.scheme" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.url.scheme", + "key": "threat.indicator.url.scheme", "negate": false, "type": "exists", "value": "exists" @@ -74,7 +74,7 @@ "id": "2", "params": { "customLabel": "URL Scheme", - "field": "threatintel.indicator.url.scheme", + "field": "threat.indicator.url.scheme", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -90,7 +90,7 @@ "enabled": true, "id": "3", "params": { - "field": "threatintel.indicator.url.scheme", + "field": "threat.indicator.url.scheme", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -220,4 +220,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTIsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json index 59f66be7644..25929d8fef8 100644 
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/a911a8b0-ff77-11eb-acb2-2960a7069ed1.json @@ -27,7 +27,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.marking.tlp", + "field": "threat.indicator.marking.tlp", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -82,4 +82,4 @@ "type": "visualization", "updated_at": "2021-10-11T08:02:55.512Z", "version": "WzUyNSwxXQ==" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json index a0719389fc8..0b6cc17dce5 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f.json @@ -35,7 +35,7 @@ "id": "2", "params": { "customLabel": "Indicator Marking TLP", - "field": "threatintel.indicator.marking.tlp", + "field": "threat.indicator.marking.tlp", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -51,7 +51,7 @@ "enabled": true, "id": "3", "params": { - "field": "threatintel.indicator.marking.tlp", + "field": "threat.indicator.marking.tlp", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -171,4 +171,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2MzgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json index 0d3c70a156f..09bbd1da8a4 100644 
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/aebde030-72d2-11eb-a3e3-b3cc7c78a70f.json @@ -9,13 +9,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.marking.tlp" + "field": "threat.indicator.marking.tlp" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "threatintel.indicator.marking.tlp", + "key": "threat.indicator.marking.tlp", "negate": false, "type": "exists", "value": "exists" @@ -55,7 +55,7 @@ "id": "2", "params": { "customLabel": "Indicator Marking TLP", - "field": "threatintel.indicator.marking.tlp", + "field": "threat.indicator.marking.tlp", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -71,7 +71,7 @@ "enabled": true, "id": "3", "params": { - "field": "threatintel.indicator.marking.tlp", + "field": "threat.indicator.marking.tlp", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -196,4 +196,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:32.145Z", "version": "WzQ2NTcsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json index dd4771dced6..6b53ad4b086 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/b9533f50-72e5-11eb-a3e3-b3cc7c78a70f.json 
@@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.pe.imphash" + "field": "threat.indicator.file.pe.imphash" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.pe.imphash", + "key": "threat.indicator.file.pe.imphash", "negate": false, "type": "exists", "value": "exists" @@ -47,13 +47,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -84,7 +84,7 @@ "id": "2", "params": { "customLabel": "Imphash Hash", - "field": "threatintel.indicator.file.pe.imphash", + "field": "threat.indicator.file.pe.imphash", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -101,7 +101,7 @@ "id": "3", "params": { "customLabel": "File Type", - "field": "threatintel.indicator.file.type", + "field": "threat.indicator.file.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -162,4 +162,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:29.041Z", "version": "WzQ2MDUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json index f1fc5472b6b..395627036b1 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bc4790b0-82aa-11eb-ac13-d5ca87cb8fa2.json 
@@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.malwarebazaar.intelligence.downloads" + "field": "abusech.malwarebazaar.intelligence.downloads" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.malwarebazaar.intelligence.downloads", + "key": "abusech.malwarebazaar.intelligence.downloads", "negate": false, "type": "exists", "value": "exists" @@ -76,7 +76,7 @@ "id": "2", "params": { "customLabel": "Malware Bazaar Downloads", - "field": "threatintel.malwarebazaar.intelligence.downloads", + "field": "abusech.malwarebazaar.intelligence.downloads", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -132,4 +132,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json index f65bf82d5b3..f71bb235922 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.misp.published" + "field": "misp.published" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.misp.published", + "key": "misp.published", "negate": false, "type": "exists", "value": "exists" @@ -72,7 +72,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.misp.published", + "field": "misp.published", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
@@ -137,4 +137,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2MzksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json index 4ee6602cf67..e992bfb8585 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.url.full" + "field": "threat.indicator.url.full" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.url.full", + "key": "threat.indicator.url.full", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "MISP URL Indicator", - "field": "threatintel.indicator.url.full", + "field": "threat.indicator.url.full", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2MzYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json index 225ca993710..ad6317b4101 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c7d5db50-82a8-11eb-ac13-d5ca87cb8fa2.json 
@@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.provider" + "field": "threat.indicator.provider" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.provider", + "key": "threat.indicator.provider", "negate": false, "type": "exists", "value": "exists" @@ -73,7 +73,7 @@ "id": "2", "params": { "customLabel": "Indicator Provider", - "field": "threatintel.indicator.provider", + "field": "threat.indicator.provider", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -204,4 +204,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MTgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json index 18539863d1a..6619c3564fe 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f.json @@ -9,13 +9,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "enabled": true, "id": "3", "params": { - "field": "threatintel.indicator.type", + "field": "threat.indicator.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
@@ -192,4 +192,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:32.145Z", "version": "WzQ2NTgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json index 107bf321eac..340bcc359c8 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d22c1090-82a5-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.mime_type" + "field": "threat.indicator.file.mime_type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.mime_type", + "key": "threat.indicator.file.mime_type", "negate": false, "type": "exists", "value": "exists" @@ -78,7 +78,7 @@ "id": "3", "params": { "customLabel": "File MIME Type", - "field": "threatintel.indicator.file.mime_type", + "field": "threat.indicator.file.mime_type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -134,4 +134,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MTUsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json index 26f577c2864..7450b383291 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f.json 
@@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.url.full" + "field": "threat.indicator.url.full" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.url.full", + "key": "threat.indicator.url.full", "negate": false, "type": "exists", "value": "exists" @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTgsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json index bd6250bdc9b..a3f14f00b0e 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/dbd199d0-82aa-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.malwarebazaar.intelligence.uploads" + "field": "abusech.malwarebazaar.intelligence.uploads" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.malwarebazaar.intelligence.uploads", + "key": "abusech.malwarebazaar.intelligence.uploads", "negate": false, "type": "exists", "value": "exists" @@ -76,7 +76,7 @@ "id": "2", "params": { "customLabel": "Malware Bazaar Uploads", - "field": "threatintel.malwarebazaar.intelligence.uploads", + "field": "abusech.malwarebazaar.intelligence.uploads", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -132,4 +132,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MjEsMV0=" -} \ No newline at end of file +} 
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json index 3674297d158..fa58d2934c7 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abuseurl.url_status" + "field": "abusech.url.url_status" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abuseurl.url_status", + "key": "abusech.url.url_status", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "URL Status", - "field": "threatintel.abuseurl.url_status", + "field": "abusech.url.url_status", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTksMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json index e05220ceeab..8745f6c3ca3 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f.json 
@@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abuseurl.larted" + "field": "abusech.url.larted" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abuseurl.larted", + "key": "abusech.url.larted", "negate": false, "type": "exists", "value": "exists" @@ -73,7 +73,7 @@ "id": "2", "params": { "customLabel": "Hosting Provider Notified", - "field": "threatintel.abuseurl.larted", + "field": "abusech.url.larted", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -138,4 +138,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTMsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json index 4a7c4dfa740..517fa9c84ce 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.file.hash.md5" + "field": "threat.indicator.file.hash.md5" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.file.hash.md5", + "key": "threat.indicator.file.hash.md5", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "MISP MD5 Hash Indicator", - "field": "threatintel.indicator.file.hash.md5", + "field": "threat.indicator.file.hash.md5", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
@@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:31.083Z", "version": "WzQ2NDAsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json index ea0aef5cb86..16d083d8762 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abuseurl.threat" + "field": "abusech.url.threat" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abuseurl.threat", + "key": "abusech.url.threat", "negate": false, "type": "exists", "value": "exists" @@ -72,7 +72,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.provider", + "field": "threat.indicator.provider", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -203,4 +203,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:25.974Z", "version": "WzQ1NTYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json index 3d473b4e17d..41b0ecfa65b 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f33125b0-76d8-11eb-a3e3-b3cc7c78a70f.json 
@@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.indicator.type" + "field": "threat.indicator.type" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.indicator.type", + "key": "threat.indicator.type", "negate": false, "type": "exists", "value": "exists" @@ -66,7 +66,7 @@ "enabled": true, "id": "2", "params": { - "field": "threatintel.indicator.type", + "field": "threat.indicator.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -131,4 +131,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:27.014Z", "version": "WzQ1NjYsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json index 958c15dba69..664816cccba 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f91e9620-82a8-11eb-ac13-d5ca87cb8fa2.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.malwarebazaar.tags" + "field": "abusech.malwarebazaar.tags" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.malwarebazaar.tags", + "key": "abusech.malwarebazaar.tags", "negate": false, "type": "exists", "value": "exists" @@ -67,7 +67,7 @@ "id": "2", "params": { "customLabel": "Malware Bazaar Tags", - "field": "threatintel.malwarebazaar.tags", + "field": "abusech.malwarebazaar.tags", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
@@ -123,4 +123,4 @@ "type": "visualization", "updated_at": "2021-08-04T16:34:30.070Z", "version": "WzQ2MTQsMV0=" -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json index 21660b248e4..516a572fb88 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/visualization/f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f.json @@ -30,13 +30,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abusemalware.virustotal.link" + "field": "abusech.malware.virustotal.link" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "threatintel.abusemalware.virustotal.link", + "key": "abusech.malware.virustotal.link", "negate": false, "type": "exists", "value": "exists" @@ -47,13 +47,13 @@ "store": "appState" }, "exists": { - "field": "threatintel.abusemalware.virustotal.result" + "field": "abusech.malware.virustotal.result" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "threatintel.abusemalware.virustotal.result", + "key": "abusech.malware.virustotal.result", "negate": false, "type": "exists", "value": "exists" @@ -95,7 +95,7 @@ "id": "2", "params": { "customLabel": "VirusTotal URL", - "field": "threatintel.abusemalware.virustotal.link", + "field": "abusech.malware.virustotal.link", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
@@ -112,7 +112,7 @@
 "id": "3",
 "params": {
 "customLabel": "VirusTotal Result",
-"field": "threatintel.abusemalware.virustotal.result",
+"field": "abusech.malware.virustotal.result",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -173,4 +173,4 @@
 "type": "visualization",
 "updated_at": "2021-08-04T16:34:29.041Z",
 "version": "WzQ2MTAsMV0="
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml b/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml
index 55f8657bc6e..73aae20e07f 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/abusemalware/_meta/fields.yml
@@ -1,4 +1,4 @@
-- name: abusemalware
+- name: abusech.malware
   type: group
   description: >
     Fields for AbuseCH Malware Threat Intel
@@ -31,4 +31,4 @@
     - name: virustotal.link
       type: keyword
       description: >
-        Link to the Virustotal report.
\ No newline at end of file
+        Link to the Virustotal report.
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml
index e7f4f8cc264..b4365bd3e5b 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml
@@ -11,10 +11,9 @@
 request.ssl: {{ .ssl | tojson }}
 request.proxy_url: {{ .proxy_url }}
 {{ end }}
 request.url: {{ .url }}
-request.transforms:
-- set:
-    target: header.Content-Type
-    value: application/json
+{{ if .http_client_timeout }}
+request.timeout: {{ .http_client_timeout }}
+{{ end }}
 response.split:
   target: body.payloads
@@ -30,17 +29,12 @@
 exclude_files: [".gz$"]
 {{ end }}
 
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
 
-processors:
-  - decode_json_fields:
-      fields: [message]
-      target: json
-  - fingerprint:
-      fields: ["json.md5_hash"]
-      target_field: "@metadata._id"
-  - add_fields:
-      target: ''
-      fields:
-        ecs.version: 1.12.0
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
index 5e24b68c52e..da0b365724f 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
@@ -1,4 +1,5 @@
-description: Pipeline for parsing Abuse.ch Malware Threat Intel
+---
+description: Pipeline for parsing Abuse.ch URL Threat Intel
 processors:
   ####################
   # Event ECS fields #
@@ -6,6 +7,9 @@ processors:
   - set:
       field: event.ingested
       value: "{{_ingest.timestamp}}"
+  - set:
+      field: ecs.version
+      value: "1.12"
   - set:
       field: event.kind
       value: enrichment
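Review bot: The new `tags:` block writes each user-supplied tag into the generated YAML unquoted (`- {{$val}}`), whereas the removed `tags: {{.tags | tojson}}` emitted a JSON array whose elements YAML always reads as strings. A tag such as `yes`, `null` or `1.0`, or one containing `: ` or ` #`, would now be type-coerced or break the rendered config, because the template applies no escaping. The `tojson` helper is already used in this same file for `request.ssl`, so the safe form is `- {{$val | tojson}}`. The literal `preserve_original_event` entry is unaffected.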
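Review bot: The new `description:` line says `Pipeline for parsing Abuse.ch URL Threat Intel`, but this file is `abusemalware/ingest/pipeline.yml` and the removed line correctly read `Malware`; this looks like a copy-paste from the URL pipeline. Suggest `description: Pipeline for parsing Abuse.ch Malware Threat Intel` so operators inspecting the installed pipeline in Elasticsearch are not misled about which feed it handles. The `processors:` list continues past the end of this hunk.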
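Review bot: The added `set` processor writes `ecs.version` as `"1.12"`, while the Filebeat-side `add_fields` processor removed from `config.yml` in this same commit wrote `ecs.version: 1.12.0`. ECS version values are conventionally full semver strings, and tooling that compares this field against a release number may treat `1.12` and `1.12.0` differently; unless the shortening is deliberate, keep the prior form with `value: "1.12.0"`. The enclosing `processors:` list continues outside the hunk.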
@@ -20,92 +24,110 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.abusemalware + field: message + target_field: event.original ignore_missing: true + - json: + field: event.original + target_field: abusech.malware + - fingerprint: + fields: + - abusech.malware.md5_hash + - abusech.malware.sha256_hash + target_field: "_id" ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] AbuseCH Malware" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" - date: - field: threatintel.abusemalware.firstseen - target_field: threatintel.indicator.first_seen + field: abusech.malware.firstseen + target_field: threat.indicator.first_seen formats: - "yyyy-MM-dd HH:mm:ss z" - "yyyy-MM-dd HH:mm:ss Z" - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.abusemalware.firstseen != null" + if: "ctx.abusech?.malware?.firstseen != null" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - rename: - field: threatintel.abusemalware.file_size - target_field: threatintel.indicator.file.size + field: abusech.malware.file_size + target_field: threat.indicator.file.size ignore_missing: true - rename: - field: threatintel.abusemalware.file_type - target_field: threatintel.indicator.file.type + field: abusech.malware.file_type + target_field: threat.indicator.file.type ignore_missing: true # This includes a direct link to malicious files, we do not want them to appear in Kibana # in case they are accidently clicked. 
- remove: - field: threatintel.abusemalware.urlhaus_download + field: abusech.malware.urlhaus_download ignore_missing: true - convert: - field: threatintel.indicator.file.size + field: threat.indicator.file.size type: long ignore_missing: true + - convert: + field: abusech.malware.virustotal.percent + type: float + ignore_missing: true - rename: - field: threatintel.abusemalware.md5_hash - target_field: threatintel.indicator.file.hash.md5 + field: abusech.malware.md5_hash + target_field: threat.indicator.file.hash.md5 ignore_missing: true - rename: - field: threatintel.abusemalware.sha256_hash - target_field: threatintel.indicator.file.hash.sha256 + field: abusech.malware.sha256_hash + target_field: threat.indicator.file.hash.sha256 ignore_missing: true - rename: - field: threatintel.abusemalware.imphash - target_field: threatintel.indicator.file.pe.imphash + field: abusech.malware.imphash + target_field: threat.indicator.file.pe.imphash ignore_missing: true - rename: - field: threatintel.abusemalware.ssdeep - target_field: threatintel.indicator.file.hash.ssdeep + field: abusech.malware.ssdeep + target_field: threat.indicator.file.hash.ssdeep ignore_missing: true - rename: - field: threatintel.abusemalware.tlsh - target_field: threatintel.indicator.file.hash.tlsh + field: abusech.malware.tlsh + target_field: threat.indicator.file.hash.tlsh ignore_missing: true - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.md5 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null + value: "{{{threat.indicator.file.hash.md5}}}" + if: ctx?.threat?.indicator?.file?.hash?.md5 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.sha256 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null + value: "{{{threat.indicator.file.hash.sha256}}}" + if: ctx?.threat?.indicator?.file?.hash?.sha256 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.ssdeep }}" - if: 
ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null + value: "{{{threat.indicator.file.hash.ssdeep}}}" + if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null - append: field: related.hash - value: "{{ threatintel.indicator.file.pe.imphash }}" - if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null + value: "{{{threat.indicator.file.pe.imphash}}}" + if: ctx?.threat?.indicator?.file?.pe?.imphash != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.tlsh }}" - if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null + value: "{{{threat.indicator.file.hash.tlsh}}}" + if: ctx?.threat?.indicator?.file?.hash?.tlsh != null ###################### # Cleanup processors # ###################### - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx?.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx?.abusech != null source: | void handleMap(Map map) { for (def x : map.values()) { @@ -127,9 +149,14 @@ processors: } } handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - - threatintel.abusemalware.firstseen + - abusech.malware.firstseen - message ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml b/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml index 5fe3a155180..0d755b7b38d 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml +++ b/x-pack/filebeat/module/threatintel/abusemalware/manifest.yml @@ -11,6 +11,9 @@ var: - name: tags default: [threatintel-abusemalware, forwarded] - name: proxy_url + - name: preserve_original_event + default: false + - name: http_client_timeout ingest_pipeline: - ingest/pipeline.yml 
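Review bot: The new `fingerprint` processor lists `abusech.malware.md5_hash` and `abusech.malware.sha256_hash` without `ignore_missing`, so with the processor's default a payload record lacking either hash should fail the whole pipeline and land in `on_failure` instead of being indexed. If that is intended as a guard against indexing an indicator without a stable id, a one-line comment above the processor saying so would help the next maintainer; if not, `ignore_missing: true` keeps partial records. The hunk's `on_failure` handler continues outside the hunk.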
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json
index 6c31b6f779c..75a4d118ba3 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json
@@ -20,15 +20,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "7871286a8f1f68a14b18ae475683f724",
- "threatintel.indicator.file.hash.sha256": "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW",
- "threatintel.indicator.file.hash.tlsh": "1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:14:05.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "7871286a8f1f68a14b18ae475683f724",
+ "threat.indicator.file.hash.sha256": "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW",
+ "threat.indicator.file.hash.tlsh": "1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:14:05.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -51,17 +53,22 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "7b4c77dc293347b467fb860e34515163",
- "threatintel.indicator.file.hash.sha256": "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr",
- "threatintel.indicator.file.hash.tlsh": "4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:11:41.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "7b4c77dc293347b467fb860e34515163",
+ "threat.indicator.file.hash.sha256": "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr",
+ "threat.indicator.file.hash.tlsh": "4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:11:41.000Z",
+ "threat.indicator.type": "file"
 },
 {
+ "abusech.malware.virustotal.link": "https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d",
+ "abusech.malware.virustotal.percent": 37.88,
+ "abusech.malware.virustotal.result": "25 / 66",
 "event.category": "threat",
 "event.dataset": "threatintel.abusemalware",
 "event.kind": "enrichment",
@@ -82,18 +89,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d",
- "threatintel.abusemalware.virustotal.percent": "37.88",
- "threatintel.abusemalware.virustotal.result": "25 / 66",
- "threatintel.indicator.file.hash.md5": "373d34874d7bc89fd4cefa6272ee80bf",
- "threatintel.indicator.file.hash.sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd",
- "threatintel.indicator.file.hash.tlsh": "7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:11:22.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "373d34874d7bc89fd4cefa6272ee80bf",
+ "threat.indicator.file.hash.sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd",
+ "threat.indicator.file.hash.tlsh": "7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:11:22.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -116,15 +122,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "e2e02aae857488dbdbe6631c29abf3f8",
- "threatintel.indicator.file.hash.sha256": "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8",
- "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH",
- "threatintel.indicator.file.hash.tlsh": "5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 284672,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:11:21.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "e2e02aae857488dbdbe6631c29abf3f8",
+ "threat.indicator.file.hash.sha256": "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8",
+ "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH",
+ "threat.indicator.file.hash.tlsh": "5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 284672,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:11:21.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -146,16 +154,21 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "3e988e32b0c3c230d534e286665b89a5",
- "threatintel.indicator.file.hash.sha256": "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b",
- "threatintel.indicator.file.hash.ssdeep": "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR",
- "threatintel.indicator.file.hash.tlsh": "3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190",
- "threatintel.indicator.file.size": 352,
- "threatintel.indicator.file.type": "unknown",
- "threatintel.indicator.first_seen": "2021-01-14T06:08:02.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "3e988e32b0c3c230d534e286665b89a5",
+ "threat.indicator.file.hash.sha256": "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b",
+ "threat.indicator.file.hash.ssdeep": "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR",
+ "threat.indicator.file.hash.tlsh": "3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190",
+ "threat.indicator.file.size": 352,
+ "threat.indicator.file.type": "unknown",
+ "threat.indicator.first_seen": "2021-01-14T06:08:02.000Z",
+ "threat.indicator.type": "file"
 },
 {
+ "abusech.malware.virustotal.link": "https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0",
+ "abusech.malware.virustotal.percent": 39.13,
+ "abusech.malware.virustotal.result": "27 / 69",
 "event.category": "threat",
 "event.dataset": "threatintel.abusemalware",
 "event.kind": "enrichment",
@@ -176,18 +189,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0",
- "threatintel.abusemalware.virustotal.percent": "39.13",
- "threatintel.abusemalware.virustotal.result": "27 / 69",
- "threatintel.indicator.file.hash.md5": "dcc20d534cdf29eab03d8148bf728857",
- "threatintel.indicator.file.hash.sha256": "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH",
- "threatintel.indicator.file.hash.tlsh": "0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:08:02.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "dcc20d534cdf29eab03d8148bf728857",
+ "threat.indicator.file.hash.sha256": "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH",
+ "threat.indicator.file.hash.tlsh": "0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:08:02.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -210,15 +222,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "f6facbf7a90b9e67a6de9f6634eb40ba",
- "threatintel.indicator.file.hash.sha256": "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be",
- "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL",
- "threatintel.indicator.file.hash.tlsh": "2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 284672,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:53.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "f6facbf7a90b9e67a6de9f6634eb40ba",
+ "threat.indicator.file.hash.sha256": "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be",
+ "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL",
+ "threat.indicator.file.hash.tlsh": "2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 284672,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:53.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -241,17 +255,20 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "44325fd5bdda2e2cdea07c3a39953bb1",
- "threatintel.indicator.file.hash.sha256": "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg",
- "threatintel.indicator.file.hash.tlsh": "A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:41.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "44325fd5bdda2e2cdea07c3a39953bb1",
+ "threat.indicator.file.hash.sha256": "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg",
+ "threat.indicator.file.hash.tlsh": "A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:41.000Z",
+ "threat.indicator.type": "file"
 },
 {
+ "abusech.malware.signature": "Heodo",
 "event.category": "threat",
 "event.dataset": "threatintel.abusemalware",
 "event.kind": "enrichment",
@@ -272,16 +289,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.abusemalware.signature": "Heodo",
- "threatintel.indicator.file.hash.md5": "4c549051950522a3f1b0814aa9b1f6d1",
- "threatintel.indicator.file.hash.sha256": "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv",
- "threatintel.indicator.file.hash.tlsh": "4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:31.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "4c549051950522a3f1b0814aa9b1f6d1",
+ "threat.indicator.file.hash.sha256": "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv",
+ "threat.indicator.file.hash.tlsh": "4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:31.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -304,15 +322,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "d7333113098d88b6a5dd5b8eb24f9b87",
- "threatintel.indicator.file.hash.sha256": "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4",
- "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW",
- "threatintel.indicator.file.hash.tlsh": "9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 284672,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:07.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "d7333113098d88b6a5dd5b8eb24f9b87",
+ "threat.indicator.file.hash.sha256": "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4",
+ "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW",
+ "threat.indicator.file.hash.tlsh": "9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 284672,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:07.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -335,15 +355,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "c8dbb261c1f450534c3693da2f4b479f",
- "threatintel.indicator.file.hash.sha256": "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR",
- "threatintel.indicator.file.hash.tlsh": "F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:07.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "c8dbb261c1f450534c3693da2f4b479f",
+ "threat.indicator.file.hash.sha256": "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR",
+ "threat.indicator.file.hash.tlsh": "F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:07.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -366,15 +388,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "714953f1d0031a4bb2f0c44afd015931",
- "threatintel.indicator.file.hash.sha256": "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7",
- "threatintel.indicator.file.hash.tlsh": "F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:06.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "714953f1d0031a4bb2f0c44afd015931",
+ "threat.indicator.file.hash.sha256": "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7",
+ "threat.indicator.file.hash.tlsh": "F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:06.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -397,15 +421,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "20fd22742500d4cec123398afc3d3672",
- "threatintel.indicator.file.hash.sha256": "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP",
- "threatintel.indicator.file.hash.tlsh": "BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:07:00.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "20fd22742500d4cec123398afc3d3672",
+ "threat.indicator.file.hash.sha256": "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP",
+ "threat.indicator.file.hash.tlsh": "BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:07:00.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -428,17 +454,20 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "aa81ceea053797a6f8c38a0f2f9b80b0",
- "threatintel.indicator.file.hash.sha256": "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo",
- "threatintel.indicator.file.hash.tlsh": "CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:06:36.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "aa81ceea053797a6f8c38a0f2f9b80b0",
+ "threat.indicator.file.hash.sha256": "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo",
+ "threat.indicator.file.hash.tlsh": "CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:06:36.000Z",
+ "threat.indicator.type": "file"
 },
 {
+ "abusech.malware.signature": "Heodo",
 "event.category": "threat",
 "event.dataset": "threatintel.abusemalware",
 "event.kind": "enrichment",
@@ -459,16 +488,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.abusemalware.signature": "Heodo",
- "threatintel.indicator.file.hash.md5": "a2ce6795664c0fa93b07fa54ba868991",
- "threatintel.indicator.file.hash.sha256": "0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1",
- "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY",
- "threatintel.indicator.file.hash.tlsh": "8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 277504,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:06:13.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "a2ce6795664c0fa93b07fa54ba868991",
+ "threat.indicator.file.hash.sha256": "0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1",
+ "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY",
+ "threat.indicator.file.hash.tlsh": "8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 277504,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:06:13.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -491,15 +521,17 @@
 "forwarded",
 "threatintel-abusemalware"
 ],
- "threatintel.indicator.file.hash.md5": "9b9bac158dacb9c2f5511e9c464a7de4",
- "threatintel.indicator.file.hash.sha256": "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e",
- "threatintel.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk",
- "threatintel.indicator.file.hash.tlsh": "6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317",
- "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
- "threatintel.indicator.file.size": 280064,
- "threatintel.indicator.file.type": "dll",
- "threatintel.indicator.first_seen": "2021-01-14T06:05:52.000Z",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH Malware",
+ "threat.indicator.file.hash.md5": "9b9bac158dacb9c2f5511e9c464a7de4",
+ "threat.indicator.file.hash.sha256": "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e",
+ "threat.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk",
+ "threat.indicator.file.hash.tlsh": "6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317",
+ "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088",
+ "threat.indicator.file.size": 280064,
+ "threat.indicator.file.type": "dll",
+ "threat.indicator.first_seen": "2021-01-14T06:05:52.000Z",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -522,17 +554,20 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "e48e3fa5e0f7b21c1ecf1efc81ff91e8", - "threatintel.indicator.file.hash.sha256": "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj", - "threatintel.indicator.file.hash.tlsh": "6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:51.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "e48e3fa5e0f7b21c1ecf1efc81ff91e8", + "threat.indicator.file.hash.sha256": "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj", + "threat.indicator.file.hash.tlsh": "6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:51.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.signature": "Heodo", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", 
@@ -553,16 +588,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.signature": "Heodo", - "threatintel.indicator.file.hash.md5": "8957f5347633ab4b10c2ae4fb92c8572", - "threatintel.indicator.file.hash.sha256": "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM", - "threatintel.indicator.file.hash.tlsh": "0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:50.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "8957f5347633ab4b10c2ae4fb92c8572", + "threat.indicator.file.hash.sha256": "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM", + "threat.indicator.file.hash.tlsh": "0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:50.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -585,15 +621,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "09cc76b7077b4d5704e46e864575ff03", - "threatintel.indicator.file.hash.sha256": "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js", - "threatintel.indicator.file.hash.tlsh": "BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:36.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "09cc76b7077b4d5704e46e864575ff03", + "threat.indicator.file.hash.sha256": "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js", + "threat.indicator.file.hash.tlsh": "BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:36.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -616,17 +654,20 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "98a1cdf7de4232363f1d1e0f33dbfd99", - "threatintel.indicator.file.hash.sha256": "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+", - "threatintel.indicator.file.hash.tlsh": "C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:16.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "98a1cdf7de4232363f1d1e0f33dbfd99", + "threat.indicator.file.hash.sha256": "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+", + "threat.indicator.file.hash.tlsh": "C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:16.000Z", + "threat.indicator.type": "file" }, { + "abusech.malware.signature": "Heodo", "event.category": "threat", "event.dataset": "threatintel.abusemalware", "event.kind": "enrichment", 
@@ -647,16 +688,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.abusemalware.signature": "Heodo", - "threatintel.indicator.file.hash.md5": "8a51830c1662513ba6bd44e2f7849547", - "threatintel.indicator.file.hash.sha256": "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa", - "threatintel.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/", - "threatintel.indicator.file.hash.tlsh": "1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 284672, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:15.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "8a51830c1662513ba6bd44e2f7849547", + "threat.indicator.file.hash.sha256": "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa", + "threat.indicator.file.hash.ssdeep": "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/", + "threat.indicator.file.hash.tlsh": "1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 284672, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:15.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -679,15 +721,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "ae21d742a8118d6b86674aa5370bd6a7", - "threatintel.indicator.file.hash.sha256": "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51", - "threatintel.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS", - "threatintel.indicator.file.hash.tlsh": "5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 280064, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:05:12.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "ae21d742a8118d6b86674aa5370bd6a7", + "threat.indicator.file.hash.sha256": "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51", + "threat.indicator.file.hash.ssdeep": "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS", + "threat.indicator.file.hash.tlsh": "5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 280064, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:05:12.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -710,15 +754,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "78c9d88d24ed1d982a83216eed1590f6", - "threatintel.indicator.file.hash.sha256": "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr", - "threatintel.indicator.file.hash.tlsh": "6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:04:38.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "78c9d88d24ed1d982a83216eed1590f6", + "threat.indicator.file.hash.sha256": "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr", + "threat.indicator.file.hash.tlsh": "6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:04:38.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -741,15 +787,17 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "236577d5d83e2a8d08623a7a7f724188", - "threatintel.indicator.file.hash.sha256": "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa", - "threatintel.indicator.file.hash.ssdeep": "6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC", - "threatintel.indicator.file.hash.tlsh": "8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5", - "threatintel.indicator.file.pe.imphash": "ed2860c18f5483e3b5388bad75169dc1", - "threatintel.indicator.file.size": 241664, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:04:26.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "236577d5d83e2a8d08623a7a7f724188", + "threat.indicator.file.hash.sha256": "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa", + "threat.indicator.file.hash.ssdeep": "6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC", + "threat.indicator.file.hash.tlsh": "8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5", + "threat.indicator.file.pe.imphash": "ed2860c18f5483e3b5388bad75169dc1", + "threat.indicator.file.size": 241664, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:04:26.000Z", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -772,14 +820,16 @@ "forwarded", "threatintel-abusemalware" ], - "threatintel.indicator.file.hash.md5": "ff60107d82dcda7e6726d214528758e7", - "threatintel.indicator.file.hash.sha256": "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27", - "threatintel.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU", - "threatintel.indicator.file.hash.tlsh": "9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", - "threatintel.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", - "threatintel.indicator.file.size": 277504, - "threatintel.indicator.file.type": "dll", - "threatintel.indicator.first_seen": "2021-01-14T06:04:20.000Z", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH Malware", + "threat.indicator.file.hash.md5": "ff60107d82dcda7e6726d214528758e7", + "threat.indicator.file.hash.sha256": "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27", + "threat.indicator.file.hash.ssdeep": "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU", + "threat.indicator.file.hash.tlsh": "9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717", + "threat.indicator.file.pe.imphash": "68aea345b134d576ccdef7f06db86088", + "threat.indicator.file.size": 277504, + "threat.indicator.file.type": "dll", + "threat.indicator.first_seen": "2021-01-14T06:04:20.000Z", + "threat.indicator.type": "file" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml index a93f91d339c..f407bb8d615 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml 
@@ -1,4 +1,4 @@
-- name: abuseurl
+- name: abusech.url
   type: group
   description: >
     Fields for AbuseCH Malware Threat Intel
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml
index a93f91d339c..f407bb8d615 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/_meta/fields.yml
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml
index da01bc61c40..f577594ec06 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml
@@ -11,10 +11,6 @@ request.ssl: {{ .ssl | tojson }}
 request.proxy_url: {{ .proxy_url }}
 {{ end }}
 request.url: {{ .url }}
-request.transforms:
-- set:
-    target: header.Content-Type
-    value: application/json
 response.split:
   target: body.urls
@@ -30,17 +26,12 @@ exclude_files: [".gz$"]
 {{ end }}
 
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+  - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+  - {{$val}}
+{{end}}
 
-processors:
-  - decode_json_fields:
-      fields: [message]
-      target: json
-  - fingerprint:
-      fields: ["json.id"]
-      target_field: "@metadata._id"
-  - add_fields:
-      target: ''
-      fields:
-        ecs.version: 1.12.0
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
index bf674ba2c88..f762db7351e 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
@@ -1,3 +1,4 @@
+---
 description: Pipeline for parsing Abuse.ch URL Threat Intel
 processors:
 ####################
@@ -6,6 +7,9 @@ processors:
   - set:
       field: event.ingested
       value: "{{_ingest.timestamp}}"
+  - set:
+      field: ecs.version
+      value: "1.12"
   - set:
       field: event.kind
       value: enrichment
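Review bot: The rewritten `tags:` block in the config.yml hunk emits each tag into the generated YAML unquoted — `  - {{$val}}` — whereas the removed `tags: {{.tags | tojson}}` produced a JSON-encoded array. A user-supplied tag containing a colon, `#`, or a leading `[`/`{`/`*` therefore yields an invalid or mis-parsed input config instead of a quoted string; the template already has the escaping helper in scope on the same page (`request.ssl: {{ .ssl | tojson }}`), so `  - {{$val | tojson}}` restores it. Separately, when `.tags` is overridden to an empty list and `preserve_original_event` is false, `tags:` now renders with no items (a YAML null) where it previously rendered `[]`; if the input does not accept a null tags value, this needs an explicit `tags: []` fallback. The `inList .tags "forwarded"` line below is unaffected since it reads the variable directly.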
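Review bot: The ECS version string changes shape in the second pipeline.yml hunk: the `add_fields` processor deleted from config.yml in the hunk above wrote `ecs.version: 1.12.0`, while the new `set` processor writes `value: "1.12"`. If the two-component form is the convention this sync adopts across modules that is fine, but anything that matches the exact string (dashboards, saved queries, the expected-output fixtures) will see a different value than before. If that was not intended, `value: "1.12.0"` keeps the emitted value unchanged while still moving the assignment into the pipeline.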
@@ -20,62 +24,75 @@ processors:
 # General ECS fields #
 ######################
   - rename:
-      field: json
-      target_field: threatintel.abuseurl
+      field: message
+      target_field: event.original
       ignore_missing: true
+  - json:
+      field: event.original
+      target_field: abusech.url
+  - fingerprint:
+      fields:
+        - abusech.url.id
+      target_field: "_id"
 #####################
 # Threat ECS Fields #
 #####################
   - set:
-      field: threatintel.indicator.type
+      field: threat.feed.name
+      value: "[Filebeat] AbuseCH URL"
+  - set:
+      field: threat.feed.dashboard_id
+      value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
+  - set:
+      field: threat.indicator.type
       value: url
   - date:
-      field: threatintel.abuseurl.date_added
-      target_field: threatintel.indicator.first_seen
+      field: abusech.url.date_added
+      target_field: threat.indicator.first_seen
       formats:
         - "yyyy-MM-dd HH:mm:ss z"
         - "yyyy-MM-dd HH:mm:ss Z"
-      if: "ctx?.threatintel?.abuseurl?.date_added != null"
+      if: "ctx.abusech?.url?.date_added != null"
   - uri_parts:
-      field: threatintel.abuseurl.url
-      target_field: threatintel.indicator.url
+      field: abusech.url.url
+      target_field: threat.indicator.url
       keep_original: true
       remove_if_successful: true
   - set:
-      field: threatintel.indicator.url.full
-      value: "{{{threatintel.indicator.url.original}}}"
+      field: threat.indicator.url.full
+      value: "{{{threat.indicator.url.original}}}"
       ignore_empty_value: true
   - rename:
-      field: threatintel.abuseurl.urlhaus_reference
-      target_field: threatintel.indicator.reference
+      field: abusech.url.urlhaus_reference
+      target_field: threat.indicator.reference
       ignore_missing: true
   # Host can be both IP addresses and domain names
   - grok:
-      field: threatintel.abuseurl.host
+      field: abusech.url.host
       patterns:
-        - "(?:%{IP:threatintel.indicator.ip}|%{GREEDYDATA:threatintel.indicator.url.domain})"
+        - "(?:%{IP:threat.indicator.ip}|%{GREEDYDATA:threat.indicator.url.domain})"
       ignore_failure: true
   - rename:
-      field: threatintel.abuseurl.reporter
-      target_field: threatintel.indicator.provider
+      field: abusech.url.reporter
+      target_field: threat.indicator.provider
       ignore_missing: true
 ######################
 # Cleanup processors #
 ######################
   - set:
-      field: threatintel.indicator.type
+      field: threat.indicator.type
       value: unknown
-      if: ctx?.threatintel?.indicator?.type == null
+      if: ctx?.threat?.indicator?.type == null
   - convert:
-      field: threatintel.abuseurl.larted
+      field: abusech.url.larted
       type: boolean
       ignore_missing: true
   - script:
       lang: painless
-      if: ctx?.threatintel != null
+      if: ctx?.abusech != null
       source: |
         void handleMap(Map map) {
           for (def x : map.values()) {
@@ -97,11 +114,16 @@ processors:
             }
           }
           handleMap(ctx);
+  - remove:
+      field: event.original
+      if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+      ignore_failure: true
+      ignore_missing: true
   - remove:
       field:
-        - threatintel.abuseurl.date_added
-        - threatintel.abuseurl.url
-        - threatintel.abuseurl.host
+        - abusech.url.date_added
+        - abusech.url.url
+        - abusech.url.host
         - message
       ignore_missing: true
 on_failure:
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml b/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml
index 13b5e663c4a..2f71ad88253 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/manifest.yml
@@ -11,6 +11,8 @@ var:
   - name: tags
     default: [threatintel-abuseurls, forwarded]
   - name: proxy_url
+  - name: preserve_original_event
+    default: false
 
 ingest_pipeline:
   - ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json
index 3b312440b34..c76728b3c16 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json
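Review bot: The rewritten `date` condition `if: "ctx.abusech?.url?.date_added != null"` drops the null-safe access on `ctx` that every other condition touched in this hunk keeps (`if: ctx?.abusech != null`, `if: ctx?.threat?.indicator?.type == null`). It is harmless at runtime, since `ctx` is never null inside an ingest pipeline, but it reads as an accidental edit; `if: "ctx?.abusech?.url?.date_added != null"` matches the rest of the file. The added `json` and `fingerprint` processors carry no `ignore_failure`/`ignore_missing`, so a feed line that is not valid JSON or has no `id` sends the whole document to the `on_failure` block, which starts outside this hunk; that is a reasonable choice for a curated feed, but a one-line comment above `- json:` saying so (e.g. `# Non-JSON or id-less entries fail the pipeline; see on_failure`) would save the next maintainer from re-deriving it. The `processors` list this hunk edits begins and ends outside the hunk.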
@@ -1,5 +1,15 @@ [ { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961548", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi", + "elf" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -13,30 +23,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961548", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:19:13.000Z", + "threat.indicator.ip": "103.72.223.103", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961548/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "103.72.223.103", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://103.72.223.103:34613/Mozi.m", + "threat.indicator.url.original": "http://103.72.223.103:34613/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34613, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961546", + "abusech.url.larted": false, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:19:13.000Z", - "threatintel.indicator.ip": "103.72.223.103", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961548/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "103.72.223.103", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://103.72.223.103:34613/Mozi.m", - "threatintel.indicator.url.original": "http://103.72.223.103:34613/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34613, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -50,30 +62,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961546", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:19:05.000Z", + "threat.indicator.ip": "112.30.97.184", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961546/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "112.30.97.184", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://112.30.97.184:44941/Mozi.m", + "threat.indicator.url.original": "http://112.30.97.184:44941/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 44941, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961547", + "abusech.url.larted": false, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z", - "threatintel.indicator.ip": "112.30.97.184", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961546/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "112.30.97.184", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://112.30.97.184:44941/Mozi.m", - "threatintel.indicator.url.original": "http://112.30.97.184:44941/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 44941, - "threatintel.indicator.url.scheme": "http" - 
}, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -87,30 +101,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961547", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:19:05.000Z", + "threat.indicator.ip": "113.110.198.53", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961547/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "113.110.198.53", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://113.110.198.53:37173/Mozi.m", + "threat.indicator.url.original": "http://113.110.198.53:37173/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 37173, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961545", + "abusech.url.larted": false, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:19:05.000Z", - "threatintel.indicator.ip": "113.110.198.53", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961547/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "113.110.198.53", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://113.110.198.53:37173/Mozi.m", - "threatintel.indicator.url.original": "http://113.110.198.53:37173/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 37173, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -124,30 +140,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961545", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:19:04.000Z", + "threat.indicator.ip": "101.20.183.170", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961545/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "101.20.183.170", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://101.20.183.170:47545/Mozi.m", + "threat.indicator.url.original": "http://101.20.183.170:47545/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 47545, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961544", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:19:04.000Z", - "threatintel.indicator.ip": "101.20.183.170", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961545/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "101.20.183.170", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://101.20.183.170:47545/Mozi.m", - "threatintel.indicator.url.original": "http://101.20.183.170:47545/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 47545, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -161,30 +179,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961544", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:07:07.000Z", + "threat.indicator.ip": "59.8.35.22", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961544/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "59.8.35.22", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://59.8.35.22:44782/Mozi.a", + "threat.indicator.url.original": "http://59.8.35.22:44782/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 44782, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961543", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:07:07.000Z", - "threatintel.indicator.ip": "59.8.35.22", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961544/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "59.8.35.22", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://59.8.35.22:44782/Mozi.a", - "threatintel.indicator.url.original": "http://59.8.35.22:44782/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 44782, - "threatintel.indicator.url.scheme": "http" - }, - { + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -198,30 +218,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961543",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:06.000Z",
+ "threat.indicator.ip": "59.96.37.35",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961543/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "59.96.37.35",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://59.96.37.35:44359/Mozi.a",
+ "threat.indicator.url.original": "http://59.96.37.35:44359/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 44359,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961540",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:06.000Z",
- "threatintel.indicator.ip": "59.96.37.35",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961543/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "59.96.37.35",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://59.96.37.35:44359/Mozi.a",
- "threatintel.indicator.url.original": "http://59.96.37.35:44359/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 44359,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -235,30 +257,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961540",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z",
+ "threat.indicator.ip": "42.239.233.17",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961540/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.239.233.17",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.239.233.17:56507/Mozi.m",
+ "threat.indicator.url.original": "http://42.239.233.17:56507/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 56507,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961541",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z",
- "threatintel.indicator.ip": "42.239.233.17",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961540/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.239.233.17",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.239.233.17:56507/Mozi.m",
- "threatintel.indicator.url.original": "http://42.239.233.17:56507/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 56507,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -272,30 +296,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961541",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z",
+ "threat.indicator.ip": "58.252.178.20",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961541/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "58.252.178.20",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://58.252.178.20:57562/Mozi.m",
+ "threat.indicator.url.original": "http://58.252.178.20:57562/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 57562,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961542",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z",
- "threatintel.indicator.ip": "58.252.178.20",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961541/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "58.252.178.20",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://58.252.178.20:57562/Mozi.m",
- "threatintel.indicator.url.original": "http://58.252.178.20:57562/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 57562,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -309,30 +335,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961542",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:05.000Z",
+ "threat.indicator.ip": "45.176.111.95",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961542/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "45.176.111.95",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://45.176.111.95:48845/Mozi.m",
+ "threat.indicator.url.original": "http://45.176.111.95:48845/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 48845,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961539",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:05.000Z",
- "threatintel.indicator.ip": "45.176.111.95",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961542/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "45.176.111.95",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://45.176.111.95:48845/Mozi.m",
- "threatintel.indicator.url.original": "http://45.176.111.95:48845/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 48845,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -346,30 +374,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961539",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:07:04.000Z",
+ "threat.indicator.ip": "42.224.68.97",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961539/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.224.68.97",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.224.68.97:58245/Mozi.m",
+ "threat.indicator.url.original": "http://42.224.68.97:58245/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 58245,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961538",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:07:04.000Z",
- "threatintel.indicator.ip": "42.224.68.97",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961539/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.224.68.97",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.224.68.97:58245/Mozi.m",
- "threatintel.indicator.url.original": "http://42.224.68.97:58245/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 58245,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -383,30 +413,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961538",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:08.000Z",
+ "threat.indicator.ip": "222.81.144.207",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961538/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "222.81.144.207",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://222.81.144.207:37198/Mozi.m",
+ "threat.indicator.url.original": "http://222.81.144.207:37198/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 37198,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961537",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:08.000Z",
- "threatintel.indicator.ip": "222.81.144.207",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961538/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "222.81.144.207",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://222.81.144.207:37198/Mozi.m",
- "threatintel.indicator.url.original": "http://222.81.144.207:37198/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 37198,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -420,30 +452,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961537",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:06.000Z",
+ "threat.indicator.ip": "182.127.185.137",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961537/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "182.127.185.137",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://182.127.185.137:33524/Mozi.m",
+ "threat.indicator.url.original": "http://182.127.185.137:33524/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 33524,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961531",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:06.000Z",
- "threatintel.indicator.ip": "182.127.185.137",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961537/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "182.127.185.137",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://182.127.185.137:33524/Mozi.m",
- "threatintel.indicator.url.original": "http://182.127.185.137:33524/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 33524,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -457,30 +491,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961531",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "39.84.175.185",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961531/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "39.84.175.185",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://39.84.175.185:48261/Mozi.a",
+ "threat.indicator.url.original": "http://39.84.175.185:48261/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 48261,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961532",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "39.84.175.185",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961531/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "39.84.175.185",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://39.84.175.185:48261/Mozi.a",
- "threatintel.indicator.url.original": "http://39.84.175.185:48261/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 48261,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -494,30 +530,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961532",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "27.41.11.238",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961532/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "27.41.11.238",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://27.41.11.238:34478/Mozi.m",
+ "threat.indicator.url.original": "http://27.41.11.238:34478/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 34478,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961533",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "27.41.11.238",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961532/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "27.41.11.238",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://27.41.11.238:34478/Mozi.m",
- "threatintel.indicator.url.original": "http://27.41.11.238:34478/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 34478,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -531,30 +569,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961533",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "182.127.133.68",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961533/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "182.127.133.68",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://182.127.133.68:35703/Mozi.a",
+ "threat.indicator.url.original": "http://182.127.133.68:35703/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 35703,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961534",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "182.127.133.68",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961533/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "182.127.133.68",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://182.127.133.68:35703/Mozi.a",
- "threatintel.indicator.url.original": "http://182.127.133.68:35703/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 35703,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -568,30 +608,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961534",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "27.46.44.102",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961534/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "27.46.44.102",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://27.46.44.102:48666/Mozi.m",
+ "threat.indicator.url.original": "http://27.46.44.102:48666/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 48666,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961535",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "27.46.44.102",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961534/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "27.46.44.102",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://27.46.44.102:48666/Mozi.m",
- "threatintel.indicator.url.original": "http://27.46.44.102:48666/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 48666,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -605,30 +647,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961535",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "39.70.88.65",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961535/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "39.70.88.65",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://39.70.88.65:53923/Mozi.m",
+ "threat.indicator.url.original": "http://39.70.88.65:53923/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 53923,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961536",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "39.70.88.65",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961535/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "39.70.88.65",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://39.70.88.65:53923/Mozi.m",
- "threatintel.indicator.url.original": "http://39.70.88.65:53923/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 53923,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -642,30 +686,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961536",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:06:05.000Z",
+ "threat.indicator.ip": "42.224.136.237",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961536/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.224.136.237",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.224.136.237:52794/Mozi.m",
+ "threat.indicator.url.original": "http://42.224.136.237:52794/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 52794,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961530",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:06:05.000Z",
- "threatintel.indicator.ip": "42.224.136.237",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961536/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.224.136.237",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.224.136.237:52794/Mozi.m",
- "threatintel.indicator.url.original": "http://42.224.136.237:52794/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 52794,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -679,30 +725,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961530",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:05:34.000Z",
+ "threat.indicator.ip": "117.208.135.63",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961530/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "117.208.135.63",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://117.208.135.63:49312/Mozi.a",
+ "threat.indicator.url.original": "http://117.208.135.63:49312/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 49312,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961525",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T21:05:34.000Z",
- "threatintel.indicator.ip": "117.208.135.63",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961530/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "117.208.135.63",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://117.208.135.63:49312/Mozi.a",
- "threatintel.indicator.url.original": "http://117.208.135.63:49312/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 49312,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -716,30 +764,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961525", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "125.47.66.60", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961525/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "125.47.66.60", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://125.47.66.60:38961/Mozi.m", + "threat.indicator.url.original": "http://125.47.66.60:38961/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 38961, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961526", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "125.47.66.60", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961525/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "125.47.66.60", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://125.47.66.60:38961/Mozi.m", - "threatintel.indicator.url.original": "http://125.47.66.60:38961/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 38961, - "threatintel.indicator.url.scheme": "http" - }, - { + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -753,30 +803,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961526", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "182.117.95.148", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961526/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.117.95.148", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://182.117.95.148:50420/Mozi.a", + "threat.indicator.url.original": "http://182.117.95.148:50420/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 50420, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961527", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "182.117.95.148", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961526/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.117.95.148", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://182.117.95.148:50420/Mozi.a", - "threatintel.indicator.url.original": "http://182.117.95.148:50420/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 50420, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -790,30 +842,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961527", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "117.202.71.48", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961527/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "117.202.71.48", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://117.202.71.48:55007/Mozi.m", + "threat.indicator.url.original": "http://117.202.71.48:55007/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 55007, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961528", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "117.202.71.48", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961527/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "117.202.71.48", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://117.202.71.48:55007/Mozi.m", - "threatintel.indicator.url.original": "http://117.202.71.48:55007/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 55007, - "threatintel.indicator.url.scheme": "http" - 
}, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -827,30 +881,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961528", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "125.99.132.118", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961528/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "125.99.132.118", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://125.99.132.118:51143/Mozi.m", + "threat.indicator.url.original": "http://125.99.132.118:51143/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 51143, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961529", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "125.99.132.118", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961528/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "125.99.132.118", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://125.99.132.118:51143/Mozi.m", - "threatintel.indicator.url.original": "http://125.99.132.118:51143/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 51143, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -864,30 +920,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961529", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:05:06.000Z", - "threatintel.indicator.ip": "182.114.123.69", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961529/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.114.123.69", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://182.114.123.69:41003/Mozi.m", - "threatintel.indicator.url.original": "http://182.114.123.69:41003/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 41003, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:05:06.000Z", + "threat.indicator.ip": "182.114.123.69", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961529/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.114.123.69", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://182.114.123.69:41003/Mozi.m", + "threat.indicator.url.original": "http://182.114.123.69:41003/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 41003, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961524", + "abusech.url.larted": false, + 
"abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -901,29 +958,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961524", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:38.000Z", - "threatintel.indicator.ip": "116.19.127.37", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961524/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "116.19.127.37", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://116.19.127.37:35739/Mozi.m", - "threatintel.indicator.url.original": "http://116.19.127.37:35739/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 35739, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:38.000Z", + "threat.indicator.ip": "116.19.127.37", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961524/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "116.19.127.37", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://116.19.127.37:35739/Mozi.m", + "threat.indicator.url.original": "http://116.19.127.37:35739/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 35739, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961523", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi" 
+ ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -937,29 +996,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961523", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:36.000Z", - "threatintel.indicator.ip": "42.239.253.55", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961523/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.239.253.55", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.239.253.55:45653/Mozi.m", - "threatintel.indicator.url.original": "http://42.239.253.55:45653/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 45653, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:36.000Z", + "threat.indicator.ip": "42.239.253.55", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961523/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.239.253.55", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.239.253.55:45653/Mozi.m", + "threat.indicator.url.original": "http://42.239.253.55:45653/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 45653, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961520", + "abusech.url.larted": false, + "abusech.url.tags": [ + "Mozi" 
+ ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -973,29 +1034,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961520", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", - "threatintel.indicator.ip": "103.217.121.228", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961520/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "103.217.121.228", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://103.217.121.228:41349/Mozi.m", - "threatintel.indicator.url.original": "http://103.217.121.228:41349/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 41349, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threat.indicator.ip": "103.217.121.228", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961520/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "103.217.121.228", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://103.217.121.228:41349/Mozi.m", + "threat.indicator.url.original": "http://103.217.121.228:41349/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 41349, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961521", + "abusech.url.larted": false, + 
"abusech.url.tags": [ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1009,29 +1072,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961521", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", - "threatintel.indicator.ip": "111.92.81.255", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961521/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "111.92.81.255", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://111.92.81.255:48586/Mozi.m", - "threatintel.indicator.url.original": "http://111.92.81.255:48586/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 48586, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threat.indicator.ip": "111.92.81.255", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961521/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "111.92.81.255", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://111.92.81.255:48586/Mozi.m", + "threat.indicator.url.original": "http://111.92.81.255:48586/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 48586, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961522", + "abusech.url.larted": false, + "abusech.url.tags": [ + 
"Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1045,29 +1110,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961522", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T21:04:33.000Z", - "threatintel.indicator.ip": "45.229.55.75", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961522/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "45.229.55.75", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://45.229.55.75:38111/Mozi.m", - "threatintel.indicator.url.original": "http://45.229.55.75:38111/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 38111, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:33.000Z", + "threat.indicator.ip": "45.229.55.75", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961522/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "45.229.55.75", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://45.229.55.75:38111/Mozi.m", + "threat.indicator.url.original": "http://45.229.55.75:38111/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 38111, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961518", + "abusech.url.larted": true, + "abusech.url.tags": [ + "Mozi" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1081,29 +1148,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961518", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z", - "threatintel.indicator.ip": "182.121.242.148", - "threatintel.indicator.provider": "Gandylyan1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961518/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.121.242.148", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://182.121.242.148:34556/Mozi.m", - "threatintel.indicator.url.original": "http://182.121.242.148:34556/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34556, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:10.000Z", + "threat.indicator.ip": "182.121.242.148", + "threat.indicator.provider": "Gandylyan1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961518/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.121.242.148", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://182.121.242.148:34556/Mozi.m", + "threat.indicator.url.original": "http://182.121.242.148:34556/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34556, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961519", + "abusech.url.larted": true, + 
"abusech.url.tags": [ + "Mozi", + "elf" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1117,30 +1187,33 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961519", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:10.000Z", - "threatintel.indicator.ip": "106.115.189.249", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961519/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "106.115.189.249", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://106.115.189.249:59815/Mozi.m", - "threatintel.indicator.url.original": "http://106.115.189.249:59815/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 59815, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:10.000Z", + "threat.indicator.ip": "106.115.189.249", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961519/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "106.115.189.249", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://106.115.189.249:59815/Mozi.m", + "threat.indicator.url.original": "http://106.115.189.249:59815/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 59815, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961516", + "abusech.url.larted": true, + 
"abusech.url.tags": [ + "32-bit", + "elf", + "mips" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1154,31 +1227,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961516", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "32-bit", - "elf", - "mips" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z", - "threatintel.indicator.ip": "182.117.93.110", - "threatintel.indicator.provider": "geenensp", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961516/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "182.117.93.110", - "threatintel.indicator.url.extension": "sh", - "threatintel.indicator.url.full": "http://182.117.93.110:50587/bin.sh", - "threatintel.indicator.url.original": "http://182.117.93.110:50587/bin.sh", - "threatintel.indicator.url.path": "/bin.sh", - "threatintel.indicator.url.port": 50587, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:08.000Z", + "threat.indicator.ip": "182.117.93.110", + "threat.indicator.provider": "geenensp", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961516/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "182.117.93.110", + "threat.indicator.url.extension": "sh", + "threat.indicator.url.full": "http://182.117.93.110:50587/bin.sh", + "threat.indicator.url.original": "http://182.117.93.110:50587/bin.sh", + "threat.indicator.url.path": "/bin.sh", + "threat.indicator.url.port": 50587, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961517", + "abusech.url.larted": true, + 
"abusech.url.tags": [ + "Mozi", + "elf" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1192,30 +1266,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961517", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T21:04:08.000Z", - "threatintel.indicator.ip": "110.251.5.169", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961517/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "110.251.5.169", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://110.251.5.169:48322/Mozi.m", - "threatintel.indicator.url.original": "http://110.251.5.169:48322/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 48322, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T21:04:08.000Z", + "threat.indicator.ip": "110.251.5.169", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961517/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "110.251.5.169", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://110.251.5.169:48322/Mozi.m", + "threat.indicator.url.original": "http://110.251.5.169:48322/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 48322, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961515", + "abusech.url.larted": true, + "abusech.url.tags": 
[ + "Mozi" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1229,29 +1304,31 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961515",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:06.000Z",
- "threatintel.indicator.ip": "101.51.117.186",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961515/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "101.51.117.186",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://101.51.117.186:33317/Mozi.m",
- "threatintel.indicator.url.original": "http://101.51.117.186:33317/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 33317,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:06.000Z",
+ "threat.indicator.ip": "101.51.117.186",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961515/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "101.51.117.186",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://101.51.117.186:33317/Mozi.m",
+ "threat.indicator.url.original": "http://101.51.117.186:33317/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 33317,
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961513",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1265,29 +1342,31 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961513",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z",
- "threatintel.indicator.ip": "121.151.78.166",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961513/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "121.151.78.166",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://121.151.78.166:41516/Mozi.m",
- "threatintel.indicator.url.original": "http://121.151.78.166:41516/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 41516,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:05.000Z",
+ "threat.indicator.ip": "121.151.78.166",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961513/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "121.151.78.166",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://121.151.78.166:41516/Mozi.m",
+ "threat.indicator.url.original": "http://121.151.78.166:41516/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 41516,
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961514",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1301,29 +1380,31 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961514",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:05.000Z",
- "threatintel.indicator.ip": "116.72.92.97",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961514/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "116.72.92.97",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://116.72.92.97:57798/Mozi.m",
- "threatintel.indicator.url.original": "http://116.72.92.97:57798/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 57798,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:05.000Z",
+ "threat.indicator.ip": "116.72.92.97",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961514/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "116.72.92.97",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://116.72.92.97:57798/Mozi.m",
+ "threat.indicator.url.original": "http://116.72.92.97:57798/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 57798,
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961509",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1337,29 +1418,31 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961509",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
- "threatintel.indicator.ip": "27.218.15.209",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961509/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "27.218.15.209",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://27.218.15.209:47671/Mozi.m",
- "threatintel.indicator.url.original": "http://27.218.15.209:47671/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 47671,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threat.indicator.ip": "27.218.15.209",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961509/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "27.218.15.209",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://27.218.15.209:47671/Mozi.m",
+ "threat.indicator.url.original": "http://27.218.15.209:47671/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 47671,
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961510",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1373,29 +1456,33 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961510",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
- "threatintel.indicator.ip": "120.85.171.210",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961510/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "120.85.171.210",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://120.85.171.210:57690/Mozi.m",
- "threatintel.indicator.url.original": "http://120.85.171.210:57690/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 57690,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threat.indicator.ip": "120.85.171.210",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961510/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "120.85.171.210",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://120.85.171.210:57690/Mozi.m",
+ "threat.indicator.url.original": "http://120.85.171.210:57690/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 57690,
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961511",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "32-bit",
+ "elf",
+ "mips"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1409,30 +1496,30 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961511",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "32-bit",
- "elf",
- "mips"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
- "threatintel.indicator.ip": "117.251.59.53",
- "threatintel.indicator.provider": "geenensp",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961511/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "117.251.59.53",
- "threatintel.indicator.url.full": "http://117.251.59.53:50611/i",
- "threatintel.indicator.url.original": "http://117.251.59.53:50611/i",
- "threatintel.indicator.url.path": "/i",
- "threatintel.indicator.url.port": 50611,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threat.indicator.ip": "117.251.59.53",
+ "threat.indicator.provider": "geenensp",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961511/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "117.251.59.53",
+ "threat.indicator.url.full": "http://117.251.59.53:50611/i",
+ "threat.indicator.url.original": "http://117.251.59.53:50611/i",
+ "threat.indicator.url.path": "/i",
+ "threat.indicator.url.port": 50611,
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961512",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1446,29 +1533,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961512",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
- "Mozi"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T21:04:04.000Z",
- "threatintel.indicator.ip": "115.58.83.167",
- "threatintel.indicator.provider": "Gandylyan1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961512/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "115.58.83.167",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://115.58.83.167:34141/Mozi.m",
- "threatintel.indicator.url.original": "http://115.58.83.167:34141/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 34141,
- "threatintel.indicator.url.scheme": "http"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T21:04:04.000Z",
+ "threat.indicator.ip": "115.58.83.167",
+ "threat.indicator.provider": "Gandylyan1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961512/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "115.58.83.167",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://115.58.83.167:34141/Mozi.m",
+ "threat.indicator.url.original": "http://115.58.83.167:34141/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 34141,
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961507",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
+ "Mozi",
+ "elf"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1482,30 +1572,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961507",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:08.000Z",
+ "threat.indicator.ip": "94.178.124.83",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961507/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "94.178.124.83",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://94.178.124.83:44399/Mozi.m",
+ "threat.indicator.url.original": "http://94.178.124.83:44399/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 44399,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961508",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z",
- "threatintel.indicator.ip": "94.178.124.83",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961507/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "94.178.124.83",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://94.178.124.83:44399/Mozi.m",
- "threatintel.indicator.url.original": "http://94.178.124.83:44399/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 44399,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1519,30 +1611,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961508",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:08.000Z",
+ "threat.indicator.ip": "182.122.75.232",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961508/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "182.122.75.232",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://182.122.75.232:49120/Mozi.m",
+ "threat.indicator.url.original": "http://182.122.75.232:49120/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 49120,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961506",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:08.000Z",
- "threatintel.indicator.ip": "182.122.75.232",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961508/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "182.122.75.232",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://182.122.75.232:49120/Mozi.m",
- "threatintel.indicator.url.original": "http://182.122.75.232:49120/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 49120,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1556,30 +1650,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961506",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:07.000Z",
+ "threat.indicator.ip": "115.63.202.43",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961506/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "115.63.202.43",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://115.63.202.43:51136/Mozi.m",
+ "threat.indicator.url.original": "http://115.63.202.43:51136/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 51136,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961504",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:07.000Z",
- "threatintel.indicator.ip": "115.63.202.43",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961506/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "115.63.202.43",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://115.63.202.43:51136/Mozi.m",
- "threatintel.indicator.url.original": "http://115.63.202.43:51136/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 51136,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1593,30 +1689,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961504",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:06.000Z",
+ "threat.indicator.ip": "59.99.40.204",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961504/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "59.99.40.204",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://59.99.40.204:45773/Mozi.m",
+ "threat.indicator.url.original": "http://59.99.40.204:45773/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 45773,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961505",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z",
- "threatintel.indicator.ip": "59.99.40.204",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961504/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "59.99.40.204",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://59.99.40.204:45773/Mozi.m",
- "threatintel.indicator.url.original": "http://59.99.40.204:45773/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 45773,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1630,30 +1728,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961505",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:06.000Z",
+ "threat.indicator.ip": "117.247.128.213",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961505/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "117.247.128.213",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://117.247.128.213:56528/Mozi.m",
+ "threat.indicator.url.original": "http://117.247.128.213:56528/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 56528,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961500",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:06.000Z",
- "threatintel.indicator.ip": "117.247.128.213",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961505/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "117.247.128.213",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://117.247.128.213:56528/Mozi.m",
- "threatintel.indicator.url.original": "http://117.247.128.213:56528/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 56528,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1667,30 +1767,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961500",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z",
+ "threat.indicator.ip": "14.137.219.132",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961500/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "14.137.219.132",
+ "threat.indicator.url.extension": "a",
+ "threat.indicator.url.full": "http://14.137.219.132:44427/Mozi.a",
+ "threat.indicator.url.original": "http://14.137.219.132:44427/Mozi.a",
+ "threat.indicator.url.path": "/Mozi.a",
+ "threat.indicator.url.port": 44427,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961501",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z",
- "threatintel.indicator.ip": "14.137.219.132",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961500/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "14.137.219.132",
- "threatintel.indicator.url.extension": "a",
- "threatintel.indicator.url.full": "http://14.137.219.132:44427/Mozi.a",
- "threatintel.indicator.url.original": "http://14.137.219.132:44427/Mozi.a",
- "threatintel.indicator.url.path": "/Mozi.a",
- "threatintel.indicator.url.port": 44427,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1704,30 +1806,32 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961501",
- "threatintel.abuseurl.larted": true,
- "threatintel.abuseurl.tags": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z",
+ "threat.indicator.ip": "42.224.40.14",
+ "threat.indicator.provider": "lrz_urlhaus",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961501/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "42.224.40.14",
+ "threat.indicator.url.extension": "m",
+ "threat.indicator.url.full": "http://42.224.40.14:36134/Mozi.m",
+ "threat.indicator.url.original": "http://42.224.40.14:36134/Mozi.m",
+ "threat.indicator.url.path": "/Mozi.m",
+ "threat.indicator.url.port": 36134,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961502",
+ "abusech.url.larted": true,
+ "abusech.url.tags": [
 "Mozi",
 "elf"
 ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "online",
- "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z",
- "threatintel.indicator.ip": "42.224.40.14",
- "threatintel.indicator.provider": "lrz_urlhaus",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961501/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "42.224.40.14",
- "threatintel.indicator.url.extension": "m",
- "threatintel.indicator.url.full": "http://42.224.40.14:36134/Mozi.m",
- "threatintel.indicator.url.original": "http://42.224.40.14:36134/Mozi.m",
- "threatintel.indicator.url.path": "/Mozi.m",
- "threatintel.indicator.url.port": 36134,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "online",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -1741,30 +1845,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961502", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threat.indicator.ip": "186.33.104.107", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961502/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "186.33.104.107", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://186.33.104.107:43973/Mozi.m", + "threat.indicator.url.original": "http://186.33.104.107:43973/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 43973, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961503", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", - "threatintel.indicator.ip": "186.33.104.107", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961502/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "186.33.104.107", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://186.33.104.107:43973/Mozi.m", - "threatintel.indicator.url.original": "http://186.33.104.107:43973/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 43973, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1778,30 +1884,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961503", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:05.000Z", + "threat.indicator.ip": "85.105.16.154", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961503/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "85.105.16.154", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://85.105.16.154:41319/Mozi.m", + "threat.indicator.url.original": "http://85.105.16.154:41319/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 41319, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961496", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:05.000Z", - "threatintel.indicator.ip": "85.105.16.154", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961503/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "85.105.16.154", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://85.105.16.154:41319/Mozi.m", - "threatintel.indicator.url.original": "http://85.105.16.154:41319/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 41319, - "threatintel.indicator.url.scheme": "http" 
- }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1815,30 +1923,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961496", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "178.141.73.115", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961496/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "178.141.73.115", + "threat.indicator.url.extension": "a", + "threat.indicator.url.full": "http://178.141.73.115:51847/Mozi.a", + "threat.indicator.url.original": "http://178.141.73.115:51847/Mozi.a", + "threat.indicator.url.path": "/Mozi.a", + "threat.indicator.url.port": 51847, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961497", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "178.141.73.115", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961496/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "178.141.73.115", - "threatintel.indicator.url.extension": "a", - "threatintel.indicator.url.full": "http://178.141.73.115:51847/Mozi.a", - "threatintel.indicator.url.original": "http://178.141.73.115:51847/Mozi.a", - "threatintel.indicator.url.path": "/Mozi.a", - "threatintel.indicator.url.port": 51847, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1852,30 +1962,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961497", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "186.33.104.135", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961497/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "186.33.104.135", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://186.33.104.135:54469/Mozi.m", + "threat.indicator.url.original": "http://186.33.104.135:54469/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 54469, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961498", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "186.33.104.135", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961497/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "186.33.104.135", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://186.33.104.135:54469/Mozi.m", - "threatintel.indicator.url.original": "http://186.33.104.135:54469/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 54469, - "threatintel.indicator.url.scheme": 
"http" - }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1889,30 +2001,32 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961498", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "115.56.159.43", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961498/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "115.56.159.43", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://115.56.159.43:34547/Mozi.m", + "threat.indicator.url.original": "http://115.56.159.43:34547/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 34547, + "threat.indicator.url.scheme": "http" + }, + { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961499", + "abusech.url.larted": true, + "abusech.url.tags": [ "Mozi", "elf" ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "115.56.159.43", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961498/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "115.56.159.43", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://115.56.159.43:34547/Mozi.m", - "threatintel.indicator.url.original": "http://115.56.159.43:34547/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 34547, - "threatintel.indicator.url.scheme": "http" 
- }, - { + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "online", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1926,30 +2040,31 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961499", - "threatintel.abuseurl.larted": true, - "threatintel.abuseurl.tags": [ - "Mozi", - "elf" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "online", - "threatintel.indicator.first_seen": "2021-01-14T20:52:04.000Z", - "threatintel.indicator.ip": "42.230.138.170", - "threatintel.indicator.provider": "lrz_urlhaus", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961499/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "42.230.138.170", - "threatintel.indicator.url.extension": "m", - "threatintel.indicator.url.full": "http://42.230.138.170:33932/Mozi.m", - "threatintel.indicator.url.original": "http://42.230.138.170:33932/Mozi.m", - "threatintel.indicator.url.path": "/Mozi.m", - "threatintel.indicator.url.port": 33932, - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:52:04.000Z", + "threat.indicator.ip": "42.230.138.170", + "threat.indicator.provider": "lrz_urlhaus", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961499/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "42.230.138.170", + "threat.indicator.url.extension": "m", + "threat.indicator.url.full": "http://42.230.138.170:33932/Mozi.m", + "threat.indicator.url.original": "http://42.230.138.170:33932/Mozi.m", + "threat.indicator.url.path": "/Mozi.m", + "threat.indicator.url.port": 33932, + "threat.indicator.url.scheme": "http" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961494", + "abusech.url.larted": false, + 
"abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1963,27 +2078,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961494", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961494/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://univirtek.com/viro/02478080035/blank.jpg", - "threatintel.indicator.url.original": "https://univirtek.com/viro/02478080035/blank.jpg", - "threatintel.indicator.url.path": "/viro/02478080035/blank.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:47.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961494/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://univirtek.com/viro/02478080035/blank.jpg", + "threat.indicator.url.original": "https://univirtek.com/viro/02478080035/blank.jpg", + "threat.indicator.url.path": "/viro/02478080035/blank.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961495", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -1997,27 +2114,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961495", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:47.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961495/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", - "threatintel.indicator.url.original": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", - "threatintel.indicator.url.path": "/viro/FRRNDR77C25D325O/map.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:47.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961495/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", + "threat.indicator.url.original": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", + "threat.indicator.url.path": "/viro/FRRNDR77C25D325O/map.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961492", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2031,27 +2150,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961492", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961492/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", - "threatintel.indicator.url.path": "/ladi/CNNSRG83H04F158R/blank.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:45.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961492/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", + "threat.indicator.url.path": "/ladi/CNNSRG83H04F158R/blank.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961493", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], 
+ "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2065,27 +2186,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961493", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:45.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961493/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/02328510512/logo.css", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/02328510512/logo.css", - "threatintel.indicator.url.path": "/leto/02328510512/logo.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:45.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961493/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://letonguesc.com/leto/02328510512/logo.css", + "threat.indicator.url.original": "https://letonguesc.com/leto/02328510512/logo.css", + "threat.indicator.url.path": "/leto/02328510512/logo.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961490", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2099,27 +2222,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961490", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961490/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", - "threatintel.indicator.url.original": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", - "threatintel.indicator.url.path": "/minu/MLILSN74B21E507L/uk.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:44.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961490/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", + "threat.indicator.url.original": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", + "threat.indicator.url.path": "/minu/MLILSN74B21E507L/uk.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961491", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2133,27 +2258,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961491", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:44.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961491/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://cxminute.com/minu/12875710159/blank.css", - "threatintel.indicator.url.original": "https://cxminute.com/minu/12875710159/blank.css", - "threatintel.indicator.url.path": "/minu/12875710159/blank.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:44.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961491/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://cxminute.com/minu/12875710159/blank.css", + "threat.indicator.url.original": "https://cxminute.com/minu/12875710159/blank.css", + "threat.indicator.url.path": "/minu/12875710159/blank.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961489", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2167,27 +2294,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961489", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:41.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961489/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", - "threatintel.indicator.url.original": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", - "threatintel.indicator.url.path": "/minu/CPNLNZ65M20A200N/maps.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:41.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961489/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", + "threat.indicator.url.original": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", + "threat.indicator.url.path": "/minu/CPNLNZ65M20A200N/maps.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961488", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2201,27 +2330,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961488", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:51:40.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961488/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", - "threatintel.indicator.url.path": "/bella/DLPCMN64D02D789E/logo.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:51:40.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961488/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", + "threat.indicator.url.original": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", + "threat.indicator.url.path": "/bella/DLPCMN64D02D789E/logo.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961487", + "abusech.url.larted": false, + 
"abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2235,27 +2366,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961487",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:17.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961487/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01844510469/1x1.jpg",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01844510469/1x1.jpg",
- "threatintel.indicator.url.path": "/bella/01844510469/1x1.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:17.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961487/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/01844510469/1x1.jpg",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/01844510469/1x1.jpg",
+ "threat.indicator.url.path": "/bella/01844510469/1x1.jpg",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961485",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2269,27 +2402,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961485",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961485/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ladiesincode.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css",
- "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css",
- "threatintel.indicator.url.path": "/ladi/FRRDNI52M71E522D/logo.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:16.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961485/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ladiesincode.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css",
+ "threat.indicator.url.original": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css",
+ "threat.indicator.url.path": "/ladi/FRRDNI52M71E522D/logo.css",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961486",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2303,27 +2438,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961486",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:16.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961486/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "letonguesc.com",
- "threatintel.indicator.url.extension": "gif",
- "threatintel.indicator.url.full": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif",
- "threatintel.indicator.url.original": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif",
- "threatintel.indicator.url.path": "/leto/CPPMRC65E04H980Q/it.gif",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:16.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961486/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "letonguesc.com",
+ "threat.indicator.url.extension": "gif",
+ "threat.indicator.url.full": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif",
+ "threat.indicator.url.original": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif",
+ "threat.indicator.url.path": "/leto/CPPMRC65E04H980Q/it.gif",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961482",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2337,27 +2474,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961482",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961482/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/06389650018/it.css",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/06389650018/it.css",
- "threatintel.indicator.url.path": "/viro/06389650018/it.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961482/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://univirtek.com/viro/06389650018/it.css",
+ "threat.indicator.url.original": "https://univirtek.com/viro/06389650018/it.css",
+ "threat.indicator.url.path": "/viro/06389650018/it.css",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961483",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2371,27 +2510,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961483",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961483/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png",
- "threatintel.indicator.url.path": "/bella/CRSRRT61E15H501H/logo.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961483/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png",
+ "threat.indicator.url.path": "/bella/CRSRRT61E15H501H/logo.png",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961484",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2405,27 +2546,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961484",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:15.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961484/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg",
- "threatintel.indicator.url.path": "/minu/SMPMSM67P05F205U/it.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:15.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961484/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg",
+ "threat.indicator.url.original": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg",
+ "threat.indicator.url.path": "/minu/SMPMSM67P05F205U/it.jpg",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961480",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2439,27 +2582,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961480",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961480/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png",
- "threatintel.indicator.url.path": "/viro/SBNPQL78A24A783E/uk.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:13.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961480/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png",
+ "threat.indicator.url.original": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png",
+ "threat.indicator.url.path": "/viro/SBNPQL78A24A783E/uk.png",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961481",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2473,27 +2618,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961481",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:13.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961481/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/15578761007/maps.jpg",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/15578761007/maps.jpg",
- "threatintel.indicator.url.path": "/minu/15578761007/maps.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:13.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961481/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://cxminute.com/minu/15578761007/maps.jpg",
+ "threat.indicator.url.original": "https://cxminute.com/minu/15578761007/maps.jpg",
+ "threat.indicator.url.path": "/minu/15578761007/maps.jpg",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961478",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2507,27 +2654,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961478",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961478/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "univirtek.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://univirtek.com/viro/03079590133/1x1.png",
- "threatintel.indicator.url.original": "https://univirtek.com/viro/03079590133/1x1.png",
- "threatintel.indicator.url.path": "/viro/03079590133/1x1.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:10.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961478/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "univirtek.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://univirtek.com/viro/03079590133/1x1.png",
+ "threat.indicator.url.original": "https://univirtek.com/viro/03079590133/1x1.png",
+ "threat.indicator.url.path": "/viro/03079590133/1x1.png",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961479",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2541,27 +2690,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961479",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:51:10.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961479/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ladiesincode.com",
- "threatintel.indicator.url.extension": "gif",
- "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif",
- "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif",
- "threatintel.indicator.url.path": "/ladi/BNCLNR77T56M082U/it.gif",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:51:10.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961479/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ladiesincode.com",
+ "threat.indicator.url.extension": "gif",
+ "threat.indicator.url.full": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif",
+ "threat.indicator.url.original": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif",
+ "threat.indicator.url.path": "/ladi/BNCLNR77T56M082U/it.gif",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961476",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2575,27 +2726,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961476",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961476/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "css",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css",
- "threatintel.indicator.url.path": "/minu/JNKMTJ64B29L424O/uk.css",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:45.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961476/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "css",
+ "threat.indicator.url.full": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css",
+ "threat.indicator.url.original": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css",
+ "threat.indicator.url.path": "/minu/JNKMTJ64B29L424O/uk.css",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961477",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2609,27 +2762,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961477",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:45.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961477/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "belfetproduction.com",
- "threatintel.indicator.url.extension": "png",
- "threatintel.indicator.url.full": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png",
- "threatintel.indicator.url.original": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png",
- "threatintel.indicator.url.path": "/bella/PGNMRA64S22I608Z/en.png",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:45.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961477/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "belfetproduction.com",
+ "threat.indicator.url.extension": "png",
+ "threat.indicator.url.full": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png",
+ "threat.indicator.url.original": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png",
+ "threat.indicator.url.path": "/bella/PGNMRA64S22I608Z/en.png",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961470",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2643,27 +2798,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961470",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961470/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "cxminute.com",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg",
- "threatintel.indicator.url.original": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg",
- "threatintel.indicator.url.path": "/minu/RZKDRD77T23Z229T/logo.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961470/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "cxminute.com",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg",
+ "threat.indicator.url.original": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg",
+ "threat.indicator.url.path": "/minu/RZKDRD77T23Z229T/logo.jpg",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961471",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2677,27 +2834,29 @@
 "forwarded",
 "threatintel-abuseurls"
 ],
- "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed",
- "threatintel.abuseurl.blacklists.surbl": "not listed",
- "threatintel.abuseurl.id": "961471",
- "threatintel.abuseurl.larted": false,
- "threatintel.abuseurl.tags": [
- "sLoad"
- ],
- "threatintel.abuseurl.threat": "malware_download",
- "threatintel.abuseurl.url_status": "offline",
- "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z",
- "threatintel.indicator.provider": "Cryptolaemus1",
- "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961471/",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "fhivelifestyle.online",
- "threatintel.indicator.url.extension": "jpg",
- "threatintel.indicator.url.full": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg",
- "threatintel.indicator.url.original": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg",
- "threatintel.indicator.url.path": "/nhbrwvdffsgt/adf/maps.jpg",
- "threatintel.indicator.url.scheme": "https"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH URL",
+ "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z",
+ "threat.indicator.provider": "Cryptolaemus1",
+ "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961471/",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "fhivelifestyle.online",
+ "threat.indicator.url.extension": "jpg",
+ "threat.indicator.url.full": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg",
+ "threat.indicator.url.original": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg",
+ "threat.indicator.url.path": "/nhbrwvdffsgt/adf/maps.jpg",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "abusech.url.blacklists.spamhaus_dbl": "not listed",
+ "abusech.url.blacklists.surbl": "not listed",
+ "abusech.url.id": "961472",
+ "abusech.url.larted": false,
+ "abusech.url.tags": [
+ "sLoad"
+ ],
+ "abusech.url.threat": "malware_download",
+ "abusech.url.url_status": "offline",
 "event.category": "threat",
 "event.dataset": "threatintel.abuseurl",
 "event.kind": "enrichment",
@@ -2711,27 +2870,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961472", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961472/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/05739900487/1x1.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/05739900487/1x1.css", - "threatintel.indicator.url.path": "/bella/05739900487/1x1.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961472/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/05739900487/1x1.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/05739900487/1x1.css", + "threat.indicator.url.path": "/bella/05739900487/1x1.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961473", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2745,27 +2906,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961473", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961473/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01767180597/map.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01767180597/map.css", - "threatintel.indicator.url.path": "/bella/01767180597/map.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961473/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/01767180597/map.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/01767180597/map.css", + "threat.indicator.url.path": "/bella/01767180597/map.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961474", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2779,27 +2942,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961474", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961474/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", - "threatintel.indicator.url.path": "/bella/BRNGRG55D21F394K/map.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961474/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", + "threat.indicator.url.path": "/bella/BRNGRG55D21F394K/map.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961475", + "abusech.url.larted": false, + "abusech.url.tags": 
[ + "sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2813,27 +2978,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961475", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:43.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961475/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", - "threatintel.indicator.url.original": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", - "threatintel.indicator.url.path": "/minu/DLLTZN67L20L157J/1x1.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:43.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961475/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", + "threat.indicator.url.original": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", + "threat.indicator.url.path": "/minu/DLLTZN67L20L157J/1x1.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961468", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2847,27 +3014,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961468", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961468/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://cxminute.com/minu/08035410722/logo.jpg", - "threatintel.indicator.url.original": "https://cxminute.com/minu/08035410722/logo.jpg", - "threatintel.indicator.url.path": "/minu/08035410722/logo.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:38.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961468/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://cxminute.com/minu/08035410722/logo.jpg", + "threat.indicator.url.original": "https://cxminute.com/minu/08035410722/logo.jpg", + "threat.indicator.url.path": "/minu/08035410722/logo.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961469", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2881,27 +3050,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961469", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:38.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961469/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", - "threatintel.indicator.url.path": "/viro/GRNZEI60M13G346L/en.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:38.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961469/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", + "threat.indicator.url.original": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", + "threat.indicator.url.path": "/viro/GRNZEI60M13G346L/en.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961467", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2915,27 +3086,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961467", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:13.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961467/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/03253350239/1x1.png", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/03253350239/1x1.png", - "threatintel.indicator.url.path": "/leto/03253350239/1x1.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:13.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961467/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://letonguesc.com/leto/03253350239/1x1.png", + "threat.indicator.url.original": "https://letonguesc.com/leto/03253350239/1x1.png", + "threat.indicator.url.path": "/leto/03253350239/1x1.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961464", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2949,27 +3122,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961464", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961464/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/10582470158/uk.css", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/10582470158/uk.css", - "threatintel.indicator.url.path": "/ladi/10582470158/uk.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961464/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/10582470158/uk.css", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/10582470158/uk.css", + "threat.indicator.url.path": "/ladi/10582470158/uk.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961465", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -2983,27 +3158,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961465", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961465/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", - "threatintel.indicator.url.path": "/ladi/BTTLNZ68A56D325C/map.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961465/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", + "threat.indicator.url.path": "/ladi/BTTLNZ68A56D325C/map.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961466", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + 
"abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3017,27 +3194,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961466", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:09.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961466/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", - "threatintel.indicator.url.path": "/leto/NNTLRT68P28A717L/en.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:09.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961466/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", + "threat.indicator.url.original": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", + "threat.indicator.url.path": "/leto/NNTLRT68P28A717L/en.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961461", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3051,27 +3230,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961461", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961461/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", - "threatintel.indicator.url.original": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", - "threatintel.indicator.url.path": "/viro/CTTNDR89A19B149W/maps.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961461/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", + "threat.indicator.url.original": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", + "threat.indicator.url.path": "/viro/CTTNDR89A19B149W/maps.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961462", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3085,27 +3266,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961462", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961462/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", - "threatintel.indicator.url.original": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", - "threatintel.indicator.url.path": "/minu/DRSNTN77B16I197U/logo.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961462/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", + "threat.indicator.url.original": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", + "threat.indicator.url.path": "/minu/DRSNTN77B16I197U/logo.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961463", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3119,27 +3302,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961463", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:08.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961463/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/02941830735/uk.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/02941830735/uk.css", - "threatintel.indicator.url.path": "/viro/02941830735/uk.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:08.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961463/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/02941830735/uk.css", + "threat.indicator.url.original": "https://univirtek.com/viro/02941830735/uk.css", + "threat.indicator.url.path": "/viro/02941830735/uk.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961458", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3153,27 +3338,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961458", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961458/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", - "threatintel.indicator.url.path": "/bella/MNSGCM91A04G240K/it.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961458/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", + "threat.indicator.url.original": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", + "threat.indicator.url.path": "/bella/MNSGCM91A04G240K/it.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961459", + "abusech.url.larted": false, + "abusech.url.tags": [ + 
"sLoad" + ], + "abusech.url.threat": "malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3187,27 +3374,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961459", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961459/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ladiesincode.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/03108100615/it.jpg", - "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/03108100615/it.jpg", - "threatintel.indicator.url.path": "/ladi/03108100615/it.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961459/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ladiesincode.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://ladiesincode.com/ladi/03108100615/it.jpg", + "threat.indicator.url.original": "https://ladiesincode.com/ladi/03108100615/it.jpg", + "threat.indicator.url.path": "/ladi/03108100615/it.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961460", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3221,27 +3410,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961460", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:50:07.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961460/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", - "threatintel.indicator.url.original": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", - "threatintel.indicator.url.path": "/minu/PTACSM56A31F604X/en.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:50:07.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961460/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", + "threat.indicator.url.original": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", + "threat.indicator.url.path": "/minu/PTACSM56A31F604X/en.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961455", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3255,27 +3446,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961455", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961455/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://univirtek.com/viro/00183050368/en.gif", - "threatintel.indicator.url.original": "https://univirtek.com/viro/00183050368/en.gif", - "threatintel.indicator.url.path": "/viro/00183050368/en.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961455/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://univirtek.com/viro/00183050368/en.gif", + "threat.indicator.url.original": "https://univirtek.com/viro/00183050368/en.gif", + "threat.indicator.url.path": "/viro/00183050368/en.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961456", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3289,27 +3482,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961456", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961456/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", - "threatintel.indicator.url.original": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", - "threatintel.indicator.url.path": "/minu/TSNLSN58H30G912H/uk.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961456/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", + "threat.indicator.url.original": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", + "threat.indicator.url.path": "/minu/TSNLSN58H30G912H/uk.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961457", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3323,27 +3518,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961457", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:39.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961457/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "letonguesc.com", - "threatintel.indicator.url.extension": "gif", - "threatintel.indicator.url.full": "https://letonguesc.com/leto/08658331007/blank.gif", - "threatintel.indicator.url.original": "https://letonguesc.com/leto/08658331007/blank.gif", - "threatintel.indicator.url.path": "/leto/08658331007/blank.gif", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:39.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961457/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "letonguesc.com", + "threat.indicator.url.extension": "gif", + "threat.indicator.url.full": "https://letonguesc.com/leto/08658331007/blank.gif", + "threat.indicator.url.original": "https://letonguesc.com/leto/08658331007/blank.gif", + "threat.indicator.url.path": "/leto/08658331007/blank.gif", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961450", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3357,27 +3554,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961450", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961450/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cxminute.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://cxminute.com/minu/01098910324/blank.png", - "threatintel.indicator.url.original": "https://cxminute.com/minu/01098910324/blank.png", - "threatintel.indicator.url.path": "/minu/01098910324/blank.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961450/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cxminute.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://cxminute.com/minu/01098910324/blank.png", + "threat.indicator.url.original": "https://cxminute.com/minu/01098910324/blank.png", + "threat.indicator.url.path": "/minu/01098910324/blank.png", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961451", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3391,27 +3590,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961451", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961451/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/02794390233/uk.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/02794390233/uk.css", - "threatintel.indicator.url.path": "/viro/02794390233/uk.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961451/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/02794390233/uk.css", + "threat.indicator.url.original": "https://univirtek.com/viro/02794390233/uk.css", + "threat.indicator.url.path": "/viro/02794390233/uk.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961452", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3425,27 +3626,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961452", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961452/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "css", - "threatintel.indicator.url.full": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", - "threatintel.indicator.url.original": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", - "threatintel.indicator.url.path": "/viro/CSTDNT69D63F754D/en.css", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961452/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "css", + "threat.indicator.url.full": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", + "threat.indicator.url.original": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", + "threat.indicator.url.path": "/viro/CSTDNT69D63F754D/en.css", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961453", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3459,27 +3662,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961453", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961453/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", - "threatintel.indicator.url.original": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", - "threatintel.indicator.url.path": "/viro/GSTGNE91B06L219W/1x1.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961453/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", + "threat.indicator.url.original": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", + "threat.indicator.url.path": "/viro/GSTGNE91B06L219W/1x1.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961454", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": 
"malware_download", + "abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", 
@@ -3493,27 +3698,29 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961454", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:37.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961454/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "univirtek.com", - "threatintel.indicator.url.extension": "jpg", - "threatintel.indicator.url.full": "https://univirtek.com/viro/03610140125/map.jpg", - "threatintel.indicator.url.original": "https://univirtek.com/viro/03610140125/map.jpg", - "threatintel.indicator.url.path": "/viro/03610140125/map.jpg", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:37.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961454/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "univirtek.com", + "threat.indicator.url.extension": "jpg", + "threat.indicator.url.full": "https://univirtek.com/viro/03610140125/map.jpg", + "threat.indicator.url.original": "https://univirtek.com/viro/03610140125/map.jpg", + "threat.indicator.url.path": "/viro/03610140125/map.jpg", + "threat.indicator.url.scheme": "https" }, { + "abusech.url.blacklists.spamhaus_dbl": "not listed", + "abusech.url.blacklists.surbl": "not listed", + "abusech.url.id": "961448", + "abusech.url.larted": false, + "abusech.url.tags": [ + "sLoad" + ], + "abusech.url.threat": "malware_download", + 
"abusech.url.url_status": "offline", "event.category": "threat", "event.dataset": "threatintel.abuseurl", "event.kind": "enrichment", @@ -3527,24 +3734,17 @@ "forwarded", "threatintel-abuseurls" ], - "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", - "threatintel.abuseurl.blacklists.surbl": "not listed", - "threatintel.abuseurl.id": "961448", - "threatintel.abuseurl.larted": false, - "threatintel.abuseurl.tags": [ - "sLoad" - ], - "threatintel.abuseurl.threat": "malware_download", - "threatintel.abuseurl.url_status": "offline", - "threatintel.indicator.first_seen": "2021-01-14T20:49:36.000Z", - "threatintel.indicator.provider": "Cryptolaemus1", - "threatintel.indicator.reference": "https://urlhaus.abuse.ch/url/961448/", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "belfetproduction.com", - "threatintel.indicator.url.extension": "png", - "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", - "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", - "threatintel.indicator.url.path": "/bella/CRRLRD74E09A462T/blank.png", - "threatintel.indicator.url.scheme": "https" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] AbuseCH URL", + "threat.indicator.first_seen": "2021-01-14T20:49:36.000Z", + "threat.indicator.provider": "Cryptolaemus1", + "threat.indicator.reference": "https://urlhaus.abuse.ch/url/961448/", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "belfetproduction.com", + "threat.indicator.url.extension": "png", + "threat.indicator.url.full": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", + "threat.indicator.url.original": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", + "threat.indicator.url.path": "/bella/CRRLRD74E09A462T/blank.png", + "threat.indicator.url.scheme": "https" } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml b/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml index 69ab6e22e9b..696b062b6b2 100644 --- a/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/anomali/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: anomali +- name: anomali.limo type: group description: > Fields for Anomali Threat Intel @@ -50,4 +50,4 @@ - name: object_marking_refs type: keyword description: > - The STIX reference object. \ No newline at end of file + The STIX reference object. diff --git a/x-pack/filebeat/module/threatintel/anomali/config/config.yml b/x-pack/filebeat/module/threatintel/anomali/config/config.yml index a268ddb7559..1a30d874635 100644 --- a/x-pack/filebeat/module/threatintel/anomali/config/config.yml +++ b/x-pack/filebeat/module/threatintel/anomali/config/config.yml @@ -30,7 +30,7 @@ request.transforms: value: items 0-10000 - set: target: url.params.match[type] - value: {{ .types }} + value: indicator - set: target: url.params.added_after value: '[[.cursor.timestamp]]' @@ -54,17 +54,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.id"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml index eccbf5e9826..94ca3a84751 100644 --- a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml 
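Review bot: The new `tags:` block in the config.yml hunk (`@@ -54,17 +54,12 @@`) renders each user-supplied tag raw with `- {{$val}}`, whereas the removed `tags: {{.tags | tojson}}` emitted them as quoted JSON scalars. A tag containing a YAML-significant sequence (`: `, a leading `#`, `[`, quotes) is now written unquoted into the generated input configuration and can break or reshape it, and the same unquoted rendering is used for the hard-coded `preserve_original_event` entry. If the `tojson` template function is available inside the `range`, `- {{$val | tojson}}` restores the previous quoting; otherwise wrap the value in explicit double quotes. Note also that the `fingerprint` removed here targeted `@metadata._id` on the Beat side; its replacement lives in the ingest pipeline, so anything shipping these events to an output without the pipeline loses deduplication.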
@@ -1,4 +1,5 @@ -description: Pipeline for parsing Anomali Threat Intel +--- +description: Pipeline for parsing Anomali Limo indicators processors: #################### # Event ECS fields # @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment @@ -20,16 +24,30 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.anomali + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: anomali.limo + - fingerprint: + fields: + - anomali.limo.id + target_field: "_id" ignore_missing: true ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] Anomali Limo" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" ## File indicator operations - date: - field: threatintel.anomali.created + field: anomali.limo.created formats: - "yyyy-MM-dd'T'HH:mm:ssz" - "yyyy-MM-dd'T'HH:mm:ssZ" 
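Review bot: The `ecs.version` value set in the `@@ -6,6 +7,9 @@` hunk is `"1.12"`, while the `add_fields` processor removed from config.yml in this same commit set `ecs.version: 1.12.0`. ECS records the version as full semver, so consumers filtering on an exact value will see these documents change shape; use `value: "1.12.0"` unless the other modules touched by this PR were deliberately moved to the short form.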
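Review bot: In the `@@ -20,16 +24,30 @@` hunk the `fingerprint` processor that sets `_id` from `anomali.limo.id` has `ignore_missing: true`, so an indicator whose STIX `id` is absent silently gets an auto-generated id; because the input re-polls with an `added_after` cursor (config.yml hunk), such objects returned again are indexed as duplicates rather than overwritten. The removed Beat-side fingerprint had the same gap, but now that the id logic lives here it is worth either adding `anomali.limo.pattern` as a second hashed field or dropping id-less events explicitly. Since `_id` is derived entirely from feed-controlled data, a feed can overwrite its own earlier documents by reusing an id — that is the intended dedup behaviour and should be stated, e.g. `# _id is derived from the feed-supplied STIX id so re-polls overwrite rather than duplicate; events without an id fall through to auto-generated ids`. The `json` processor that follows the `rename` has no `ignore_failure`, so a non-JSON line fails the document unless the pipeline's trailing `on_failure` (outside this hunk) handles it.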
@@ -39,68 +57,73 @@ processors: - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.created != null" + if: "ctx.anomali?.limo?.created != null" - date: - field: threatintel.anomali.modified - target_field: threatintel.anomali.modified + field: anomali.limo.modified + target_field: anomali.limo.modified formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" - "yyyy-MM-dd'T'HH:mm:ss.Sz" - "yyyy-MM-dd'T'HH:mm:ss.SZ" - "yyyy-MM-dd'T'HH:mm:ss.SSz" - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.modified != null" + if: "ctx.anomali?.limo?.modified != null" - date: - field: threatintel.anomali.valid_from - target_field: threatintel.indicator.first_seen + field: anomali.limo.valid_from + target_field: threat.indicator.first_seen formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" - "yyyy-MM-dd'T'HH:mm:ss.Sz" - "yyyy-MM-dd'T'HH:mm:ss.SZ" - "yyyy-MM-dd'T'HH:mm:ss.SSz" - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx?.threatintel?.anomali?.valid_from != null" + if: "ctx.anomali?.limo?.valid_from != null" - grok: - field: threatintel.anomali.pattern + field: anomali.limo.pattern patterns: - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]" + if: ctx.anomali?.limo?.pattern != null - rename: field: _tmp.threattype - target_field: threatintel.indicator.type + target_field: threat.indicator.type ignore_missing: true - rename: field: _tmp.threatvalue - target_field: threatintel.indicator.ip + target_field: threat.indicator.ip ignore_missing: true - if: "['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" + if: "['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - uri_parts: field: _tmp.threatvalue - target_field: threatintel.indicator.url + target_field: threat.indicator.url 
keep_original: true remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' + if: ctx.threat?.indicator?.type == 'url' - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - rename: field: _tmp.threatvalue - target_field: threatintel.indicator.email.address + target_field: threat.indicator.email.address ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'email-addr' + if: ctx.threat?.indicator?.type == 'email-addr' - rename: field: _tmp.threatvalue - target_field: threatintel.indicator.url.domain + target_field: threat.indicator.url.domain ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'domain-name' + if: ctx.threat?.indicator?.type == 'domain-name' - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx.threat?.indicator?.type == null - foreach: - field: threatintel.anomali.labels + field: anomali.limo.labels ignore_missing: true processor: append: @@ -108,9 +131,9 @@ processors: value: "{{_ingest._value}}" allow_duplicates: false - grok: - field: threatintel.anomali.description + field: anomali.limo.description patterns: - - "^%{GREEDYDATA}Source: %{GREEDYDATA:threatintel.indicator.provider}" + - "^%{GREEDYDATA}Source: %{GREEDYDATA:threat.indicator.provider}" ignore_missing: true ignore_failure: true ###################### @@ -140,9 +163,14 @@ processors: } } handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - - threatintel.anomali.created + - anomali.limo.created - message - _tmp ignore_missing: true 
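Review bot: The `grok` on `anomali.limo.pattern` in the `@@ -39,68 +57,73 @@` hunk gains an `if` guard for a missing field but no `ignore_failure`, and its single pattern only matches `[<type>:value = '<value>']`; a STIX pattern for a file hash (`[file:hashes.'SHA-256' = '…']`), a compound `AND`/`OR` pattern or a different comparison operator does not match and, unless an `on_failure` handler outside this hunk catches it, fails the whole document. Adding `ignore_failure: true` to that grok lets such indicators fall through to the `threat.indicator.type: unknown` default this hunk sets a few lines later, which is presumably what that fallback is for. Relatedly, `domain-name` indicators are renamed into `threat.indicator.url.domain` while `threat.indicator.type` keeps the STIX value, which is consistent with the `ipv4-addr`/`ipv6-addr` handling above but worth a one-line comment so dashboards do not expect `type: url` for them.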
diff --git a/x-pack/filebeat/module/threatintel/anomali/manifest.yml b/x-pack/filebeat/module/threatintel/anomali/manifest.yml index 1087e00df8a..bdfcf20a3ad 100644 --- a/x-pack/filebeat/module/threatintel/anomali/manifest.yml +++ b/x-pack/filebeat/module/threatintel/anomali/manifest.yml @@ -8,8 +8,6 @@ var: - name: first_interval default: 24h - name: ssl - - name: types - default: indicators - name: username - name: password - name: url @@ -17,6 +15,8 @@ var: - name: tags default: [threatintel-anomali, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json index f527da1ed98..7f998f8c778 100644 --- a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json @@ -1,5 +1,20 @@ [ { + "anomali.limo.description": "TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28", + "anomali.limo.labels": [ + "malicious-activity", + "threatstream-confidence-76", + "threatstream-severity-medium" + ], + "anomali.limo.modified": "2020-01-22T02:58:57.431Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ + "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" + ], + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:57.431Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -16,32 +31,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:57.431Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work6/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--f9fe5c81-6869-4247-af81-62b7c8aba209", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:57.431Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:57.503Z", + "anomali.limo.name": "mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:57.431Z", - "threatintel.indicator.first_seen": 
"2020-01-22T02:58:57.431Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work6/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:57.503Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -58,32 +75,34 @@ "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f9fe5c81-6869-4247-af81-62b7c8aba209", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:57.503Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "worldatdoor.in", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--b0e14122-9005-4776-99fc-00872476c6d1", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-68", + "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:57.503Z", - "threatintel.anomali.name": "mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:57.570Z", + "anomali.limo.name": "mal_url: http://f0387770.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - 
"threatintel.anomali.valid_from": "2020-01-22T02:58:57.503Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:57.503Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "worldatdoor.in", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0387770.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:57.57Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -100,31 +119,33 @@ "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b0e14122-9005-4776-99fc-00872476c6d1", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:57.570Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0387770.xsph.ru", + "threat.indicator.url.full": "http://f0387770.xsph.ru/login", + "threat.indicator.url.original": "http://f0387770.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime", + "anomali.limo.id": "indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-71", + "threatstream-confidence-50", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:57.570Z", - "threatintel.anomali.name": "mal_url: http://f0387770.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:59.366Z", + "anomali.limo.name": "mal_url: http://178.62.187.103/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0387770.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:57.57Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:57.570Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "f0387770.xsph.ru", - "threatintel.indicator.url.full": "http://f0387770.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0387770.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://178.62.187.103/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:59.366Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -141,31 +162,33 @@ "threatstream-confidence-50", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime", - "threatintel.anomali.id": "indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:59.366Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "178.62.187.103", + "threat.indicator.url.full": "http://178.62.187.103/login", + "threat.indicator.url.original": "http://178.62.187.103/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--189ce776-6d7e-4e85-9222-de5876644988", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-50", + "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:59.366Z", - "threatintel.anomali.name": "mal_url: http://178.62.187.103/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:58:59.457Z", + "anomali.limo.name": "mal_url: http://appareluea.com/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://178.62.187.103/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:59.366Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:59.366Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "178.62.187.103", - 
"threatintel.indicator.url.full": "http://178.62.187.103/login", - "threatintel.indicator.url.original": "http://178.62.187.103/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://appareluea.com/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:58:59.457Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -182,32 +205,34 @@ "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--189ce776-6d7e-4e85-9222-de5876644988", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:58:59.457Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "appareluea.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://appareluea.com/panel/admin.php", + "threat.indicator.url.original": "http://appareluea.com/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--a4144d34-b86d-475e-8047-eb46b48ee325", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-66", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:58:59.457Z", - "threatintel.anomali.name": "mal_url: http://appareluea.com/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:06.402Z", + "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot3/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:58:59.457Z", - "threatintel.indicator.first_seen": "2020-01-22T02:58:59.457Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "appareluea.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://appareluea.com/panel/admin.php", - "threatintel.indicator.url.original": "http://appareluea.com/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot3/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:06.402Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -224,32 +249,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--a4144d34-b86d-475e-8047-eb46b48ee325", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:06.402Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "nkpotu.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://nkpotu.xyz/Kpot3/login.php", + "threat.indicator.url.original": "http://nkpotu.xyz/Kpot3/login.php", + "threat.indicator.url.path": "/Kpot3/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime", + "anomali.limo.id": "indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-49", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:06.402Z", - "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot3/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:19.990Z", + "anomali.limo.name": "mal_ip: 162.144.128.116", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot3/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:06.402Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:06.402Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "nkpotu.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot3/login.php", - "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot3/login.php", - "threatintel.indicator.url.path": "/Kpot3/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '162.144.128.116']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:19.99Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -266,27 +293,29 @@ "threatstream-confidence-49", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime", - "threatintel.anomali.id": "indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:19.990Z", + "threat.indicator.ip": "162.144.128.116", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-49", + "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:19.990Z", - "threatintel.anomali.name": "mal_ip: 162.144.128.116", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:20.155Z", + "anomali.limo.name": "mal_url: http://ntrcgroup.com/nze/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '162.144.128.116']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:19.99Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:19.990Z", - "threatintel.indicator.ip": "162.144.128.116", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:20.155Z", "event.category": "threat", 
"event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -303,32 +332,34 @@ "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:20.155Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ntrcgroup.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://ntrcgroup.com/nze/panel/admin.php", + "threat.indicator.url.original": "http://ntrcgroup.com/nze/panel/admin.php", + "threat.indicator.url.path": "/nze/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-79", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:20.155Z", - "threatintel.anomali.name": "mal_url: http://ntrcgroup.com/nze/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:25.521Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:20.155Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:20.155Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ntrcgroup.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://ntrcgroup.com/nze/panel/admin.php", - "threatintel.indicator.url.original": "http://ntrcgroup.com/nze/panel/admin.php", - "threatintel.indicator.url.path": "/nze/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:25.521Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -345,32 +376,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:25.521Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work8/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:25.521Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:25.626Z", + "anomali.limo.name": "mal_url: http://f0390764.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:25.521Z", - "threatintel.indicator.first_seen": 
"2020-01-22T02:59:25.521Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work8/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0390764.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:25.626Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -387,31 +420,33 @@ "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:25.626Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0390764.xsph.ru", + "threat.indicator.url.full": "http://f0390764.xsph.ru/login", + "threat.indicator.url.original": "http://f0390764.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-68", + "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:25.626Z", - "threatintel.anomali.name": "mal_url: http://f0390764.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:36.461Z", + "anomali.limo.name": "mal_ip: 45.143.138.39", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0390764.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:25.626Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:25.626Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": 
"f0390764.xsph.ru", - "threatintel.indicator.url.full": "http://f0390764.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0390764.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '45.143.138.39']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:36.461Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -428,27 +463,29 @@ "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:36.461Z", + "threat.indicator.ip": "45.143.138.39", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime", + "anomali.limo.id": "indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-85", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:36.461Z", - "threatintel.anomali.name": "mal_ip: 45.143.138.39", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:41.193Z", + "anomali.limo.name": "mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '45.143.138.39']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:36.461Z", - "threatintel.indicator.first_seen": "2020-01-22T02:59:36.461Z", - "threatintel.indicator.ip": "45.143.138.39", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:41.193Z", "event.category": 
"threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -465,32 +502,34 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T02:59:41.193Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "aglfreight.com.my", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", + "threat.indicator.url.original": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", + "threat.indicator.url.path": "/inc/js/jstree/biu/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime", + "anomali.limo.id": "indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T02:59:41.193Z", - "threatintel.anomali.name": "mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T02:59:41.228Z", + "anomali.limo.name": "mal_url: http://95.182.122.184/", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T02:59:41.193Z", - 
"threatintel.indicator.first_seen": "2020-01-22T02:59:41.193Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "aglfreight.com.my", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", - "threatintel.indicator.url.original": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", - "threatintel.indicator.url.path": "/inc/js/jstree/biu/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://95.182.122.184/']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T02:59:41.228Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -507,31 +546,33 @@
 "threatstream-confidence-61",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:41.228Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "95.182.122.184",
+ "threat.indicator.url.full": "http://95.182.122.184/",
+ "threat.indicator.url.original": "http://95.182.122.184/",
+ "threat.indicator.url.path": "/",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--408ebd2d-063f-4646-b2e7-c00519869736",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-61",
+ "threatstream-confidence-62",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T02:59:41.228Z",
- "threatintel.anomali.name": "mal_url: http://95.182.122.184/",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:51.313Z",
+ "anomali.limo.name": "mal_ip: 198.54.115.121",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://95.182.122.184/']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:41.228Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:41.228Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "95.182.122.184",
- "threatintel.indicator.url.full": "http://95.182.122.184/",
- "threatintel.indicator.url.original": "http://95.182.122.184/",
- "threatintel.indicator.url.path": "/",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '198.54.115.121']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:51.313Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -548,27 +589,29 @@
 "threatstream-confidence-62",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--408ebd2d-063f-4646-b2e7-c00519869736",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:51.313Z",
+ "threat.indicator.ip": "198.54.115.121",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime",
+ "anomali.limo.id": "indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-62",
+ "threatstream-confidence-38",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T02:59:51.313Z",
- "threatintel.anomali.name": "mal_ip: 198.54.115.121",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:51.372Z",
+ "anomali.limo.name": "mal_ip: 192.185.119.172",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '198.54.115.121']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:51.313Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:51.313Z",
- "threatintel.indicator.ip": "198.54.115.121",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '192.185.119.172']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:51.372Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -585,27 +628,29 @@
 "threatstream-confidence-38",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:51.372Z",
+ "threat.indicator.ip": "192.185.119.172",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-38",
+ "threatstream-confidence-61",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T02:59:51.372Z",
- "threatintel.anomali.name": "mal_ip: 192.185.119.172",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T02:59:51.442Z",
+ "anomali.limo.name": "mal_url: http://f0389246.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.119.172']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:51.372Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:51.372Z",
- "threatintel.indicator.ip": "192.185.119.172",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0389246.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T02:59:51.442Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -622,31 +667,33 @@
 "threatstream-confidence-61",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T02:59:51.442Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0389246.xsph.ru",
+ "threat.indicator.url.full": "http://f0389246.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0389246.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--213519c9-f511-4188-89c8-159f35f08008",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-61",
+ "threatstream-confidence-66",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T02:59:51.442Z",
- "threatintel.anomali.name": "mal_url: http://f0389246.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:01.563Z",
+ "anomali.limo.name": "mal_url: http://appareluea.com/server/cp.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://f0389246.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T02:59:51.442Z",
- "threatintel.indicator.first_seen": "2020-01-22T02:59:51.442Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0389246.xsph.ru",
- "threatintel.indicator.url.full": "http://f0389246.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0389246.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://appareluea.com/server/cp.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:01.563Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -663,32 +710,34 @@
 "threatstream-confidence-66",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--213519c9-f511-4188-89c8-159f35f08008",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:01.563Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "appareluea.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://appareluea.com/server/cp.php",
+ "threat.indicator.url.original": "http://appareluea.com/server/cp.php",
+ "threat.indicator.url.path": "/server/cp.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--5a563c85-c528-4e33-babe-2dcff34f73c4",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-66",
+ "threatstream-confidence-93",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:00:01.563Z",
- "threatintel.anomali.name": "mal_url: http://appareluea.com/server/cp.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:03.138Z",
+ "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot2/login.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://appareluea.com/server/cp.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:01.563Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:01.563Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "appareluea.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://appareluea.com/server/cp.php",
- "threatintel.indicator.url.original": "http://appareluea.com/server/cp.php",
- "threatintel.indicator.url.path": "/server/cp.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot2/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:03.138Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -705,32 +754,34 @@
 "threatstream-confidence-93",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--5a563c85-c528-4e33-babe-2dcff34f73c4",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:03.138Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "nkpotu.xyz",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://nkpotu.xyz/Kpot2/login.php",
+ "threat.indicator.url.original": "http://nkpotu.xyz/Kpot2/login.php",
+ "threat.indicator.url.path": "/Kpot2/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-93",
+ "threatstream-confidence-76",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:00:03.138Z",
- "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot2/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:03.396Z",
+ "anomali.limo.name": "mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot2/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:03.138Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:03.138Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "nkpotu.xyz",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot2/login.php",
- "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot2/login.php",
- "threatintel.indicator.url.path": "/Kpot2/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:03.396Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -747,32 +798,34 @@
 "threatstream-confidence-76",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:03.396Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "chol.cc",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/Work5/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-76",
+ "threatstream-confidence-87",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:00:03.396Z",
- "threatintel.anomali.name": "mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:03.642Z",
+ "anomali.limo.name": "mal_url: http://mecharnise.ir/ca4/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:03.396Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:03.396Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "chol.cc",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/Work5/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:03.642Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -789,32 +842,34 @@
 "threatstream-confidence-87",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:03.642Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "mecharnise.ir",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://mecharnise.ir/ca4/panel/admin.php",
+ "threat.indicator.url.original": "http://mecharnise.ir/ca4/panel/admin.php",
+ "threat.indicator.url.path": "/ca4/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-87",
+ "threatstream-confidence-76",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:00:03.642Z",
- "threatintel.anomali.name": "mal_url: http://mecharnise.ir/ca4/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:27.534Z",
+ "anomali.limo.name": "mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:03.642Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:03.642Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "mecharnise.ir",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://mecharnise.ir/ca4/panel/admin.php",
- "threatintel.indicator.url.original": "http://mecharnise.ir/ca4/panel/admin.php",
- "threatintel.indicator.url.path": "/ca4/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:27.534Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -831,32 +886,34 @@
 "threatstream-confidence-76",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:27.534Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "chol.cc",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/Work4/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime",
+ "anomali.limo.id": "indicator--d6b59b66-5020-4368-85a7-196026856ea9",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-76",
+ "threatstream-confidence-78",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:00:27.534Z",
- "threatintel.anomali.name": "mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:27.591Z",
+ "anomali.limo.name": "mal_url: http://kironofer.com/webpanel/login.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:27.534Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:27.534Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "chol.cc",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/Work4/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://kironofer.com/webpanel/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:27.591Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -873,32 +930,34 @@
 "threatstream-confidence-78",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--d6b59b66-5020-4368-85a7-196026856ea9",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:27.591Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "kironofer.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://kironofer.com/webpanel/login.php",
+ "threat.indicator.url.original": "http://kironofer.com/webpanel/login.php",
+ "threat.indicator.url.path": "/webpanel/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-78",
+ "threatstream-confidence-68",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:00:27.591Z",
- "threatintel.anomali.name": "mal_url: http://kironofer.com/webpanel/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:45.787Z",
+ "anomali.limo.name": "mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://kironofer.com/webpanel/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:27.591Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:27.591Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "kironofer.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://kironofer.com/webpanel/login.php",
- "threatintel.indicator.url.original": "http://kironofer.com/webpanel/login.php",
- "threatintel.indicator.url.path": "/webpanel/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:45.787Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -915,32 +974,34 @@
 "threatstream-confidence-68",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:45.787Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "worldatdoor.in",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime",
+ "anomali.limo.id": "indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-68",
+ "threatstream-confidence-91",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:00:45.787Z",
- "threatintel.anomali.name": "mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:45.841Z",
+ "anomali.limo.name": "mal_url: http://smartlinktelecom.top/kings/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:45.787Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:45.787Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "worldatdoor.in",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:45.841Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -957,32 +1018,34 @@
 "threatstream-confidence-91",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:45.841Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "smartlinktelecom.top",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://smartlinktelecom.top/kings/panel/admin.php",
+ "threat.indicator.url.original": "http://smartlinktelecom.top/kings/panel/admin.php",
+ "threat.indicator.url.path": "/kings/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--17777e7f-3e91-4446-a43d-79139de8a948",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-91",
+ "threatstream-confidence-64",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:00:45.841Z",
- "threatintel.anomali.name": "mal_url: http://smartlinktelecom.top/kings/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:45.959Z",
+ "anomali.limo.name": "mal_url: http://carirero.net/login.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:45.841Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:45.841Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "smartlinktelecom.top",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://smartlinktelecom.top/kings/panel/admin.php",
- "threatintel.indicator.url.original": "http://smartlinktelecom.top/kings/panel/admin.php",
- "threatintel.indicator.url.path": "/kings/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://carirero.net/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:45.959Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -999,32 +1062,34 @@
 "threatstream-confidence-64",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--17777e7f-3e91-4446-a43d-79139de8a948",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:45.959Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "carirero.net",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://carirero.net/login.php",
+ "threat.indicator.url.original": "http://carirero.net/login.php",
+ "threat.indicator.url.path": "/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-64",
+ "threatstream-confidence-30",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:00:45.959Z",
- "threatintel.anomali.name": "mal_url: http://carirero.net/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:46.025Z",
+ "anomali.limo.name": "mal_ip: 74.116.84.20",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://carirero.net/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:45.959Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:45.959Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "carirero.net",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://carirero.net/login.php",
- "threatintel.indicator.url.original": "http://carirero.net/login.php",
- "threatintel.indicator.url.path": "/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '74.116.84.20']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:46.025Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1041,27 +1106,29 @@
 "threatstream-confidence-30",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:46.025Z",
+ "threat.indicator.ip": "74.116.84.20",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--b4fd8489-9589-4f70-996c-84989245a21b",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-30",
+ "threatstream-confidence-43",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:00:46.025Z",
- "threatintel.anomali.name": "mal_ip: 74.116.84.20",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:00:57.729Z",
+ "anomali.limo.name": "mal_url: http://tuu.nu/login",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '74.116.84.20']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:46.025Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:46.025Z",
- "threatintel.indicator.ip": "74.116.84.20",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://tuu.nu/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:00:57.729Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1078,31 +1145,33 @@
 "threatstream-confidence-43",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--b4fd8489-9589-4f70-996c-84989245a21b",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:00:57.729Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "tuu.nu",
+ "threat.indicator.url.full": "http://tuu.nu/login",
+ "threat.indicator.url.original": "http://tuu.nu/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime",
+ "anomali.limo.id": "indicator--bc50c62f-a015-4460-87df-2137626877e3",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-43",
+ "threatstream-confidence-36",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:00:57.729Z",
- "threatintel.anomali.name": "mal_url: http://tuu.nu/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:02.696Z",
+ "anomali.limo.name": "mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://tuu.nu/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:00:57.729Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:00:57.729Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "tuu.nu",
- "threatintel.indicator.url.full": "http://tuu.nu/login",
- "threatintel.indicator.url.original": "http://tuu.nu/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:02.696Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1119,32 +1188,34 @@
 "threatstream-confidence-36",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--bc50c62f-a015-4460-87df-2137626877e3",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:02.696Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "dulfix.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
+ "anomali.limo.id": "indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-36",
+ "threatstream-confidence-65",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:01:02.696Z",
- "threatintel.anomali.name": "mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:02.807Z",
+ "anomali.limo.name": "mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:02.696Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:02.696Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "dulfix.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:02.807Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1161,32 +1232,34 @@
 "threatstream-confidence-65",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:02.807Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "deliciasdvally.com.pe",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--9c0e63a1-c32a-470a-bf09-51488e239c63",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-65",
+ "threatstream-confidence-93",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:01:02.807Z",
- "threatintel.anomali.name": "mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:24.810Z",
+ "anomali.limo.name": "mal_url: http://nkpotu.xyz/Kpot1/login.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:02.807Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:02.807Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "deliciasdvally.com.pe",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://nkpotu.xyz/Kpot1/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:24.81Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1203,32 +1276,34 @@
 "threatstream-confidence-93",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--9c0e63a1-c32a-470a-bf09-51488e239c63",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:24.810Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "nkpotu.xyz",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://nkpotu.xyz/Kpot1/login.php",
+ "threat.indicator.url.original": "http://nkpotu.xyz/Kpot1/login.php",
+ "threat.indicator.url.path": "/Kpot1/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime",
+ "anomali.limo.id": "indicator--8047678e-20be-4116-9bc4-7bb7c26554e0",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-93",
+ "threatstream-confidence-87",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:01:24.810Z",
- "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot1/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:41.158Z",
+ "anomali.limo.name": "mal_ip: 194.87.147.80",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://nkpotu.xyz/Kpot1/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:24.81Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:24.810Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "nkpotu.xyz",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot1/login.php",
- "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot1/login.php",
- "threatintel.indicator.url.path": "/Kpot1/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '194.87.147.80']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:41.158Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1245,27 +1320,29 @@
 "threatstream-confidence-87",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--8047678e-20be-4116-9bc4-7bb7c26554e0",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:41.158Z",
+ "threat.indicator.ip": "194.87.147.80",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime",
+ "anomali.limo.id": "indicator--c57a880c-1ce0-45de-9bab-fb2910454a61",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-87",
+ "threatstream-confidence-85",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:01:41.158Z",
- "threatintel.anomali.name": "mal_ip: 194.87.147.80",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:57.189Z",
+ "anomali.limo.name": "mal_url: http://35.158.92.3/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '194.87.147.80']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:41.158Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:41.158Z",
- "threatintel.indicator.ip": "194.87.147.80",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://35.158.92.3/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:57.189Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1282,32 +1359,34 @@
 "threatstream-confidence-85",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--c57a880c-1ce0-45de-9bab-fb2910454a61",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:57.189Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "35.158.92.3",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://35.158.92.3/panel/admin.php",
+ "threat.indicator.url.original": "http://35.158.92.3/panel/admin.php",
+ "threat.indicator.url.path": "/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-85",
+ "threatstream-confidence-42",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:01:57.189Z",
- "threatintel.anomali.name": "mal_url: http://35.158.92.3/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:01:57.279Z",
+ "anomali.limo.name": "mal_ip: 45.95.168.70",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://35.158.92.3/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:57.189Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:57.189Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "35.158.92.3",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://35.158.92.3/panel/admin.php",
- "threatintel.indicator.url.original": "http://35.158.92.3/panel/admin.php",
- "threatintel.indicator.url.path": "/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '45.95.168.70']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:01:57.279Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1324,27 +1403,29 @@
 "threatstream-confidence-42",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:01:57.279Z",
+ "threat.indicator.ip": "45.95.168.70",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
+ "anomali.limo.id": "indicator--23215acb-4989-4434-ac6d-8f9367734f0f",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-42",
+ "threatstream-confidence-76",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:01:57.279Z",
- "threatintel.anomali.name": "mal_ip: 45.95.168.70",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:02:50.570Z",
+ "anomali.limo.name": "mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '45.95.168.70']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:01:57.279Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:01:57.279Z",
- "threatintel.indicator.ip": "45.95.168.70",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:02:50.57Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1361,32 +1442,34 @@
 "threatstream-confidence-76",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--23215acb-4989-4434-ac6d-8f9367734f0f",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:02:50.570Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "chol.cc",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/Work7/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-76",
+ "threatstream-confidence-26",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:02:50.570Z",
- "threatintel.anomali.name": "mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:02:52.496Z",
+ "anomali.limo.name": "mal_url: http://f0391600.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:02:50.57Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:02:50.570Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "chol.cc",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/Work7/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0391600.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:02:52.496Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1403,31 +1486,33 @@
 "threatstream-confidence-26",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:02:52.496Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0391600.xsph.ru",
+ "threat.indicator.url.full": "http://f0391600.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0391600.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--10958d74-ec60-41af-a1ab-1613257e670f",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-26",
+ "threatstream-confidence-94",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:02:52.496Z",
- "threatintel.anomali.name": "mal_url: http://f0391600.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:03:42.819Z",
+ "anomali.limo.name": "mal_url: http://extraclick.space/login.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://f0391600.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:02:52.496Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:02:52.496Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0391600.xsph.ru",
- "threatintel.indicator.url.full": "http://f0391600.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0391600.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://extraclick.space/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:03:42.819Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1444,32 +1529,34 @@
 "threatstream-confidence-94",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--10958d74-ec60-41af-a1ab-1613257e670f",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-22T03:03:42.819Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "extraclick.space",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://extraclick.space/login.php",
+ "threat.indicator.url.original": "http://extraclick.space/login.php",
+ "threat.indicator.url.path": "/login.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime",
+ "anomali.limo.id": "indicator--19556daa-6293-400d-8706-d0baa6b16b7a",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-94",
+ "threatstream-confidence-87",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-22T03:03:42.819Z",
- "threatintel.anomali.name": "mal_url: http://extraclick.space/login.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-22T03:03:52.044Z",
+ "anomali.limo.name": "mal_url: http://petrogarmani.pw/login.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://extraclick.space/login.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-22T03:03:42.819Z",
- "threatintel.indicator.first_seen": "2020-01-22T03:03:42.819Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "extraclick.space",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://extraclick.space/login.php",
- "threatintel.indicator.url.original": "http://extraclick.space/login.php",
- "threatintel.indicator.url.path": "/login.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://petrogarmani.pw/login.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-22T03:03:52.044Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -1486,32 +1573,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime", - "threatintel.anomali.id": "indicator--19556daa-6293-400d-8706-d0baa6b16b7a", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:03:52.044Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "petrogarmani.pw", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://petrogarmani.pw/login.php", + "threat.indicator.url.original": "http://petrogarmani.pw/login.php", + "threat.indicator.url.path": "/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:03:52.044Z", - "threatintel.anomali.name": "mal_url: http://petrogarmani.pw/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:01.650Z", + "anomali.limo.name": "mal_url: http://worldatdoor.in/mighty/32/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://petrogarmani.pw/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:03:52.044Z", - "threatintel.indicator.first_seen": "2020-01-22T03:03:52.044Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "petrogarmani.pw", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://petrogarmani.pw/login.php", - "threatintel.indicator.url.original": "http://petrogarmani.pw/login.php", - "threatintel.indicator.url.path": "/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:01.65Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1528,32 +1617,34 @@ "threatstream-confidence-68", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:01.650Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "worldatdoor.in", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://worldatdoor.in/mighty/32/panel/admin.php", + "threat.indicator.url.original": "http://worldatdoor.in/mighty/32/panel/admin.php", + "threat.indicator.url.path": "/mighty/32/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime", + "anomali.limo.id": "indicator--43febf7d-4185-4a12-a868-e7be690b14aa", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-68", + "threatstream-confidence-92", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:01.650Z", - "threatintel.anomali.name": "mal_url: http://worldatdoor.in/mighty/32/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:32.717Z", + "anomali.limo.name": "mal_url: http://zanlma.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:01.65Z", - "threatintel.indicator.first_seen": 
"2020-01-22T03:04:01.650Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "worldatdoor.in", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://worldatdoor.in/mighty/32/panel/admin.php", - "threatintel.indicator.url.original": "http://worldatdoor.in/mighty/32/panel/admin.php", - "threatintel.indicator.url.path": "/mighty/32/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://zanlma.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:32.717Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1570,31 +1661,33 @@ "threatstream-confidence-92", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime", - "threatintel.anomali.id": "indicator--43febf7d-4185-4a12-a868-e7be690b14aa", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:32.717Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "zanlma.com", + "threat.indicator.url.full": "http://zanlma.com/login", + "threat.indicator.url.original": "http://zanlma.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--a34728e6-f91d-47e6-a4d8-a69176299e45", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-92", + "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:32.717Z", - "threatintel.anomali.name": "mal_url: http://zanlma.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:56.858Z", + "anomali.limo.name": "mal_url: http://f0369688.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://zanlma.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:32.717Z", - "threatintel.indicator.first_seen": "2020-01-22T03:04:32.717Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - 
"threatintel.indicator.url.domain": "zanlma.com", - "threatintel.indicator.url.full": "http://zanlma.com/login", - "threatintel.indicator.url.original": "http://zanlma.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0369688.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:56.858Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1611,31 +1704,33 @@ "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--a34728e6-f91d-47e6-a4d8-a69176299e45", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:56.858Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0369688.xsph.ru", + "threat.indicator.url.full": "http://f0369688.xsph.ru/login", + "threat.indicator.url.original": "http://f0369688.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-84", + "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:56.858Z", - "threatintel.anomali.name": "mal_url: http://f0369688.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-22T03:04:59.245Z", + "anomali.limo.name": "mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0369688.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:56.858Z", - "threatintel.indicator.first_seen": "2020-01-22T03:04:56.858Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": 
"url", - "threatintel.indicator.url.domain": "f0369688.xsph.ru", - "threatintel.indicator.url.full": "http://f0369688.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0369688.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-22T03:04:59.245Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1652,32 +1747,34 @@ "threatstream-confidence-76", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-22T03:04:59.245Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "chol.cc", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Work2/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-76", + "threatstream-confidence-57", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-22T03:04:59.245Z", - "threatintel.anomali.name": "mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:00:22.287Z", + "anomali.limo.name": "mal_ip: 192.185.214.199", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-22T03:04:59.245Z", - "threatintel.indicator.first_seen": "2020-01-22T03:04:59.245Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "chol.cc", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Work2/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '192.185.214.199']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:00:22.287Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1694,27 +1791,29 @@ "threatstream-confidence-57", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:00:22.287Z", + "threat.indicator.ip": "192.185.214.199", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime", + "anomali.limo.id": "indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-57", + "threatstream-confidence-24", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:00:22.287Z", - "threatintel.anomali.name": "mal_ip: 192.185.214.199", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:01:11.329Z", + "anomali.limo.name": "mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '192.185.214.199']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:00:22.287Z", - "threatintel.indicator.first_seen": "2020-01-23T03:00:22.287Z", - "threatintel.indicator.ip": "192.185.214.199", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": 
"2020-01-23T03:01:11.329Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1731,32 +1830,34 @@ "threatstream-confidence-24", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime", - "threatintel.anomali.id": "indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:01:11.329Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "softtouchcollars.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--88e98e13-4bfd-4188-941a-f696a7b86b71", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-24", + "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:01:11.329Z", - "threatintel.anomali.name": "mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:01:36.682Z", + "anomali.limo.name": "mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - 
"threatintel.anomali.valid_from": "2020-01-23T03:01:11.329Z", - "threatintel.indicator.first_seen": "2020-01-23T03:01:11.329Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "softtouchcollars.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:01:36.682Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1773,32 +1874,34 @@ "threatstream-confidence-61", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--88e98e13-4bfd-4188-941a-f696a7b86b71", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:01:36.682Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "imobiliariatirol.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://imobiliariatirol.com/gh/panelnew/admin.php", + "threat.indicator.url.original": "http://imobiliariatirol.com/gh/panelnew/admin.php", + "threat.indicator.url.path": "/gh/panelnew/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--27323b7d-85d3-4e89-8249-b7696925a772", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-61", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:01:36.682Z", - "threatintel.anomali.name": "mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:02:15.854Z", + "anomali.limo.name": "mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:01:36.682Z", - 
"threatintel.indicator.first_seen": "2020-01-23T03:01:36.682Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "imobiliariatirol.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://imobiliariatirol.com/gh/panelnew/admin.php", - "threatintel.indicator.url.original": "http://imobiliariatirol.com/gh/panelnew/admin.php", - "threatintel.indicator.url.path": "/gh/panelnew/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:02:15.854Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1815,32 +1918,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--27323b7d-85d3-4e89-8249-b7696925a772", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:02:15.854Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "deliveryexpressworld.xyz", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--b0639721-de55-48c6-b237-3859d61aecfb", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-62", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:02:15.854Z", - "threatintel.anomali.name": "mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:02:47.364Z", + "anomali.limo.name": "mal_url: http://f0392261.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - 
"threatintel.anomali.valid_from": "2020-01-23T03:02:15.854Z", - "threatintel.indicator.first_seen": "2020-01-23T03:02:15.854Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "deliveryexpressworld.xyz", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0392261.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:02:47.364Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1857,31 +1962,33 @@ "threatstream-confidence-62", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--b0639721-de55-48c6-b237-3859d61aecfb", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:02:47.364Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0392261.xsph.ru", + "threat.indicator.url.full": "http://f0392261.xsph.ru/login", + "threat.indicator.url.original": "http://f0392261.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--677e714d-c237-42a1-b6b7-9145acd13eee", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-62", + "threatstream-confidence-80", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:02:47.364Z", - "threatintel.anomali.name": "mal_url: http://f0392261.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:03:05.048Z", + "anomali.limo.name": "mal_url: http://104.168.99.168/panel/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0392261.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:02:47.364Z", - "threatintel.indicator.first_seen": "2020-01-23T03:02:47.364Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": 
"url", - "threatintel.indicator.url.domain": "f0392261.xsph.ru", - "threatintel.indicator.url.full": "http://f0392261.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0392261.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://104.168.99.168/panel/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:03:05.048Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1898,32 +2005,34 @@ "threatstream-confidence-80", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--677e714d-c237-42a1-b6b7-9145acd13eee", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:03:05.048Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "104.168.99.168", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://104.168.99.168/panel/panel/admin.php", + "threat.indicator.url.original": "http://104.168.99.168/panel/panel/admin.php", + "threat.indicator.url.path": "/panel/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-80", + "threatstream-confidence-69", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:03:05.048Z", - "threatintel.anomali.name": "mal_url: http://104.168.99.168/panel/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:03:15.734Z", + "anomali.limo.name": "mal_url: http://f0387404.xsph.ru/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.168/panel/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:03:05.048Z", - "threatintel.indicator.first_seen": 
"2020-01-23T03:03:05.048Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "104.168.99.168", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://104.168.99.168/panel/panel/admin.php", - "threatintel.indicator.url.original": "http://104.168.99.168/panel/panel/admin.php", - "threatintel.indicator.url.path": "/panel/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0387404.xsph.ru/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:03:15.734Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1940,32 +2049,34 @@ "threatstream-confidence-69", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:03:15.734Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0387404.xsph.ru", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://f0387404.xsph.ru/panel/admin.php", + "threat.indicator.url.original": "http://f0387404.xsph.ru/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-69", + "threatstream-confidence-72", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:03:15.734Z", - "threatintel.anomali.name": "mal_url: http://f0387404.xsph.ru/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-23T03:03:42.599Z", + "anomali.limo.name": "mal_url: http://a0386457.xsph.ru/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0387404.xsph.ru/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:03:15.734Z", - 
"threatintel.indicator.first_seen": "2020-01-23T03:03:15.734Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "f0387404.xsph.ru", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://f0387404.xsph.ru/panel/admin.php", - "threatintel.indicator.url.original": "http://f0387404.xsph.ru/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://a0386457.xsph.ru/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-23T03:03:42.599Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -1982,32 +2093,34 @@ "threatstream-confidence-72", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-23T03:03:42.599Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "a0386457.xsph.ru", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://a0386457.xsph.ru/panel/admin.php", + "threat.indicator.url.original": "http://a0386457.xsph.ru/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-72", + "threatstream-confidence-74", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-23T03:03:42.599Z", - "threatintel.anomali.name": "mal_url: http://a0386457.xsph.ru/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:04.821Z", + "anomali.limo.name": "mal_url: http://defenseisrael.com/dis/index.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://a0386457.xsph.ru/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-23T03:03:42.599Z", - "threatintel.indicator.first_seen": "2020-01-23T03:03:42.599Z", - 
"threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "a0386457.xsph.ru", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://a0386457.xsph.ru/panel/admin.php", - "threatintel.indicator.url.original": "http://a0386457.xsph.ru/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://defenseisrael.com/dis/index.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:04.821Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2024,32 +2137,34 @@ "threatstream-confidence-74", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:04.821Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "defenseisrael.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://defenseisrael.com/dis/index.php", + "threat.indicator.url.original": "http://defenseisrael.com/dis/index.php", + "threat.indicator.url.path": "/dis/index.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. 
Ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-74", + "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:04.821Z", - "threatintel.anomali.name": "mal_url: http://defenseisrael.com/dis/index.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:04.857Z", + "anomali.limo.name": "mal_ip: 91.215.170.249", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://defenseisrael.com/dis/index.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:04.821Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:04.821Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "defenseisrael.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://defenseisrael.com/dis/index.php", - "threatintel.indicator.url.original": "http://defenseisrael.com/dis/index.php", - "threatintel.indicator.url.path": "/dis/index.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '91.215.170.249']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:04.857Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2066,27 +2181,29 @@ "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:04.857Z", + "threat.indicator.ip": "91.215.170.249", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-83", + "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:04.857Z", - "threatintel.anomali.name": "mal_ip: 91.215.170.249", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:04.883Z", + "anomali.limo.name": "mal_url: http://lbfb3f03.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '91.215.170.249']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:04.857Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:04.857Z", - "threatintel.indicator.ip": "91.215.170.249", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:04.883Z", "event.category": 
"threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2103,31 +2220,33 @@ "threatstream-confidence-79", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:04.883Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lbfb3f03.justinstalledpanel.com", + "threat.indicator.url.full": "http://lbfb3f03.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://lbfb3f03.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-79", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:04.883Z", - "threatintel.anomali.name": "mal_url: http://lbfb3f03.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:12.997Z", + "anomali.limo.name": "mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:04.883Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:04.883Z", - "threatintel.indicator.provider": 
"CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "lbfb3f03.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://lbfb3f03.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://lbfb3f03.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:12.997Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2144,32 +2263,34 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:12.997Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "byedtronchgroup.yt", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:12.997Z", - "threatintel.anomali.name": "mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:13.025Z", + "anomali.limo.name": "mal_url: http://199.192.28.11/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": 
"2020-01-24T02:57:12.997Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:12.997Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "byedtronchgroup.yt", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://199.192.28.11/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:13.025Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2186,32 +2307,34 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:13.025Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "199.192.28.11", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://199.192.28.11/panel/admin.php", + "threat.indicator.url.original": "http://199.192.28.11/panel/admin.php", + "threat.indicator.url.path": "/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-87", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:13.025Z", - "threatintel.anomali.name": "mal_url: http://199.192.28.11/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:32.901Z", + "anomali.limo.name": "mal_url: http://217.8.117.51/aW8bVds1/login.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://199.192.28.11/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:13.025Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:13.025Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "199.192.28.11", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://199.192.28.11/panel/admin.php", - "threatintel.indicator.url.original": "http://199.192.28.11/panel/admin.php", - "threatintel.indicator.url.path": "/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://217.8.117.51/aW8bVds1/login.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:32.901Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2228,32 +2351,34 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:32.901Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "217.8.117.51", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://217.8.117.51/aW8bVds1/login.php", + "threat.indicator.url.original": "http://217.8.117.51/aW8bVds1/login.php", + "threat.indicator.url.path": "/aW8bVds1/login.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", + "anomali.limo.id": "indicator--a050832c-db6e-49a0-8470-7a3cd8f17178", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:32.901Z", - "threatintel.anomali.name": "mal_url: http://217.8.117.51/aW8bVds1/login.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:32.929Z", + "anomali.limo.name": "mal_url: http://lansome.site/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.51/aW8bVds1/login.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:32.901Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:32.901Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "217.8.117.51", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://217.8.117.51/aW8bVds1/login.php", - "threatintel.indicator.url.original": "http://217.8.117.51/aW8bVds1/login.php", - "threatintel.indicator.url.path": "/aW8bVds1/login.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://lansome.site/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:32.929Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2270,31 +2395,33 @@ "threatstream-confidence-93", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--a050832c-db6e-49a0-8470-7a3cd8f17178", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:32.929Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lansome.site", + "threat.indicator.url.full": "http://lansome.site/login", + "threat.indicator.url.original": "http://lansome.site/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", + "anomali.limo.id": "indicator--e88008f4-76fc-428d-831a-4b389e48b712", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-93", + "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:32.929Z", - "threatintel.anomali.name": "mal_url: http://lansome.site/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:57:49.028Z", + "anomali.limo.name": "mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://lansome.site/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:32.929Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:32.929Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": 
"url", - "threatintel.indicator.url.domain": "lansome.site", - "threatintel.indicator.url.full": "http://lansome.site/login", - "threatintel.indicator.url.original": "http://lansome.site/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:57:49.028Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2311,32 +2438,34 @@ "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e88008f4-76fc-428d-831a-4b389e48b712", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:57:49.028Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "iplusvietnam.com.vn", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-83", + "threatstream-confidence-94", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:57:49.028Z", - "threatintel.anomali.name": "mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:03.345Z", + "anomali.limo.name": "mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 
'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:57:49.028Z", - "threatintel.indicator.first_seen": "2020-01-24T02:57:49.028Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "iplusvietnam.com.vn", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:03.345Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2353,32 +2482,34 @@ "threatstream-confidence-94", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:03.345Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "leakaryadeen.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/parl/id345/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", + "anomali.limo.id": "indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-94", + "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:03.345Z", - "threatintel.anomali.name": "mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:16.318Z", + "anomali.limo.name": "mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": 
"2020-01-24T02:58:03.345Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:03.345Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "leakaryadeen.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/parl/id345/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:16.318Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2395,32 +2526,34 @@ "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", - "threatintel.anomali.id": "indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:16.318Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "oaa-my.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/clap/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", + "anomali.limo.id": "indicator--4adabe80-3be4-401a-948a-f9724c872374", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-81", + "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:16.318Z", - "threatintel.anomali.name": "mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:16.358Z", + "anomali.limo.name": "mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - 
"threatintel.anomali.valid_from": "2020-01-24T02:58:16.318Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:16.318Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "oaa-my.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/clap/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:16.358Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2437,32 +2570,34 @@ "threatstream-confidence-66", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", - "threatintel.anomali.id": "indicator--4adabe80-3be4-401a-948a-f9724c872374", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:16.358Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "thaubenuocngam.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-66", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:16.358Z", - "threatintel.anomali.name": "mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:32.126Z", + "anomali.limo.name": "mal_url: http://suspiciousactivity.xyz/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", 
- "threatintel.anomali.valid_from": "2020-01-24T02:58:16.358Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:16.358Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "thaubenuocngam.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://suspiciousactivity.xyz/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:32.126Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2479,31 +2614,33 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:32.126Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "suspiciousactivity.xyz", + "threat.indicator.url.full": "http://suspiciousactivity.xyz/login", + "threat.indicator.url.original": "http://suspiciousactivity.xyz/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7", + "anomali.limo.labels": [ "malicious-activity", "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:32.126Z", - "threatintel.anomali.name": "mal_url: http://suspiciousactivity.xyz/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:37.603Z", + "anomali.limo.name": "mal_url: http://217.8.117.8/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://suspiciousactivity.xyz/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:32.126Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:32.126Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "suspiciousactivity.xyz", - 
"threatintel.indicator.url.full": "http://suspiciousactivity.xyz/login", - "threatintel.indicator.url.original": "http://suspiciousactivity.xyz/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://217.8.117.8/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:37.603Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2520,31 +2657,33 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:37.603Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "217.8.117.8", + "threat.indicator.url.full": "http://217.8.117.8/login", + "threat.indicator.url.original": "http://217.8.117.8/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", + "anomali.limo.id": "indicator--33e674f5-a64a-48f4-9d8c-248348356135", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:37.603Z", - "threatintel.anomali.name": "mal_url: http://217.8.117.8/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:37.643Z", + "anomali.limo.name": "mal_url: http://f0387550.xsph.ru/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://217.8.117.8/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:37.603Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:37.603Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "217.8.117.8", 
- "threatintel.indicator.url.full": "http://217.8.117.8/login", - "threatintel.indicator.url.original": "http://217.8.117.8/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://f0387550.xsph.ru/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:37.643Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2561,31 +2700,33 @@ "threatstream-confidence-71", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", - "threatintel.anomali.id": "indicator--33e674f5-a64a-48f4-9d8c-248348356135", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:37.643Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "f0387550.xsph.ru", + "threat.indicator.url.full": "http://f0387550.xsph.ru/login", + "threat.indicator.url.original": "http://f0387550.xsph.ru/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--6311f539-1d5d-423f-a238-d0c1dc167432", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-71", + "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:37.643Z", - "threatintel.anomali.name": "mal_url: http://f0387550.xsph.ru/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:58:39.465Z", + "anomali.limo.name": "mal_url: http://lf4e4abf.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://f0387550.xsph.ru/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:37.643Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:37.643Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": 
"url", - "threatintel.indicator.url.domain": "f0387550.xsph.ru", - "threatintel.indicator.url.full": "http://f0387550.xsph.ru/login", - "threatintel.indicator.url.original": "http://f0387550.xsph.ru/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:58:39.465Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2602,31 +2743,33 @@ "threatstream-confidence-84", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--6311f539-1d5d-423f-a238-d0c1dc167432", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:58:39.465Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lf4e4abf.justinstalledpanel.com", + "threat.indicator.url.full": "http://lf4e4abf.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://lf4e4abf.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-84", + "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:58:39.465Z", - "threatintel.anomali.name": "mal_url: http://lf4e4abf.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:02.031Z", + "anomali.limo.name": "mal_ip: 206.217.131.245", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:58:39.465Z", - "threatintel.indicator.first_seen": "2020-01-24T02:58:39.465Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "lf4e4abf.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://lf4e4abf.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://lf4e4abf.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '206.217.131.245']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:02.031Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2643,27 +2786,29 @@ "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:02.031Z", + "threat.indicator.ip": "206.217.131.245", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime", + "anomali.limo.id": "indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-81", + "threatstream-confidence-52", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:02.031Z", - "threatintel.anomali.name": "mal_ip: 206.217.131.245", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:15.878Z", + "anomali.limo.name": "mal_url: http://67.215.224.101/a1/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '206.217.131.245']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:02.031Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:02.031Z", - "threatintel.indicator.ip": "206.217.131.245", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://67.215.224.101/a1/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:15.878Z", "event.category": "threat", 
"event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2680,32 +2825,34 @@ "threatstream-confidence-52", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime", - "threatintel.anomali.id": "indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:15.878Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "67.215.224.101", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://67.215.224.101/a1/panel/admin.php", + "threat.indicator.url.original": "http://67.215.224.101/a1/panel/admin.php", + "threat.indicator.url.path": "/a1/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-52", + "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:15.878Z", - "threatintel.anomali.name": "mal_url: http://67.215.224.101/a1/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:29.155Z", + "anomali.limo.name": "mal_ip: 162.241.73.163", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://67.215.224.101/a1/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:15.878Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:15.878Z", - "threatintel.indicator.provider": "CyberCrime", - 
"threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "67.215.224.101", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://67.215.224.101/a1/panel/admin.php", - "threatintel.indicator.url.original": "http://67.215.224.101/a1/panel/admin.php", - "threatintel.indicator.url.path": "/a1/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '162.241.73.163']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:29.155Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2722,27 +2869,29 @@ "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:29.155Z", + "threat.indicator.ip": "162.241.73.163", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--d5bdff38-6939-4a47-8e11-b910520565c4", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-58", + "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:29.155Z", - "threatintel.anomali.name": "mal_ip: 162.241.73.163", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:50.233Z", + "anomali.limo.name": "mal_url: http://l60bdd58.justinstalledpanel.com/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '162.241.73.163']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:29.155Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:29.155Z", - "threatintel.indicator.ip": "162.241.73.163", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://l60bdd58.justinstalledpanel.com/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:50.233Z", "event.category": "threat", 
"event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2759,31 +2908,33 @@ "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--d5bdff38-6939-4a47-8e11-b910520565c4", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:50.233Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "l60bdd58.justinstalledpanel.com", + "threat.indicator.url.full": "http://l60bdd58.justinstalledpanel.com/login", + "threat.indicator.url.original": "http://l60bdd58.justinstalledpanel.com/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", + "anomali.limo.id": "indicator--1be74977-5aa6-4175-99dd-32b54863a06b", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-78", + "threatstream-confidence-25", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:50.233Z", - "threatintel.anomali.name": "mal_url: http://l60bdd58.justinstalledpanel.com/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:50.255Z", + "anomali.limo.name": "mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://l60bdd58.justinstalledpanel.com/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:50.233Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:50.233Z", - "threatintel.indicator.provider": 
"CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "l60bdd58.justinstalledpanel.com", - "threatintel.indicator.url.full": "http://l60bdd58.justinstalledpanel.com/login", - "threatintel.indicator.url.original": "http://l60bdd58.justinstalledpanel.com/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:50.255Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2800,32 +2951,34 @@ "threatstream-confidence-25", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", - "threatintel.anomali.id": "indicator--1be74977-5aa6-4175-99dd-32b54863a06b", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:50.255Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "107.175.150.73", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "threat.indicator.url.original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", + "threat.indicator.url.path": "/~giftioz/.azma/panel/admin.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", + "anomali.limo.id": "indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-25", + "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:50.255Z", - "threatintel.anomali.name": "mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:52.536Z", + "anomali.limo.name": "mal_url: http://5.188.60.52/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://107.175.150.73/~giftioz/.azma/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:50.255Z", - "threatintel.indicator.first_seen": 
"2020-01-24T02:59:50.255Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "107.175.150.73", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", - "threatintel.indicator.url.original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", - "threatintel.indicator.url.path": "/~giftioz/.azma/panel/admin.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://5.188.60.52/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:52.536Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2842,31 +2995,33 @@ "threatstream-confidence-78", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", - "threatintel.anomali.id": "indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:52.536Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "5.188.60.52", + "threat.indicator.url.full": "http://5.188.60.52/login", + "threat.indicator.url.original": "http://5.188.60.52/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", + "anomali.limo.id": "indicator--504f4011-eaea-4921-aad5-f102bef7c798", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-78", + "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:52.536Z", - "threatintel.anomali.name": "mal_url: http://5.188.60.52/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:54.784Z", + "anomali.limo.name": "mal_url: http://trotdeiman.ga/login", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://5.188.60.52/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:52.536Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:52.536Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "5.188.60.52", - 
"threatintel.indicator.url.full": "http://5.188.60.52/login", - "threatintel.indicator.url.original": "http://5.188.60.52/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[url:value = 'http://trotdeiman.ga/login']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:54.784Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2883,31 +3038,33 @@ "threatstream-confidence-85", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", - "threatintel.anomali.id": "indicator--504f4011-eaea-4921-aad5-f102bef7c798", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:54.784Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "trotdeiman.ga", + "threat.indicator.url.full": "http://trotdeiman.ga/login", + "threat.indicator.url.original": "http://trotdeiman.ga/login", + "threat.indicator.url.path": "/login", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime", + "anomali.limo.id": "indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-85", + "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:54.784Z", - "threatintel.anomali.name": "mal_url: http://trotdeiman.ga/login", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T02:59:54.815Z", + "anomali.limo.name": "mal_ip: 217.8.117.8", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://trotdeiman.ga/login']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:54.784Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:54.784Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "trotdeiman.ga", - "threatintel.indicator.url.full": 
"http://trotdeiman.ga/login", - "threatintel.indicator.url.original": "http://trotdeiman.ga/login", - "threatintel.indicator.url.path": "/login", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '217.8.117.8']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T02:59:54.815Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2924,27 +3081,29 @@ "threatstream-confidence-82", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime", - "threatintel.anomali.id": "indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T02:59:54.815Z", + "threat.indicator.ip": "217.8.117.8", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime", + "anomali.limo.id": "indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-82", + "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T02:59:54.815Z", - "threatintel.anomali.name": "mal_ip: 217.8.117.8", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:01.726Z", + "anomali.limo.name": "mal_ip: 104.223.170.113", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.8']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T02:59:54.815Z", - "threatintel.indicator.first_seen": "2020-01-24T02:59:54.815Z", - "threatintel.indicator.ip": "217.8.117.8", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '104.223.170.113']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:01.726Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2961,27 +3120,29 @@ "threatstream-confidence-83", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime", - "threatintel.anomali.id": "indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-24T03:00:01.726Z", + "threat.indicator.ip": "104.223.170.113", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", + "anomali.limo.id": "indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-83", + "threatstream-confidence-58", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-24T03:00:01.726Z", - "threatintel.anomali.name": "mal_ip: 104.223.170.113", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-24T03:00:01.762Z", + "anomali.limo.name": "mal_url: http://tavim.org/includes/firmino/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '104.223.170.113']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-24T03:00:01.726Z", - "threatintel.indicator.first_seen": "2020-01-24T03:00:01.726Z", - "threatintel.indicator.ip": "104.223.170.113", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://tavim.org/includes/firmino/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-24T03:00:01.762Z", "event.category": 
"threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -2998,32 +3159,34 @@
 "threatstream-confidence-58",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:00:01.762Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "tavim.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://tavim.org/includes/firmino/admin.php",
+ "threat.indicator.url.original": "http://tavim.org/includes/firmino/admin.php",
+ "threat.indicator.url.path": "/includes/firmino/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-58",
+ "threatstream-confidence-84",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-24T03:00:01.762Z",
- "threatintel.anomali.name": "mal_url: http://tavim.org/includes/firmino/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:00:10.928Z",
+ "anomali.limo.name": "mal_url: http://onlinesecuritycenter.xyz/login",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/firmino/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:00:01.762Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:00:01.762Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "tavim.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://tavim.org/includes/firmino/admin.php",
- "threatintel.indicator.url.original": "http://tavim.org/includes/firmino/admin.php",
- "threatintel.indicator.url.path": "/includes/firmino/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://onlinesecuritycenter.xyz/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:00:10.928Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3040,31 +3203,33 @@
 "threatstream-confidence-84",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:00:10.928Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "onlinesecuritycenter.xyz",
+ "threat.indicator.url.full": "http://onlinesecuritycenter.xyz/login",
+ "threat.indicator.url.original": "http://onlinesecuritycenter.xyz/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime",
+ "anomali.limo.id": "indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-84",
+ "threatstream-confidence-81",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-24T03:00:10.928Z",
- "threatintel.anomali.name": "mal_url: http://onlinesecuritycenter.xyz/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:00:20.166Z",
+ "anomali.limo.name": "mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://onlinesecuritycenter.xyz/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:00:10.928Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:00:10.928Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "onlinesecuritycenter.xyz",
- "threatintel.indicator.url.full": "http://onlinesecuritycenter.xyz/login",
- "threatintel.indicator.url.original": "http://onlinesecuritycenter.xyz/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:00:20.166Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3081,32 +3246,34 @@
 "threatstream-confidence-81",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:00:20.166Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "oaa-my.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-81",
+ "threatstream-confidence-90",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-24T03:00:20.166Z",
- "threatintel.anomali.name": "mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:00:24.048Z",
+ "anomali.limo.name": "mal_url: http://jumbajumbadun.fun/login",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:00:20.166Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:00:20.166Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "oaa-my.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://jumbajumbadun.fun/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:00:24.048Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3123,31 +3290,33 @@
 "threatstream-confidence-90",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:00:24.048Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "jumbajumbadun.fun",
+ "threat.indicator.url.full": "http://jumbajumbadun.fun/login",
+ "threat.indicator.url.original": "http://jumbajumbadun.fun/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
+ "anomali.limo.id": "indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-90",
+ "threatstream-confidence-58",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-24T03:00:24.048Z",
- "threatintel.anomali.name": "mal_url: http://jumbajumbadun.fun/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:00:55.816Z",
+ "anomali.limo.name": "mal_url: http://tavim.org/includes/salah/admin.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://jumbajumbadun.fun/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:00:24.048Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:00:24.048Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "jumbajumbadun.fun",
- "threatintel.indicator.url.full": "http://jumbajumbadun.fun/login",
- "threatintel.indicator.url.original": "http://jumbajumbadun.fun/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://tavim.org/includes/salah/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:00:55.816Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3164,32 +3333,34 @@
 "threatstream-confidence-58",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:00:55.816Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "tavim.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://tavim.org/includes/salah/admin.php",
+ "threat.indicator.url.original": "http://tavim.org/includes/salah/admin.php",
+ "threat.indicator.url.path": "/includes/salah/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
+ "anomali.limo.id": "indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-58",
+ "threatstream-confidence-80",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-24T03:00:55.816Z",
- "threatintel.anomali.name": "mal_url: http://tavim.org/includes/salah/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:01:10.501Z",
+ "anomali.limo.name": "mal_url: http://l0c23205.justinstalledpanel.com/login",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://tavim.org/includes/salah/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:00:55.816Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:00:55.816Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "tavim.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://tavim.org/includes/salah/admin.php",
- "threatintel.indicator.url.original": "http://tavim.org/includes/salah/admin.php",
- "threatintel.indicator.url.path": "/includes/salah/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://l0c23205.justinstalledpanel.com/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:01:10.501Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3206,31 +3377,33 @@
 "threatstream-confidence-80",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:01:10.501Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "l0c23205.justinstalledpanel.com",
+ "threat.indicator.url.full": "http://l0c23205.justinstalledpanel.com/login",
+ "threat.indicator.url.original": "http://l0c23205.justinstalledpanel.com/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
+ "anomali.limo.id": "indicator--7471a595-e8b0-4c41-be4c-0a3e55675630",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-80",
+ "threatstream-confidence-83",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-24T03:01:10.501Z",
- "threatintel.anomali.name": "mal_url: http://l0c23205.justinstalledpanel.com/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:01:10.518Z",
+ "anomali.limo.name": "mal_url: http://l535e9e5.justinstalledpanel.com/login",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://l0c23205.justinstalledpanel.com/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:01:10.501Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:01:10.501Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "l0c23205.justinstalledpanel.com",
- "threatintel.indicator.url.full": "http://l0c23205.justinstalledpanel.com/login",
- "threatintel.indicator.url.original": "http://l0c23205.justinstalledpanel.com/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://l535e9e5.justinstalledpanel.com/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:01:10.518Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3247,31 +3420,33 @@
 "threatstream-confidence-83",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--7471a595-e8b0-4c41-be4c-0a3e55675630",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:01:10.518Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "l535e9e5.justinstalledpanel.com",
+ "threat.indicator.url.full": "http://l535e9e5.justinstalledpanel.com/login",
+ "threat.indicator.url.original": "http://l535e9e5.justinstalledpanel.com/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime",
+ "anomali.limo.id": "indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-83",
+ "threatstream-confidence-76",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-24T03:01:10.518Z",
- "threatintel.anomali.name": "mal_url: http://l535e9e5.justinstalledpanel.com/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-24T03:01:14.843Z",
+ "anomali.limo.name": "mal_ip: 217.8.117.47",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://l535e9e5.justinstalledpanel.com/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:01:10.518Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:01:10.518Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "l535e9e5.justinstalledpanel.com",
- "threatintel.indicator.url.full": "http://l535e9e5.justinstalledpanel.com/login",
- "threatintel.indicator.url.original": "http://l535e9e5.justinstalledpanel.com/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[ipv4-addr:value = '217.8.117.47']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-24T03:01:14.843Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3288,27 +3463,29 @@
 "threatstream-confidence-76",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-24T03:01:14.843Z",
+ "threat.indicator.ip": "217.8.117.47",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "ipv4-addr"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime",
+ "anomali.limo.id": "indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-76",
+ "threatstream-confidence-67",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-24T03:01:14.843Z",
- "threatintel.anomali.name": "mal_ip: 217.8.117.47",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:12.699Z",
+ "anomali.limo.name": "mal_url: http://46.161.27.57/northon/",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[ipv4-addr:value = '217.8.117.47']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-24T03:01:14.843Z",
- "threatintel.indicator.first_seen": "2020-01-24T03:01:14.843Z",
- "threatintel.indicator.ip": "217.8.117.47",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "ipv4-addr"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://46.161.27.57/northon/']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:12.699Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3325,31 +3502,33 @@
 "threatstream-confidence-67",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:12.699Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "46.161.27.57",
+ "threat.indicator.url.full": "http://46.161.27.57/northon/",
+ "threat.indicator.url.original": "http://46.161.27.57/northon/",
+ "threat.indicator.url.path": "/northon/",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
+ "anomali.limo.id": "indicator--54afbceb-72f3-484e-aee4-904f77beeff6",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-67",
+ "threatstream-confidence-90",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-25T02:57:12.699Z",
- "threatintel.anomali.name": "mal_url: http://46.161.27.57/northon/",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:28.034Z",
+ "anomali.limo.name": "mal_url: http://104.168.99.170/login",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57/northon/']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:12.699Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:12.699Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "46.161.27.57",
- "threatintel.indicator.url.full": "http://46.161.27.57/northon/",
- "threatintel.indicator.url.original": "http://46.161.27.57/northon/",
- "threatintel.indicator.url.path": "/northon/",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://104.168.99.170/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:28.034Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3366,31 +3545,33 @@
 "threatstream-confidence-90",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--54afbceb-72f3-484e-aee4-904f77beeff6",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:28.034Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "104.168.99.170",
+ "threat.indicator.url.full": "http://104.168.99.170/login",
+ "threat.indicator.url.original": "http://104.168.99.170/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--da030e10-af9f-462d-bda8-33abb223e950",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-90",
+ "threatstream-confidence-89",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-25T02:57:28.034Z",
- "threatintel.anomali.name": "mal_url: http://104.168.99.170/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:38.187Z",
+ "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://104.168.99.170/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:28.034Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:28.034Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "104.168.99.170",
- "threatintel.indicator.url.full": "http://104.168.99.170/login",
- "threatintel.indicator.url.original": "http://104.168.99.170/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:38.187Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3407,32 +3588,34 @@
 "threatstream-confidence-89",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--da030e10-af9f-462d-bda8-33abb223e950",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:38.187Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "officelog.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/scan/panel/admin.php",
+ "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/scan/panel/admin.php",
+ "threat.indicator.url.path": "/inc/js/jstree/scan/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--d38e051a-bc5b-4723-884a-65e017d98299",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-89",
+ "threatstream-confidence-65",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-25T02:57:38.187Z",
- "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:38.214Z",
+ "anomali.limo.name": "mal_url: http://f0391587.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:38.187Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:38.187Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "officelog.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/scan/panel/admin.php",
- "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/scan/panel/admin.php",
- "threatintel.indicator.url.path": "/inc/js/jstree/scan/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0391587.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:38.214Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3449,31 +3632,33 @@
 "threatstream-confidence-65",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.description": "TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--d38e051a-bc5b-4723-884a-65e017d98299",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:38.214Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0391587.xsph.ru",
+ "threat.indicator.url.full": "http://f0391587.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0391587.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime",
+ "anomali.limo.id": "indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a",
+ "anomali.limo.labels": [
 "malicious-activity",
- "threatstream-confidence-65",
+ "threatstream-confidence-67",
 "threatstream-severity-medium"
 ],
- "threatintel.anomali.modified": "2020-01-25T02:57:38.214Z",
- "threatintel.anomali.name": "mal_url: http://f0391587.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:47.281Z",
+ "anomali.limo.name": "mal_url: http://46.161.27.57:8080/northon/",
+ "anomali.limo.object_marking_refs": [
 "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
 ],
- "threatintel.anomali.pattern": "[url:value = 'http://f0391587.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:38.214Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:38.214Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0391587.xsph.ru",
- "threatintel.indicator.url.full": "http://f0391587.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0391587.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://46.161.27.57:8080/northon/']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:47.281Z",
 "event.category": "threat",
 "event.dataset": "threatintel.anomali",
 "event.kind": "enrichment",
@@ -3490,32 +3675,34 @@
  "threatstream-confidence-67",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:47.281Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "46.161.27.57",
+ "threat.indicator.url.full": "http://46.161.27.57:8080/northon/",
+ "threat.indicator.url.original": "http://46.161.27.57:8080/northon/",
+ "threat.indicator.url.path": "/northon/",
+ "threat.indicator.url.port": 8080,
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
+ "anomali.limo.id": "indicator--b9715fd5-b89a-4859-b19f-55e052709227",
+ "anomali.limo.labels": [
  "malicious-activity",
- "threatstream-confidence-67",
+ "threatstream-confidence-79",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:57:47.281Z",
- "threatintel.anomali.name": "mal_url: http://46.161.27.57:8080/northon/",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:51.296Z",
+ "anomali.limo.name": "mal_url: http://f0393086.xsph.ru/login",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://46.161.27.57:8080/northon/']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:47.281Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:47.281Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "46.161.27.57",
- "threatintel.indicator.url.full": "http://46.161.27.57:8080/northon/",
- "threatintel.indicator.url.original": "http://46.161.27.57:8080/northon/",
- "threatintel.indicator.url.path": "/northon/",
- "threatintel.indicator.url.port": 8080,
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://f0393086.xsph.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:51.296Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
@@ -3532,31 +3719,33 @@
  "threatstream-confidence-79",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--b9715fd5-b89a-4859-b19f-55e052709227",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:51.296Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "f0393086.xsph.ru",
+ "threat.indicator.url.full": "http://f0393086.xsph.ru/login",
+ "threat.indicator.url.original": "http://f0393086.xsph.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--e3177515-f481-46c8-bad8-582ba0858ef3",
+ "anomali.limo.labels": [
  "malicious-activity",
- "threatstream-confidence-79",
+ "threatstream-confidence-87",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:57:51.296Z",
- "threatintel.anomali.name": "mal_url: http://f0393086.xsph.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:56.007Z",
+ "anomali.limo.name": "mal_url: http://insuncos.com/files1/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://f0393086.xsph.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:51.296Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:51.296Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "f0393086.xsph.ru",
- "threatintel.indicator.url.full": "http://f0393086.xsph.ru/login",
- "threatintel.indicator.url.original": "http://f0393086.xsph.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files1/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:56.007Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
@@ -3573,32 +3762,34 @@
  "threatstream-confidence-87",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--e3177515-f481-46c8-bad8-582ba0858ef3",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:56.007Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "insuncos.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://insuncos.com/files1/panel/admin.php",
+ "threat.indicator.url.original": "http://insuncos.com/files1/panel/admin.php",
+ "threat.indicator.url.path": "/files1/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime",
+ "anomali.limo.id": "indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533",
+ "anomali.limo.labels": [
  "malicious-activity",
- "threatstream-confidence-87",
+ "threatstream-confidence-89",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:57:56.007Z",
- "threatintel.anomali.name": "mal_url: http://insuncos.com/files1/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:57:56.044Z",
+ "anomali.limo.name": "mal_url: http://tg-h.ru/login",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files1/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:56.007Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:56.007Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "insuncos.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://insuncos.com/files1/panel/admin.php",
- "threatintel.indicator.url.original": "http://insuncos.com/files1/panel/admin.php",
- "threatintel.indicator.url.path": "/files1/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://tg-h.ru/login']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:57:56.044Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
@@ -3615,31 +3806,33 @@
  "threatstream-confidence-89",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:57:56.044Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "tg-h.ru",
+ "threat.indicator.url.full": "http://tg-h.ru/login",
+ "threat.indicator.url.original": "http://tg-h.ru/login",
+ "threat.indicator.url.path": "/login",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735",
+ "anomali.limo.labels": [
  "malicious-activity",
- "threatstream-confidence-89",
+ "threatstream-confidence-86",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:57:56.044Z",
- "threatintel.anomali.name": "mal_url: http://tg-h.ru/login",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:11.038Z",
+ "anomali.limo.name": "mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://tg-h.ru/login']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:57:56.044Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:57:56.044Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "tg-h.ru",
- "threatintel.indicator.url.full": "http://tg-h.ru/login",
- "threatintel.indicator.url.original": "http://tg-h.ru/login",
- "threatintel.indicator.url.path": "/login",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:11.038Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
@@ -3656,32 +3849,34 @@
  "threatstream-confidence-86",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:11.038Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "wusetwo.xyz",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.original": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.path": "/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f1bdef49-666f-46b5-a323-efa1f1446b62",
+ "anomali.limo.labels": [
  "malicious-activity",
- "threatstream-confidence-86",
+ "threatstream-confidence-64",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:58:11.038Z",
- "threatintel.anomali.name": "mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:20.420Z",
+ "anomali.limo.name": "mal_url: http://185.234.217.36/northon/",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:11.038Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:11.038Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "wusetwo.xyz",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.original": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.path": "/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://185.234.217.36/northon/']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:20.42Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
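Review bot: On the new side `anomali.limo.valid_from` is `"2020-01-25T02:58:20.42Z"` while the normalized `threat.indicator.first_seen` for the same indicator (next hunk) is `"2020-01-25T02:58:20.420Z"`, so the raw copy and the ECS copy of one timestamp no longer compare equal as strings; the same pair recurs at the hunk starting `@@ -3864,32 +4067,34 @@` (`02:59:27.07Z` vs `02:59:27.070Z`). This appears to be the feed's own serialization being preserved verbatim rather than something the rename introduced, and it is harmless if `anomali.limo.valid_from` is mapped as a `date`, which cannot be confirmed from this page; if it is a `keyword`, exact-match correlation between the two fields fails for these records. Either pass `valid_from` through the same date normalization as `first_seen`, or state in the field description that `anomali.limo.*` keeps the feed's raw values unmodified, e.g. `description: Raw value as delivered by the Anomali Limo feed; not normalized.` The JSON object these fields belong to continues past the end of the hunk.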
@@ -3698,31 +3893,33 @@
  "threatstream-confidence-64",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f1bdef49-666f-46b5-a323-efa1f1446b62",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:20.420Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "185.234.217.36",
+ "threat.indicator.url.full": "http://185.234.217.36/northon/",
+ "threat.indicator.url.original": "http://185.234.217.36/northon/",
+ "threat.indicator.url.path": "/northon/",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime",
+ "anomali.limo.id": "indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593",
+ "anomali.limo.labels": [
  "malicious-activity",
- "threatstream-confidence-64",
+ "threatstream-confidence-84",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:58:20.420Z",
- "threatintel.anomali.name": "mal_url: http://185.234.217.36/northon/",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:20.448Z",
+ "anomali.limo.name": "mal_url: http://topik07.mcdir.ru/papka/admin.php",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://185.234.217.36/northon/']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:20.42Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:20.420Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "185.234.217.36",
- "threatintel.indicator.url.full": "http://185.234.217.36/northon/",
- "threatintel.indicator.url.original": "http://185.234.217.36/northon/",
- "threatintel.indicator.url.path": "/northon/",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://topik07.mcdir.ru/papka/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:20.448Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
@@ -3739,32 +3936,34 @@
  "threatstream-confidence-84",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:20.448Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "topik07.mcdir.ru",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://topik07.mcdir.ru/papka/admin.php",
+ "threat.indicator.url.original": "http://topik07.mcdir.ru/papka/admin.php",
+ "threat.indicator.url.path": "/papka/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
+ "anomali.limo.id": "indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0",
+ "anomali.limo.labels": [
  "malicious-activity",
- "threatstream-confidence-84",
+ "threatstream-confidence-87",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:58:20.448Z",
- "threatintel.anomali.name": "mal_url: http://topik07.mcdir.ru/papka/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:33.189Z",
+ "anomali.limo.name": "mal_url: http://insuncos.com/files2/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://topik07.mcdir.ru/papka/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:20.448Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:20.448Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "topik07.mcdir.ru",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://topik07.mcdir.ru/papka/admin.php",
- "threatintel.indicator.url.original": "http://topik07.mcdir.ru/papka/admin.php",
- "threatintel.indicator.url.path": "/papka/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files2/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:33.189Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
@@ -3781,32 +3980,34 @@
  "threatstream-confidence-87",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:33.189Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "insuncos.com",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://insuncos.com/files2/panel/admin.php",
+ "threat.indicator.url.original": "http://insuncos.com/files2/panel/admin.php",
+ "threat.indicator.url.path": "/files2/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime",
+ "anomali.limo.id": "indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7",
+ "anomali.limo.labels": [
  "malicious-activity",
- "threatstream-confidence-87",
+ "threatstream-confidence-47",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:58:33.189Z",
- "threatintel.anomali.name": "mal_url: http://insuncos.com/files2/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:49.056Z",
+ "anomali.limo.name": "mal_url: http://185.234.218.68/kaspersky/",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files2/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:33.189Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:33.189Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "insuncos.com",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://insuncos.com/files2/panel/admin.php",
- "threatintel.indicator.url.original": "http://insuncos.com/files2/panel/admin.php",
- "threatintel.indicator.url.path": "/files2/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://185.234.218.68/kaspersky/']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:49.056Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
@@ -3823,31 +4024,33 @@
  "threatstream-confidence-47",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:49.056Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "185.234.218.68",
+ "threat.indicator.url.full": "http://185.234.218.68/kaspersky/",
+ "threat.indicator.url.original": "http://185.234.218.68/kaspersky/",
+ "threat.indicator.url.path": "/kaspersky/",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--f502199a-17a4-404b-a114-fb5eda28c32c",
+ "anomali.limo.labels": [
  "malicious-activity",
- "threatstream-confidence-47",
+ "threatstream-confidence-89",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:58:49.056Z",
- "threatintel.anomali.name": "mal_url: http://185.234.218.68/kaspersky/",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:58:59.472Z",
+ "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://185.234.218.68/kaspersky/']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:49.056Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:49.056Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "185.234.218.68",
- "threatintel.indicator.url.full": "http://185.234.218.68/kaspersky/",
- "threatintel.indicator.url.original": "http://185.234.218.68/kaspersky/",
- "threatintel.indicator.url.path": "/kaspersky/",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:58:59.472Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
@@ -3864,32 +4067,34 @@
  "threatstream-confidence-89",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--f502199a-17a4-404b-a114-fb5eda28c32c",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:58:59.472Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "officelog.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/mh/panel/admin.php",
+ "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/mh/panel/admin.php",
+ "threat.indicator.url.path": "/inc/js/jstree/mh/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--af7422eb-5d8e-4878-bdd1-395313434dae",
+ "anomali.limo.labels": [
  "malicious-activity",
  "threatstream-confidence-89",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:58:59.472Z",
- "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:59:27.070Z",
+ "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:58:59.472Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:58:59.472Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "officelog.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/mh/panel/admin.php",
- "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/mh/panel/admin.php",
- "threatintel.indicator.url.path": "/inc/js/jstree/mh/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:59:27.07Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
@@ -3906,32 +4111,34 @@
  "threatstream-confidence-89",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--af7422eb-5d8e-4878-bdd1-395313434dae",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:59:27.070Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "officelog.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/ch/panel/admin.php",
+ "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/ch/panel/admin.php",
+ "threat.indicator.url.path": "/inc/js/jstree/ch/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
+ "anomali.limo.id": "indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23",
+ "anomali.limo.labels": [
  "malicious-activity",
  "threatstream-confidence-89",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:59:27.070Z",
- "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:59:28.967Z",
+ "anomali.limo.name": "mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:59:27.07Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:59:27.070Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "officelog.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/ch/panel/admin.php",
- "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/ch/panel/admin.php",
- "threatintel.indicator.url.path": "/inc/js/jstree/ch/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:59:28.967Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
@@ -3948,32 +4155,34 @@
  "threatstream-confidence-89",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.description": "TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
- "threatintel.anomali.id": "indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23",
- "threatintel.anomali.labels": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali Limo",
+ "threat.indicator.first_seen": "2020-01-25T02:59:28.967Z",
+ "threat.indicator.provider": "CyberCrime",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "officelog.org",
+ "threat.indicator.url.extension": "php",
+ "threat.indicator.url.full": "http://officelog.org/inc/js/jstree/dar/panel/admin.php",
+ "threat.indicator.url.original": "http://officelog.org/inc/js/jstree/dar/panel/admin.php",
+ "threat.indicator.url.path": "/inc/js/jstree/dar/panel/admin.php",
+ "threat.indicator.url.scheme": "http"
+ },
+ {
+ "anomali.limo.description": "TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime",
+ "anomali.limo.id": "indicator--9d948509-dfb4-45b6-b8bc-780df88a213f",
+ "anomali.limo.labels": [
  "malicious-activity",
- "threatstream-confidence-89",
+ "threatstream-confidence-81",
  "threatstream-severity-medium"
  ],
- "threatintel.anomali.modified": "2020-01-25T02:59:28.967Z",
- "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php",
- "threatintel.anomali.object_marking_refs": [
+ "anomali.limo.modified": "2020-01-25T02:59:37.661Z",
+ "anomali.limo.name": "mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php",
+ "anomali.limo.object_marking_refs": [
  "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
- "threatintel.anomali.pattern": "[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']",
- "threatintel.anomali.type": "indicator",
- "threatintel.anomali.valid_from": "2020-01-25T02:59:28.967Z",
- "threatintel.indicator.first_seen": "2020-01-25T02:59:28.967Z",
- "threatintel.indicator.provider": "CyberCrime",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "officelog.org",
- "threatintel.indicator.url.extension": "php",
- "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/dar/panel/admin.php",
- "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/dar/panel/admin.php",
- "threatintel.indicator.url.path": "/inc/js/jstree/dar/panel/admin.php",
- "threatintel.indicator.url.scheme": "http"
- },
- {
+ "anomali.limo.pattern": "[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']",
+ "anomali.limo.type": "indicator",
+ "anomali.limo.valid_from": "2020-01-25T02:59:37.661Z",
  "event.category": "threat",
  "event.dataset": "threatintel.anomali",
  "event.kind": "enrichment",
@@ -3990,32 +4199,34 @@ "threatstream-confidence-81", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", - "threatintel.anomali.id": "indicator--9d948509-dfb4-45b6-b8bc-780df88a213f", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:37.661Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "oaa-my.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.original": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.path": "/cage/five/PvqDq929BSx_A_D_M1n_a.php", + "threat.indicator.url.scheme": "http" + }, + { + "anomali.limo.description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", + "anomali.limo.id": "indicator--9f613f8e-2040-4eee-8044-044023a8093e", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-81", + "threatstream-confidence-53", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:59:37.661Z", - "threatintel.anomali.name": "mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:37.692Z", + "anomali.limo.name": "mal_ip: 192.64.118.56", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:37.661Z", - "threatintel.indicator.first_seen": 
"2020-01-25T02:59:37.661Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "oaa-my.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.original": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.path": "/cage/five/PvqDq929BSx_A_D_M1n_a.php", - "threatintel.indicator.url.scheme": "http" - }, - { + "anomali.limo.pattern": "[ipv4-addr:value = '192.64.118.56']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:37.692Z", "event.category": "threat", "event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -4032,27 +4243,29 @@ "threatstream-confidence-53", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", - "threatintel.anomali.id": "indicator--9f613f8e-2040-4eee-8044-044023a8093e", - "threatintel.anomali.labels": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:37.692Z", + "threat.indicator.ip": "192.64.118.56", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "ipv4-addr" + }, + { + "anomali.limo.description": "TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", + "anomali.limo.id": "indicator--518c3959-6c26-413f-9a5f-c8f76d86185a", + "anomali.limo.labels": [ "malicious-activity", - "threatstream-confidence-53", + "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.modified": "2020-01-25T02:59:37.692Z", - "threatintel.anomali.name": "mal_ip: 192.64.118.56", - "threatintel.anomali.object_marking_refs": [ + "anomali.limo.modified": "2020-01-25T02:59:54.296Z", + "anomali.limo.name": "mal_url: http://insuncos.com/files3/panel/admin.php", + "anomali.limo.object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ], - "threatintel.anomali.pattern": "[ipv4-addr:value = '192.64.118.56']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:37.692Z", - "threatintel.indicator.first_seen": "2020-01-25T02:59:37.692Z", - "threatintel.indicator.ip": "192.64.118.56", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "ipv4-addr" - }, - { + "anomali.limo.pattern": "[url:value = 'http://insuncos.com/files3/panel/admin.php']", + "anomali.limo.type": "indicator", + "anomali.limo.valid_from": "2020-01-25T02:59:54.296Z", "event.category": "threat", 
"event.dataset": "threatintel.anomali", "event.kind": "enrichment", 
@@ -4069,29 +4282,16 @@ "threatstream-confidence-87", "threatstream-severity-medium" ], - "threatintel.anomali.description": "TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", - "threatintel.anomali.id": "indicator--518c3959-6c26-413f-9a5f-c8f76d86185a", - "threatintel.anomali.labels": [ - "malicious-activity", - "threatstream-confidence-87", - "threatstream-severity-medium" - ], - "threatintel.anomali.modified": "2020-01-25T02:59:54.296Z", - "threatintel.anomali.name": "mal_url: http://insuncos.com/files3/panel/admin.php", - "threatintel.anomali.object_marking_refs": [ - "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" - ], - "threatintel.anomali.pattern": "[url:value = 'http://insuncos.com/files3/panel/admin.php']", - "threatintel.anomali.type": "indicator", - "threatintel.anomali.valid_from": "2020-01-25T02:59:54.296Z", - "threatintel.indicator.first_seen": "2020-01-25T02:59:54.296Z", - "threatintel.indicator.provider": "CyberCrime", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "insuncos.com", - "threatintel.indicator.url.extension": "php", - "threatintel.indicator.url.full": "http://insuncos.com/files3/panel/admin.php", - "threatintel.indicator.url.original": "http://insuncos.com/files3/panel/admin.php", - "threatintel.indicator.url.path": "/files3/panel/admin.php", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali Limo", + "threat.indicator.first_seen": "2020-01-25T02:59:54.296Z", + "threat.indicator.provider": "CyberCrime", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "insuncos.com", + "threat.indicator.url.extension": "php", + "threat.indicator.url.full": "http://insuncos.com/files3/panel/admin.php", + "threat.indicator.url.original": "http://insuncos.com/files3/panel/admin.php", + "threat.indicator.url.path": "/files3/panel/admin.php", + 
"threat.indicator.url.scheme": "http"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml
index de0ededab33..41fae21921c 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/_meta/fields.yml
@@ -1,4 +1,4 @@
-- name: anomalithreatstream
+- name: anomali.threatstream
 type: group
 description: >
 Fields for Anomali ThreatStream
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml
index f6cfe024305..4d814c03fe5 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml
@@ -1,7 +1,6 @@
 {{ if eq .input "http_endpoint" }}
 type: http_endpoint
-enabled: true
 listen_address: {{ .listen_address }}
 listen_port: {{ .listen_port }}
@@ -16,12 +15,12 @@ hmac:
 prefix: sha256=
 {{ end }}
-{{ if .ssl_certificate }}
-ssl:
- enabled: true
- certificate: {{ .ssl_certificate }}
- key: {{ .ssl_key }}
- verification_mode: none
+{{ if .ssl }}
+ssl: {{ .ssl | tojson }}
+{{ end }}
+
+{{ if .preserve_original_event }}
+preserve_original_event: true
 {{ end }}
 {{ else if eq .input "file" }}
@@ -35,24 +34,12 @@ exclude_files: [".gz$"]
 json.add_error_key: true
 {{ end }}
-tags: {{.tags | tojson}}
-
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
- - fingerprint:
- fields:
- - event.dataset
- - json.id
- target_field: '@metadata._id'
- encoding: base64
- - script:
- lang: javascript
- id: my_filter
- source: >
- function process(event) {
- event.Put("@metadata.op_type", "index");
- }
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
index 22644d79518..50b5c6c7bb2 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
@@ -1,19 +1,21 @@
+---
 description: Pipeline for parsing Anomali ThreatStream
 processors:
- #
- # Safeguard against feeding the pipeline with documents other
- # that the ones generated by Filebeat's http_endpoint input.
- #
- - fail:
- if: "ctx.json == null || !(ctx.json instanceof Map)"
- message: "missing json object in input document"
-
 #
 # Set basic ECS fields.
 #
 - set:
 field: event.ingested
 value: "{{{ _ingest.timestamp }}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
+ - fingerprint:
+ fields:
+ - event.dataset
+ - json.id
+ target_field: "_id"
+ ignore_missing: true
 - set:
 field: event.kind
 value: enrichment
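Review bot: The new `fingerprint` processor sets `ignore_missing: true`, so a document that arrives without `json.id` still receives an `_id`, computed from `event.dataset` alone, and every such document then shares that single `_id` and replaces the previous one; guarding it with `if: ctx.json?.id != null` (or dropping `ignore_missing`) keeps id-less documents from colliding. This case is reachable rather than theoretical because the same hunk removes the `fail` processor that used to reject documents without a `json` object. The `@metadata.op_type: index` script removed from config.yml in the preceding hunk was what made a repeated id an update; with the id now assigned inside the pipeline it is worth confirming that the output's op type still updates rather than rejects a re-delivered indicator. Also `ecs.version` goes from `1.12.0` to `1.12`; if anything compares the full version string, keep the three-component form.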
@@ -24,14 +26,21 @@ processors:
 field: event.type
 value: indicator
+ - set:
+ field: threat.feed.name
+ value: "[Filebeat] Anomali ThreatStream"
+ - set:
+ field: threat.feed.dashboard_id
+ value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
+
 #
- # Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
+ # Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type).
 #
 - script:
 lang: painless
 if: "ctx.json.itype != null"
 description: >
- Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type).
+ Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type).
 params:
 actor_ip: ipv4-addr
 adware_domain: domain-name
@@ -125,26 +134,26 @@ processors:
 - rename:
 field: threatintel_indicator_type
- target_field: threatintel.indicator.type
+ target_field: threat.indicator.type
 ignore_missing: true
 #
 # Detect ipv6 for ipv4-addr types.
 #
 - set:
- field: threatintel.indicator.type
+ field: threat.indicator.type
 value: ipv6-addr
- if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.srcip != null && ctx.json.srcip.contains(":")'
+ if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json?.srcip != null && ctx.json.srcip.contains(":")'
 #
 # Map first and last seen dates.
 #
 - date:
 field: json.date_first
- target_field: threatintel.indicator.first_seen
+ target_field: threat.indicator.first_seen
 formats:
 - ISO8601
- if: "ctx.json.date_first != null"
+ if: "ctx.json?.date_first != null"
 on_failure:
 - append:
 field: error.message
@@ -152,10 +161,10 @@ processors:
 - date:
 field: json.date_last
- target_field: threatintel.indicator.last_seen
+ target_field: threat.indicator.last_seen
 formats:
 - ISO8601
- if: "ctx.json.date_last != null"
+ if: "ctx.json?.date_last != null"
 on_failure:
 - append:
 field: error.message
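Review bot: `if: "ctx.json.itype != null"` on the itype-mapping script is the one condition in these hunks left without the null-safe form the rest of the change adopts (`ctx.json?.srcip`, `ctx.json?.date_first`, `ctx.json?.date_last`); now that the `fail` guard for documents lacking a `json` object is gone, such a document throws a NullPointerException here instead of failing with a clear message. Change it to `if: "ctx.json?.itype != null"`. The script's body continues past the hunk, so I cannot see whether it does its own null handling further down.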
@@ -166,18 +175,18 @@ processors:
 #
 - convert:
 field: json.lat
- target_field: threatintel.indicator.geo.location.lat
+ target_field: threat.indicator.geo.location.lat
 type: double
- if: "ctx.json.lat != null && ctx.json.lon != null"
+ if: "ctx.json?.lat != null && ctx.json?.lon != null"
 on_failure:
 - append:
 field: error.message
 value: 'Cannot convert lat field "{{{ json.lat }}}" to double: {{{ _ingest.on_failure_message }}}'
 - convert:
 field: json.lon
- target_field: threatintel.indicator.geo.location.lon
+ target_field: threat.indicator.geo.location.lon
 type: double
- if: "ctx.json.lat != null && ctx.json.lon != null"
+ if: "ctx.json?.lat != null && ctx.json?.lon != null"
 on_failure:
 - append:
 field: error.message
@@ -190,25 +199,40 @@ processors:
 # private => Amber ("Limited disclosure, restricted to participants’ organizations.").
 #
 - append:
- field: threatintel.indicator.marking.tlp
+ field: threat.indicator.marking.tlp
 value: Amber
- if: 'ctx.json.classification == "private"'
+ if: 'ctx.json?.classification == "private"'
 - append:
- field: threatintel.indicator.marking.tlp
+ field: threat.indicator.marking.tlp
 value: White
- if: 'ctx.json.classification == "public"'
+ if: 'ctx.json?.classification == "public"'
 #
 # Convert confidence field (-1..100) to ECS confidence (0..10).
 #
 - script:
 lang: painless
+ if: ctx.json?.confidence != null
 description: >
 Normalize confidence level.
 source: >
 def value = ctx.json.confidence;
- if (value == null || value < 0.0 || value > 100.0) return;
- ctx["threatintel_indicator_confidence"] = (long)Math.round((double)value / 10.0);
+ if (value <= 0.0 || value > 100.0) {
+ ctx["threatintel_indicator_confidence"] = "None";
+ return;
+ }
+ if (value >= 1.0 && value <= 29.0) {
+ ctx["threatintel_indicator_confidence"] = "Low";
+ return;
+ }
+ if (value >= 30.0 && value <= 69.0) {
+ ctx["threatintel_indicator_confidence"] = "Med";
+ return;
+ }
+ if (value >= 70 && value <= 100) {
+ ctx["threatintel_indicator_confidence"] = "High";
+ return;
+ }
 on_failure:
 - append:
 field: error.message
@@ -216,7 +240,7 @@ processors:
 - rename:
 field: threatintel_indicator_confidence
- target_field: threatintel.indicator.confidence
+ target_field: threat.indicator.confidence
 ignore_missing: true
 #
@@ -224,7 +248,7 @@ processors:
 #
 - convert:
 field: json.asn
- target_field: threatintel.indicator.as.number
+ target_field: threat.indicator.as.number
 type: long
 ignore_missing: true
 on_failure:
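Review bot: The new confidence bands leave gaps: a value strictly between 29 and 30 or between 69 and 70 matches none of the four branches, so `threatintel_indicator_confidence` is silently never set, and the bounds mix float and integer literals (`29.0`/`69.0` vs `70`/`100`). Replacing the four independent `if` blocks with threshold comparisons (below) closes the gaps and needs no `return` statements. The unchanged comment above the script, `# Convert confidence field (-1..100) to ECS confidence (0..10).`, now describes the old numeric scale and should read something like `# Map confidence (-1..100) onto the STIX None/Low/Med/High scale.`. Two semantic points worth a deliberate decision rather than an accident: -1, which that comment treats as a distinct sentinel, now lands in "None" together with 0 whereas the old script left the field unset, and if memory serves ECS lists `Medium` rather than `Med` among the expected values for `threat.indicator.confidence`, so the test expectations would change too if that is adopted — check against the ECS field definition.
```yaml
    source: >
      def value = ctx.json.confidence;
      if (value <= 0.0 || value > 100.0) {
        ctx["threatintel_indicator_confidence"] = "None";
      } else if (value < 30.0) {
        ctx["threatintel_indicator_confidence"] = "Low";
      } else if (value < 70.0) {
        ctx["threatintel_indicator_confidence"] = "Med";
      } else {
        ctx["threatintel_indicator_confidence"] = "High";
      }
    # … unchanged: on_failure handler …
```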
@@ -234,41 +258,41 @@ processors:
 - rename:
 field: json.org
- target_field: threatintel.indicator.as.organization.name
+ target_field: threat.indicator.as.organization.name
 ignore_missing: true
 - rename:
 field: json.email
- target_field: threatintel.indicator.email.address
+ target_field: threat.indicator.email.address
 ignore_missing: true
 - rename:
 field: json.srcip
- target_field: threatintel.indicator.ip
+ target_field: threat.indicator.ip
 ignore_missing: true
 - uri_parts:
 field: json.url
- target_field: threatintel.indicator.url
+ target_field: threat.indicator.url
 keep_original: true
 remove_if_successful: true
- if: "ctx.json.url != null"
+ if: "ctx.json?.url != null"
 on_failure:
 - append:
 field: error.message
 value: "Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}"
 - set:
- field: threatintel.indicator.url.full
- value: "{{{threatintel.indicator.url.original}}}"
+ field: threat.indicator.url.full
+ value: "{{{threat.indicator.url.original}}}"
 ignore_empty_value: true
 - rename:
 field: json.domain
- target_field: threatintel.indicator.url.domain
+ target_field: threat.indicator.url.domain
 ignore_missing: true
- if: ctx.threatintel?.indicator?.url?.domain == null
+ if: ctx.threat?.indicator?.url?.domain == null
 - rename:
 field: json.country
- target_field: threatintel.indicator.geo.country_iso_code
+ target_field: threat.indicator.geo.country_iso_code
 ignore_missing: true
 #
@@ -277,27 +301,27 @@ processors:
 #
 - rename:
 field: json.md5
- target_field: threatintel.indicator.file.hash.md5
- if: "ctx.json.md5 != null && ctx.json.md5.length() == 32"
+ target_field: threat.indicator.file.hash.md5
+ if: "ctx.json?.md5 != null && ctx.json.md5.length() == 32"
 - rename:
 field: json.md5
- target_field: threatintel.indicator.file.hash.sha1
- if: "ctx.json.md5 != null && ctx.json.md5.length() == 40"
+ target_field: threat.indicator.file.hash.sha1
+ if: "ctx.json?.md5 != null && ctx.json.md5.length() == 40"
 - rename:
 field: json.md5
- target_field: threatintel.indicator.file.hash.sha256
- if: "ctx.json.md5 != null && ctx.json.md5.length() == 64"
+ target_field: threat.indicator.file.hash.sha256
+ if: "ctx.json?.md5 != null && ctx.json.md5.length() == 64"
 - rename:
 field: json.md5
- target_field: threatintel.indicator.file.hash.sha512
- if: "ctx.json.md5 != null && ctx.json.md5.length() == 128"
+ target_field: threat.indicator.file.hash.sha512
+ if: "ctx.json?.md5 != null && ctx.json.md5.length() == 128"
 - rename:
 field: json.source
- target_field: threatintel.indicator.provider
+ target_field: threat.indicator.provider
 ignore_missing: true
 #
@@ -310,22 +334,22 @@ processors:
 - set:
 field: event.severity
 value: 3
- if: 'ctx.json.severity == "low"'
+ if: 'ctx.json?.severity == "low"'
 - set:
 field: event.severity
 value: 5
- if: 'ctx.json.severity == "medium"'
+ if: 'ctx.json?.severity == "medium"'
 - set:
 field: event.severity
 value: 7
- if: 'ctx.json.severity == "high"'
+ if: 'ctx.json?.severity == "high"'
 - set:
 field: event.severity
 value: 9
- if: 'ctx.json.severity == "very-high"'
+ if: 'ctx.json?.severity == "very-high"'
 #
 # Field trusted_circles_ids is a comma-separated string
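Review bot: When `json.md5` is present but its length is none of 32/40/64/128, all four `rename` processors are skipped and the hash survives only under the raw `anomali.threatstream.md5` key with nothing recorded in `error.message`; the updated test fixture shows exactly this, where `"anomali.threatstream.md5": "6466e2"` yields `threat.indicator.type: file` with no `threat.indicator.file.hash.*` field. A final `append` to `error.message`, conditioned on `json.md5` being non-null and its length not being one of those four, would make the unmapped value visible to whoever is looking at the indicator. A one-line comment above the first rename saying the field holds any hash type and is classified by length would also save the next reader from assuming it is always MD5.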
@@ -335,24 +359,16 @@ processors:
 #
 - script:
 lang: painless
- if: "ctx.json.trusted_circle_ids != null && ctx.json.trusted_circle_ids instanceof String"
+ if: "ctx.json?.trusted_circle_ids != null && ctx.json?.trusted_circle_ids instanceof String"
 description: >
 Convert trusted_circles_ids from CSV to an array.
 source: >
- def lst =
- Stream.of(ctx.json.trusted_circle_ids.splitOnToken(","))
- .filter(s -> !s.isEmpty())
- .toArray(String[]::new);
- if (lst.length > 0) {
+ def lst = Stream.of(ctx.json.trusted_circle_ids.splitOnToken(',')).filter(s -> !s.isEmpty()).collect(Collectors.toList());
+ if (lst.size() > 0) {
 ctx.json.trusted_circle_ids = lst;
 } else {
 ctx.json.remove('trusted_circle_ids');
 }
- on_failure:
- - append:
- field: error.message
- value: 'unable to split trusted_circle_ids "{{{ json.trusted_circle_ids }}}": {{{ _ingest.on_failure_message }}}'
-
 #
 # Split detail field and append each component to ECS tags field.
 #
@@ -372,10 +388,33 @@ processors:
 append:
 field: tags
 value: "{{{ _ingest._value }}}"
-
+ #
+ # Convert certain fields to the correct value
+ #
+ - convert:
+ field: json.id
+ type: string
+ if: "ctx.json?.id != null"
+ - convert:
+ field: json.source_feed_id
+ type: string
+ if: "ctx.json?.source_feed_id != null"
+ - convert:
+ field: json.update_id
+ type: string
+ if: "ctx.json?.update_id != null"
+ - convert:
+ field: json.import_session_id
+ type: string
+ if: "ctx.json?.import_session_id != null"
 #
 # Remove fields converted to an ECS field.
 #
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
 - remove:
 field:
 - json.asn
@@ -391,7 +430,7 @@ processors:
 #
 - rename:
 field: json
- target_field: threatintel.anomalithreatstream
+ target_field: anomali.threatstream
 on_failure:
 - append:
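Review bot: The header `# Convert certain fields to the correct value` above the four new `convert` processors in the second hunk does not say which value is correct or why; something like `# Cast numeric identifiers (id, source_feed_id, update_id, import_session_id) to strings so large values are not mangled by JSON consumers that use doubles` records the intent, which the updated expected.json (ids now quoted) otherwise only implies. In the first hunk the script-specific `on_failure` with the `unable to split trusted_circle_ids` message is dropped, so a failure there now goes to whatever handler the pipeline has at its end; if that is deliberate, a short comment saying so would stop the next reader from adding it back.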
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml
index de6faeea227..011e2bb553e 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/manifest.yml
@@ -8,13 +8,15 @@ var:
 - name: listen_port
 default: 8080
 - name: secret
- - name: ssl_certificate
- - name: ssl_key
+ - name: ssl
 - name: paths
 default: /path/to/testing.log
 - name: tags
 default:
 - threatintel-anomalithreatstream
+ - forwarded
+ - name: preserve_original_event
+ default: false
 ingest_pipeline:
 - ingest/pipeline.yml
 input: config/config.yml
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
index 21c627dde57..b101076a9e1 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
@@ -1,5 +1,20 @@
 [
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 20,
+ "anomali.threatstream.detail2": "imported by user 184",
+ "anomali.threatstream.id": "3135167627",
+ "anomali.threatstream.import_session_id": "1400",
+ "anomali.threatstream.itype": "mal_domain",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46279656657/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "3143",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "122"
+ ],
+ "anomali.threatstream.update_id": "3786618776",
+ "anomali.threatstream.value_type": "domain",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
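Review bot: Replacing `ssl_certificate`/`ssl_key` with a single `ssl` variable is a breaking change for existing module configurations: a config that still sets the two old variables no longer produces an `ssl:` block in config.yml (which now emits one only under `{{ if .ssl }}`), so the http_endpoint listener silently comes up without TLS. The direction is sound, since the old template hard-coded `verification_mode: none`, but the new variable needs documenting with the expected map shape and the removal of the old two called out as breaking; the diffstat lists a changelog entry and module docs that I cannot see from here. The new `preserve_original_event` variable and the `forwarded` tag added to the defaults (which switches on `publisher_pipeline.disable_host` in config.yml) are behaviour changes that belong in the same docs.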
@@ -11,39 +26,44 @@ "log.offset": 0, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 20, - "threatintel.anomalithreatstream.detail2": "imported by user 184", - "threatintel.anomalithreatstream.id": 3135167627, - "threatintel.anomalithreatstream.import_session_id": 1400, - "threatintel.anomalithreatstream.itype": "mal_domain", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46279656657/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3143, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "122" - ], - "threatintel.anomalithreatstream.update_id": 3786618776, - "threatintel.anomalithreatstream.value_type": "domain", - "threatintel.indicator.as.organization.name": "OVH Hosting", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-08T12:21:50.000Z", - "threatintel.indicator.geo.country_iso_code": "FR", - "threatintel.indicator.geo.location.lat": -49.1, - "threatintel.indicator.geo.location.lon": 94.4, - "threatintel.indicator.ip": "203.0.113.35", - "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.organization.name": "OVH Hosting", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-08T12:21:50.000Z", + "threat.indicator.geo.country_iso_code": "FR", + "threat.indicator.geo.location.lat": -49.1, + "threat.indicator.geo.location.lon": 94.4, + "threat.indicator.ip": "203.0.113.35", + "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z", + "threat.indicator.marking.tlp": [ "White" ], - 
"threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "d4xgfj.example.net" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "d4xgfj.example.net" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 51, + "anomali.threatstream.detail2": "imported by user 979", + "anomali.threatstream.id": "2465691587", + "anomali.threatstream.import_session_id": "1934", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P26893014825/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "639", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "355", + "386", + "461" + ], + "anomali.threatstream.update_id": "3311633654", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -55,40 +75,42 @@ "log.offset": 575, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 51, - "threatintel.anomalithreatstream.detail2": "imported by user 979", - "threatintel.anomalithreatstream.id": 2465691587, - "threatintel.anomalithreatstream.import_session_id": 1934, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P26893014825/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 639, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "355", - "386", - "461" - ], - "threatintel.anomalithreatstream.update_id": 3311633654, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.organization.name": "IP Khnykin Vitaliy Yakovlevich", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-08T12:21:59.000Z", - "threatintel.indicator.geo.country_iso_code": "RU", - "threatintel.indicator.geo.location.lat": -51.2, - "threatintel.indicator.geo.location.lon": -64.7, - "threatintel.indicator.ip": "2001:db8:fc77:2510:5ab8:7bc8:65a3:4894", - "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.organization.name": "IP Khnykin Vitaliy Yakovlevich", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-08T12:21:59.000Z", + "threat.indicator.geo.country_iso_code": "RU", + "threat.indicator.geo.location.lat": -51.2, + "threat.indicator.geo.location.lon": -64.7, + "threat.indicator.ip": "2001:db8:fc77:2510:5ab8:7bc8:65a3:4894", + 
"threat.indicator.last_seen": "2020-10-08T12:24:42.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv6-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv6-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 24, + "anomali.threatstream.detail2": "imported by user 830", + "anomali.threatstream.id": "1886961414", + "anomali.threatstream.import_session_id": "3569", + "anomali.threatstream.itype": "mal_ip", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16938191113/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2564", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "740", + "954" + ], + "anomali.threatstream.update_id": "1860329541", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -100,40 +122,45 @@ "log.offset": 1163, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 24, - "threatintel.anomalithreatstream.detail2": "imported by user 830", - "threatintel.anomalithreatstream.id": 1886961414, - "threatintel.anomalithreatstream.import_session_id": 3569, - "threatintel.anomalithreatstream.itype": "mal_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16938191113/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2564, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "740", - "954" - ], - "threatintel.anomalithreatstream.update_id": 1860329541, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.as.number": 22773, - "threatintel.indicator.as.organization.name": "Cox Communications", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-08T12:22:11.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.geo.location.lat": 38.4, - "threatintel.indicator.geo.location.lon": 0.0, - "threatintel.indicator.ip": "192.0.2.8", - "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.as.number": 22773, + "threat.indicator.as.organization.name": "Cox Communications", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-08T12:22:11.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.geo.location.lat": 38.4, + "threat.indicator.geo.location.lon": 0.0, + "threat.indicator.ip": "192.0.2.8", + "threat.indicator.last_seen": 
"2020-10-08T12:24:42.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 56, + "anomali.threatstream.detail2": "imported by user 723", + "anomali.threatstream.id": "1785659799", + "anomali.threatstream.import_session_id": "244", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.md5": "6466e2", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P44706407813/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "3759", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "439", + "801", + "942" + ], + "anomali.threatstream.update_id": "3898969521", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -145,36 +172,38 @@
 "log.offset": 1720,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 56,
- "threatintel.anomalithreatstream.detail2": "imported by user 723",
- "threatintel.anomalithreatstream.id": 1785659799,
- "threatintel.anomalithreatstream.import_session_id": 244,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.md5": "6466e2",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P44706407813/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 3759,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "439",
- "801",
- "942"
- ],
- "threatintel.anomalithreatstream.update_id": 3898969521,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-08T12:22:16.000Z",
- "threatintel.indicator.last_seen": "2020-10-08T12:24:42.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-08T12:22:16.000Z",
+ "threat.indicator.last_seen": "2020-10-08T12:24:42.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 61,
+ "anomali.threatstream.detail2": "imported by user 16",
+ "anomali.threatstream.id": "2788278724",
+ "anomali.threatstream.import_session_id": "3146",
+ 
"anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39996084337/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1834",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "310",
+ "553",
+ "709"
+ ],
+ "anomali.threatstream.update_id": "1925356831",
+ "anomali.threatstream.value_type": "ip",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
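Review bot: The new-side value `"threat.indicator.confidence": "Med"` in this hunk does not match the value set ECS documents for this field (Not Specified, None, Low, Medium, High), while the "Low" and "High" values elsewhere in the file do line up, so "Med" looks like an abbreviation in the pipeline's confidence mapping rather than a deliberate vendor-specific scale. If the ECS enumeration is the target, the expected value here should be `"Medium"`, and the same correction applies to the hunks at -186, -232, -328, -417, -507 and -639, which carry the same value. Because this file is generated expected output, the fix belongs in the ingest pipeline's mapping (not visible here), after which the fixture would be regenerated. Dashboards or detection rules that filter on threat.indicator.confidence by the ECS vocabulary could otherwise miss these events.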
@@ -186,41 +215,43 @@
 "log.offset": 2195,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 61,
- "threatintel.anomalithreatstream.detail2": "imported by user 16",
- "threatintel.anomalithreatstream.id": 2788278724,
- "threatintel.anomalithreatstream.import_session_id": 3146,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39996084337/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1834,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "310",
- "553",
- "709"
- ],
- "threatintel.anomalithreatstream.update_id": 1925356831,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.as.number": 20001,
- "threatintel.indicator.as.organization.name": "Spectrum",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-08T12:28:50.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.geo.location.lat": -64.8,
- "threatintel.indicator.geo.location.lon": -129.3,
- "threatintel.indicator.ip": "192.0.2.235",
- "threatintel.indicator.last_seen": "2020-10-09T18:49:37.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.as.number": 20001,
+ "threat.indicator.as.organization.name": "Spectrum",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-08T12:28:50.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.geo.location.lat": -64.8,
+ "threat.indicator.geo.location.lon": -129.3,
+ "threat.indicator.ip": "192.0.2.235",
+ "threat.indicator.last_seen": 
"2020-10-09T18:49:37.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 31,
+ "anomali.threatstream.detail2": "imported by user 659",
+ "anomali.threatstream.id": "2979716207",
+ "anomali.threatstream.import_session_id": "2369",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P24601068254/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "2122",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "297",
+ "811"
+ ],
+ "anomali.threatstream.update_id": "1327494837",
+ "anomali.threatstream.value_type": "ip",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -232,40 +263,44 @@
 "log.offset": 2757,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 31,
- "threatintel.anomalithreatstream.detail2": "imported by user 659",
- "threatintel.anomalithreatstream.id": 2979716207,
- "threatintel.anomalithreatstream.import_session_id": 2369,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24601068254/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 2122,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "297",
- "811"
- ],
- "threatintel.anomalithreatstream.update_id": 1327494837,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.as.number": 11351,
- "threatintel.indicator.as.organization.name": "Spectrum",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-08T12:29:01.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.geo.location.lat": 72.1,
- "threatintel.indicator.geo.location.lon": -52.2,
- "threatintel.indicator.ip": "2001:db8:df14:f43b:a986:5e2a:8ce9:4523",
- "threatintel.indicator.last_seen": "2020-10-09T18:49:37.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.as.number": 11351,
+ "threat.indicator.as.organization.name": "Spectrum",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-08T12:29:01.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.geo.location.lat": 72.1,
+ "threat.indicator.geo.location.lon": -52.2,
+ "threat.indicator.ip": 
"2001:db8:df14:f43b:a986:5e2a:8ce9:4523",
+ "threat.indicator.last_seen": "2020-10-09T18:49:37.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv6-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv6-addr"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 72,
+ "anomali.threatstream.detail2": "imported by user 50",
+ "anomali.threatstream.id": "3763825895",
+ "anomali.threatstream.itype": "c2_domain",
+ "anomali.threatstream.maltype": "malware:r47agu9",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P49850231022/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "967",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "238",
+ "259",
+ "537"
+ ],
+ "anomali.threatstream.update_id": "1356750652",
+ "anomali.threatstream.value_type": "domain",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -281,6 +316,7 @@
 "Botnet-1QZ2U",
 "Botnet-VXPC5QK8T",
 "first_seen=2020-07-24T07:36:41",
+ "forwarded",
 "mask=2001:db8:867f:42a1:d692:b396:4f14:548c",
 "popularity=high",
 "popularity=high",
@@ -288,35 +324,37 @@
 "threatintel-anomalithreatstream",
 "type=2"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 72,
- "threatintel.anomalithreatstream.detail2": "imported by user 50",
- "threatintel.anomalithreatstream.id": 3763825895,
- "threatintel.anomalithreatstream.itype": "c2_domain",
- "threatintel.anomalithreatstream.maltype": "malware:r47agu9",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P49850231022/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 967,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "238",
- "259",
- "537"
- ],
- "threatintel.anomalithreatstream.update_id": 1356750652,
- "threatintel.anomalithreatstream.value_type": "domain",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:14:43.000Z",
- "threatintel.indicator.ip": "203.0.113.130",
- "threatintel.indicator.last_seen": "2020-10-09T18:14:43.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:14:43.000Z",
+ "threat.indicator.ip": "203.0.113.130",
+ "threat.indicator.last_seen": "2020-10-09T18:14:43.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "ei1im6skd.example.com"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "ei1im6skd.example.com"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 60,
+ "anomali.threatstream.detail2": "imported by user 
167",
+ "anomali.threatstream.id": "3178646499",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.md5": "0f321db9",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35792781031/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1743",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "112",
+ "455",
+ "761"
+ ],
+ "anomali.threatstream.update_id": "1585930018",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -328,35 +366,37 @@
 "log.offset": 4049,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 60,
- "threatintel.anomalithreatstream.detail2": "imported by user 167",
- "threatintel.anomalithreatstream.id": 3178646499,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.md5": "0f321db9",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35792781031/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1743,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "112",
- "455",
- "761"
- ],
- "threatintel.anomalithreatstream.update_id": 1585930018,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:10.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:10.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:30:10.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:10.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 70,
+ "anomali.threatstream.detail2": "imported by user 654",
+ "anomali.threatstream.id": "2435568409",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:9rb9",
+ 
"anomali.threatstream.resource_uri": "/api/v1/intelligence/P41264495308/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "3940",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "633",
+ "641"
+ ],
+ "anomali.threatstream.update_id": "2070423140",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -368,43 +408,46 @@
 "log.offset": 4495,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "jn5jpvg",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 70,
- "threatintel.anomalithreatstream.detail2": "imported by user 654",
- "threatintel.anomalithreatstream.id": 2435568409,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:9rb9",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41264495308/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 3940,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "633",
- "641"
- ],
- "threatintel.anomalithreatstream.update_id": 2070423140,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:13.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.236",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:13.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:30:13.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.236",
+ "threat.indicator.last_seen": "2020-10-09T18:30:13.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ax1a6o38z.example.org",
- "threatintel.indicator.url.full": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p",
- "threatintel.indicator.url.original": 
"https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p",
- "threatintel.indicator.url.path": "/enec3i/f1n8fv",
- "threatintel.indicator.url.query": "4shpqq9=fbo9osx8p",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ax1a6o38z.example.org",
+ "threat.indicator.url.full": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p",
+ "threat.indicator.url.original": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p",
+ "threat.indicator.url.path": "/enec3i/f1n8fv",
+ "threat.indicator.url.query": "4shpqq9=fbo9osx8p",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 35,
+ "anomali.threatstream.detail2": "imported by user 81",
+ "anomali.threatstream.id": "1404936664",
+ "anomali.threatstream.itype": "mal_url",
+ "anomali.threatstream.maltype": "malware:4p1lc0bf",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P22799247040/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "2236",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "424",
+ "718"
+ ],
+ "anomali.threatstream.update_id": "2151391711",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -417,43 +460,46 @@
 "service.type": "threatintel",
 "tags": [
 "7zhsn5t7",
+ "forwarded",
 "threatintel-anomalithreatstream",
 "xl4"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 35,
- "threatintel.anomalithreatstream.detail2": "imported by user 81",
- "threatintel.anomalithreatstream.id": 1404936664,
- "threatintel.anomalithreatstream.itype": "mal_url",
- "threatintel.anomalithreatstream.maltype": "malware:4p1lc0bf",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P22799247040/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 2236,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "424",
- "718"
- ],
- "threatintel.anomalithreatstream.update_id": 2151391711,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:13.000Z",
- "threatintel.indicator.geo.country_iso_code": "CN",
- "threatintel.indicator.ip": "2001:db8:62cc:2fd2:f406:9c03:e2e8:617d",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:13.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:30:13.000Z",
+ "threat.indicator.geo.country_iso_code": "CN",
+ "threat.indicator.ip": "2001:db8:62cc:2fd2:f406:9c03:e2e8:617d",
+ "threat.indicator.last_seen": "2020-10-09T18:30:13.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "beko3.example.com",
- "threatintel.indicator.url.full": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge",
- 
"threatintel.indicator.url.original": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge",
- "threatintel.indicator.url.path": "/vkelnz/jdz6zf-ga",
- "threatintel.indicator.url.query": "g39fu=88309ge",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "beko3.example.com",
+ "threat.indicator.url.full": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge",
+ "threat.indicator.url.original": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge",
+ "threat.indicator.url.path": "/vkelnz/jdz6zf-ga",
+ "threat.indicator.url.query": "g39fu=88309ge",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 7,
+ "anomali.threatstream.detail2": "imported by user 993",
+ "anomali.threatstream.id": "1300368058",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:s7-t",
+ "anomali.threatstream.md5": "b91c",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43593676062/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1581",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "812"
+ ],
+ "anomali.threatstream.update_id": "1852221746",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -467,34 +513,39 @@
 "tags": [
 "aampq5",
 "d6-",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 7,
- "threatintel.anomalithreatstream.detail2": "imported by user 993",
- "threatintel.anomalithreatstream.id": 1300368058,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:s7-t",
- "threatintel.anomalithreatstream.md5": "b91c",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43593676062/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1581,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "812"
- ],
- "threatintel.anomalithreatstream.update_id": 1852221746,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:22.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:22.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:30:22.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:22.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 63,
+ "anomali.threatstream.detail2": "imported by user 963",
+ "anomali.threatstream.id": "1511736215",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:0vnvp84",
+ 
"anomali.threatstream.md5": "3c49c",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P47666251160/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1695",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "29",
+ "537",
+ "879"
+ ],
+ "anomali.threatstream.update_id": "3048270616",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -507,36 +558,37 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 63,
- "threatintel.anomalithreatstream.detail2": "imported by user 963",
- "threatintel.anomalithreatstream.id": 1511736215,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:0vnvp84",
- "threatintel.anomalithreatstream.md5": "3c49c",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47666251160/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1695,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "29",
- "537",
- "879"
- ],
- "threatintel.anomalithreatstream.update_id": 3048270616,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:23.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:23.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:30:23.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:23.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 95,
+ "anomali.threatstream.detail2": "imported by user 302",
+ "anomali.threatstream.id": "2213035853",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": 
"malware:25iv",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P11608678465/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "787",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "154",
+ "766"
+ ],
+ "anomali.threatstream.update_id": "2851232102",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -549,42 +601,46 @@
 "service.type": "threatintel",
 "tags": [
 "22nciqjs",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 95,
- "threatintel.anomalithreatstream.detail2": "imported by user 302",
- "threatintel.anomalithreatstream.id": 2213035853,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:25iv",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P11608678465/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 787,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "154",
- "766"
- ],
- "threatintel.anomalithreatstream.update_id": 2851232102,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 10,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:30.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.162",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:30.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:30:30.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.162",
+ "threat.indicator.last_seen": "2020-10-09T18:30:30.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "sevs82.example.com",
- "threatintel.indicator.url.full": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi",
- "threatintel.indicator.url.original": 
"http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi",
- "threatintel.indicator.url.path": "/c5-d/hdajog",
- "threatintel.indicator.url.query": "4rs78hl=wvwi",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "sevs82.example.com",
+ "threat.indicator.url.full": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi",
+ "threat.indicator.url.original": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi",
+ "threat.indicator.url.path": "/c5-d/hdajog",
+ "threat.indicator.url.query": "4rs78hl=wvwi",
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 18,
+ "anomali.threatstream.detail2": "imported by user 548",
+ "anomali.threatstream.id": "2594216423",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:i6z9qr",
+ "anomali.threatstream.md5": "e29608b",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P32471582403/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1475",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "539",
+ "6"
+ ],
+ "anomali.threatstream.update_id": "2328838402",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -597,36 +653,38 @@
 "service.type": "threatintel",
 "tags": [
 "26sg-3-",
+ "forwarded",
 "threatintel-anomalithreatstream",
 "vnx4nu7c"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 18,
- "threatintel.anomalithreatstream.detail2": "imported by user 548",
- "threatintel.anomalithreatstream.id": 2594216423,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:i6z9qr",
- "threatintel.anomalithreatstream.md5": "e29608b",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P32471582403/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1475,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "539",
- "6"
- ],
- "threatintel.anomalithreatstream.update_id": 2328838402,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:30:37.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:30:37.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:30:37.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:30:37.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 54,
+ "anomali.threatstream.detail2": "imported by user 438",
+ "anomali.threatstream.id": "1133111133",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": 
"malware:4rs9qpc1",
+ "anomali.threatstream.md5": "c38d2e6d",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20539380512/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "3600",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "762"
+ ],
+ "anomali.threatstream.update_id": "1784507596",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -639,34 +697,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 54, - "threatintel.anomalithreatstream.detail2": "imported by user 438", - "threatintel.anomalithreatstream.id": 1133111133, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:4rs9qpc1", - "threatintel.anomalithreatstream.md5": "c38d2e6d", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20539380512/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3600, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "762" - ], - "threatintel.anomalithreatstream.update_id": 1784507596, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:30:40.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:40.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:40.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:40.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 78, + "anomali.threatstream.detail2": "imported by user 690", + "anomali.threatstream.id": "2543010039", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:ghdl7nwwq", 
+ "anomali.threatstream.md5": "67808c", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16167095005/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "926", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "751" + ], + "anomali.threatstream.update_id": "2343991526", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
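Review bot: `"threat.indicator.confidence": "Med"` on the new side is not one of the values ECS documents for this field (Not Specified, None, Low, Medium, High); the neighbouring buckets "Low", "High" and "None" in the other hunks do match, so this one bucket alone will miss any consumer, rule or dashboard that filters on the ECS spelling. The expected line is `"threat.indicator.confidence": "Medium"`. The same value recurs in the hunks at `@@ -763`, `@@ -845` and `@@ -928`. This file is test output regenerated from the module's ingest pipeline, which is outside this hunk, so the fix presumably belongs in the pipeline's confidence mapping rather than in this fixture alone.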
@@ -679,35 +740,40 @@ "service.type": "threatintel", "tags": [ "8ahl", + "forwarded", "ica", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 78, - "threatintel.anomalithreatstream.detail2": "imported by user 690", - "threatintel.anomalithreatstream.id": 2543010039, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:ghdl7nwwq", - "threatintel.anomalithreatstream.md5": "67808c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16167095005/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 926, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "751" - ], - "threatintel.anomalithreatstream.update_id": 2343991526, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2020-10-09T18:30:45.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:45.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:30:45.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:45.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 0, + "anomali.threatstream.detail2": "imported by user 517", + "anomali.threatstream.id": "3233930917", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:m5pk44o", + "anomali.threatstream.md5": "efa99", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15758111412/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2010", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "390", + "519", + "909" + ], + "anomali.threatstream.update_id": "3008175946", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -719,38 +785,41 @@ "log.offset": 8774, "service.type": "threatintel", "tags": [ + "forwarded", "gyu-", "iop", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 0, - "threatintel.anomalithreatstream.detail2": "imported by user 517", - "threatintel.anomalithreatstream.id": 3233930917, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:m5pk44o", - "threatintel.anomalithreatstream.md5": "efa99", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15758111412/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2010, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "390", - "519", - "909" - ], - "threatintel.anomalithreatstream.update_id": 3008175946, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 0, - "threatintel.indicator.first_seen": "2020-10-09T18:30:54.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:54.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:30:54.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:54.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 34, + "anomali.threatstream.detail2": "imported by user 303", + "anomali.threatstream.id": "1777540600", + "anomali.threatstream.itype": "mal_md5", + 
"anomali.threatstream.maltype": "malware:-fesxy", + "anomali.threatstream.md5": "e8c1", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13990676648/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3201", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "109", + "621", + "718" + ], + "anomali.threatstream.update_id": "2404949482", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -763,36 +832,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 34, - "threatintel.anomalithreatstream.detail2": "imported by user 303", - "threatintel.anomalithreatstream.id": 1777540600, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:-fesxy", - "threatintel.anomalithreatstream.md5": "e8c1", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13990676648/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3201, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "109", - "621", - "718" - ], - "threatintel.anomalithreatstream.update_id": 2404949482, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:30:59.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:30:59.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:30:59.000Z", + "threat.indicator.last_seen": "2020-10-09T18:30:59.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 15, + "anomali.threatstream.detail2": "imported by user 219", + "anomali.threatstream.id": "2796250594", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:c1b7kt7", + "anomali.threatstream.md5": "be24", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13506696048/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3205", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "559" + ], + "anomali.threatstream.update_id": "3529199846", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -805,34 +875,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 15, - "threatintel.anomalithreatstream.detail2": "imported by user 219", - "threatintel.anomalithreatstream.id": 2796250594, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:c1b7kt7", - "threatintel.anomalithreatstream.md5": "be24", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13506696048/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3205, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "559" - ], - "threatintel.anomalithreatstream.update_id": 3529199846, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:31:10.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:10.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:10.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:10.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 56, + "anomali.threatstream.detail2": "imported by user 762", + "anomali.threatstream.id": "2310429917", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:slwl", + 
"anomali.threatstream.md5": "a2678fc", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35629727989/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "885", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "190", + "495", + "959" + ], + "anomali.threatstream.update_id": "3510871820", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -845,36 +920,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 56, - "threatintel.anomalithreatstream.detail2": "imported by user 762", - "threatintel.anomalithreatstream.id": 2310429917, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:slwl", - "threatintel.anomalithreatstream.md5": "a2678fc", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35629727989/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 885, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "190", - "495", - "959" - ], - "threatintel.anomalithreatstream.update_id": 3510871820, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:31:16.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:16.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:16.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:16.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 11, + "anomali.threatstream.detail2": "imported by user 616", + "anomali.threatstream.id": "2853859039", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:voc", + "anomali.threatstream.md5": "2ee715a9b", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39948074871/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "586", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "454", + "562" + ], + "anomali.threatstream.update_id": "3756244435", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -887,35 +964,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 11, - "threatintel.anomalithreatstream.detail2": "imported by user 616", - "threatintel.anomalithreatstream.id": 2853859039, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:voc", - "threatintel.anomalithreatstream.md5": "2ee715a9b", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39948074871/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 586, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "454", - "562" - ], - "threatintel.anomalithreatstream.update_id": 3756244435, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:31:22.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:22.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:22.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:22.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 51, + "anomali.threatstream.detail2": "imported by user 510", + "anomali.threatstream.id": "2328858169", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:yuq33pg5", + "anomali.threatstream.md5": "e1df8d", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30902643017/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "826", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "362", + "846" + ], + "anomali.threatstream.update_id": "1410682100", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -928,39 +1008,41 @@ "service.type": "threatintel", "tags": [ "etukwxhs", + "forwarded", "g0vc9", "gcgm1we6l", "mask=203.0.113.182", "threat=bm-uj8c12", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 51, - "threatintel.anomalithreatstream.detail2": "imported by user 510", - "threatintel.anomalithreatstream.id": 2328858169, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:yuq33pg5", - "threatintel.anomalithreatstream.md5": "e1df8d", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30902643017/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 826, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "362", - "846" - ], - "threatintel.anomalithreatstream.update_id": 1410682100, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:31:27.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:27.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:27.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:27.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 14", + "anomali.threatstream.id": "1145199430", + 
"anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:qc6c9qt", + "anomali.threatstream.md5": "9006d07f", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14842247088/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1793", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "305" + ], + "anomali.threatstream.update_id": "1592676961", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -973,33 +1055,36 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 14", - "threatintel.anomalithreatstream.id": 1145199430, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:qc6c9qt", - "threatintel.anomalithreatstream.md5": "9006d07f", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14842247088/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 1793, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "305" - ], - "threatintel.anomalithreatstream.update_id": 1592676961, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.first_seen": "2020-10-09T18:31:29.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:29.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:31:29.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:29.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 2, + "anomali.threatstream.detail2": "imported by user 600", + "anomali.threatstream.id": "1726466938", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:t52oo3", + "anomali.threatstream.resource_uri": 
"/api/v1/intelligence/P39735553093/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1965", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "553" + ], + "anomali.threatstream.update_id": "2718905308", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1011,42 +1096,46 @@ "log.offset": 12237, "service.type": "threatintel", "tags": [ + "forwarded", "g1wn0g", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 2, - "threatintel.anomalithreatstream.detail2": "imported by user 600", - "threatintel.anomalithreatstream.id": 1726466938, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:t52oo3", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39735553093/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1965, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "553" - ], - "threatintel.anomalithreatstream.update_id": 2718905308, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 0, - "threatintel.indicator.first_seen": "2020-10-09T18:31:34.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.229", - "threatintel.indicator.last_seen": "2020-10-09T18:31:34.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:34.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.229", + "threat.indicator.last_seen": "2020-10-09T18:31:34.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "faahk3drf.example.net", - "threatintel.indicator.url.full": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", - "threatintel.indicator.url.original": 
"http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", - "threatintel.indicator.url.path": "/julf98x5/0g1t8f", - "threatintel.indicator.url.query": "cbffxs2qv=vwgz", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "faahk3drf.example.net", + "threat.indicator.url.full": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", + "threat.indicator.url.original": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", + "threat.indicator.url.path": "/julf98x5/0g1t8f", + "threat.indicator.url.query": "cbffxs2qv=vwgz", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 71, + "anomali.threatstream.detail2": "imported by user 976", + "anomali.threatstream.id": "1457264389", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:nx1qwwprl", + "anomali.threatstream.md5": "f5d", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20794801988/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1437", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "866" + ], + "anomali.threatstream.update_id": "2310970191", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1059,35 +1148,40 @@ "service.type": "threatintel", "tags": [ "6rblg", + "forwarded", "pzs4xlqy", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 71, - "threatintel.anomalithreatstream.detail2": "imported by user 976", - "threatintel.anomalithreatstream.id": 1457264389, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:nx1qwwprl", - "threatintel.anomalithreatstream.md5": "f5d", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20794801988/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1437, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "866" - ], - "threatintel.anomalithreatstream.update_id": 2310970191, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:31:36.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:36.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:31:36.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:36.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 70, + "anomali.threatstream.detail2": "imported by user 761", + "anomali.threatstream.id": "3532094043", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:k1y", + "anomali.threatstream.md5": "cfd9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P48760414603/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2198", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "68", + "70", + "789" + ], + "anomali.threatstream.update_id": "1487534287", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1100,36 +1194,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 70, - "threatintel.anomalithreatstream.detail2": "imported by user 761", - "threatintel.anomalithreatstream.id": 3532094043, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:k1y", - "threatintel.anomalithreatstream.md5": "cfd9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P48760414603/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2198, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "68", - "70", - "789" - ], - "threatintel.anomalithreatstream.update_id": 1487534287, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:31:39.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:39.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:31:39.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:39.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 23, + "anomali.threatstream.detail2": "imported by user 680", + "anomali.threatstream.id": "1753194968", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:ixlyb", + "anomali.threatstream.md5": "93daa", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P36997562731/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "2101", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "15" + ], + "anomali.threatstream.update_id": "1772862647", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1142,35 +1237,38 @@ "service.type": "threatintel", "tags": [ "6rw", + "forwarded", "g80r1d4sj", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 23, - "threatintel.anomalithreatstream.detail2": "imported by user 680", - "threatintel.anomalithreatstream.id": 1753194968, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:ixlyb", - "threatintel.anomalithreatstream.md5": "93daa", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P36997562731/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 2101, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "15" - ], - "threatintel.anomalithreatstream.update_id": 1772862647, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:31:43.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:31:43.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:31:43.000Z", + "threat.indicator.last_seen": "2020-10-09T18:31:43.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 0, + "anomali.threatstream.detail2": "imported by user 820", + "anomali.threatstream.id": "3285278133", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": 
"malware:1u76t", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P45121980169/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1152", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "390", + "7" + ], + "anomali.threatstream.update_id": "2657969647", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1183,36 +1281,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 0, - "threatintel.anomalithreatstream.detail2": "imported by user 820", - "threatintel.anomalithreatstream.id": 3285278133, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:1u76t", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P45121980169/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1152, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "390", - "7" - ], - "threatintel.anomalithreatstream.update_id": 2657969647, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 0, - "threatintel.indicator.first_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.geo.country_iso_code": "DE", - "threatintel.indicator.ip": "192.0.2.219", - "threatintel.indicator.last_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.geo.country_iso_code": "DE", + "threat.indicator.ip": "192.0.2.219", + "threat.indicator.last_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 45, + "anomali.threatstream.detail2": "imported by user 
894", + "anomali.threatstream.id": "2098390184", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:hc-wh", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33231447204/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "3354", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "846" + ], + "anomali.threatstream.update_id": "2110937414", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1224,42 +1324,46 @@ "log.offset": 14812, "service.type": "threatintel", "tags": [ + "forwarded", "om0z7", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 45, - "threatintel.anomalithreatstream.detail2": "imported by user 894", - "threatintel.anomalithreatstream.id": 2098390184, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:hc-wh", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33231447204/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 3354, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "846" - ], - "threatintel.anomalithreatstream.update_id": 2110937414, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "192.0.2.208", - "threatintel.indicator.last_seen": "2020-10-09T18:31:49.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "192.0.2.208", + "threat.indicator.last_seen": "2020-10-09T18:31:49.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "p9okf0.example.org", - "threatintel.indicator.url.full": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", - "threatintel.indicator.url.original": 
"http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", - "threatintel.indicator.url.path": "/jyb3n8f/f55vfyt48", - "threatintel.indicator.url.query": "s2n=0t2d", - "threatintel.indicator.url.scheme": "http" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "p9okf0.example.org", + "threat.indicator.url.full": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", + "threat.indicator.url.original": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", + "threat.indicator.url.path": "/jyb3n8f/f55vfyt48", + "threat.indicator.url.query": "s2n=0t2d", + "threat.indicator.url.scheme": "http" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 34, + "anomali.threatstream.detail2": "imported by user 747", + "anomali.threatstream.id": "3367490507", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:0ua9", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34959401147/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "959", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "404", + "574" + ], + "anomali.threatstream.update_id": "2335801340", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
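Review bot: The new expected value `"threat.indicator.confidence": "Med"` (derived here from `anomali.threatstream.confidence: 45`) is not one of the values ECS documents for this field, which follows the STIX 2.1 scale Not Specified / None / Low / Medium / High; the same "Med" is expected in the hunks at -1272, -1403, -1445, -1486, -1569 and -1610. If the ingest pipeline that produces this fixture emits "Med", it should emit "Medium" and the fixture be regenerated, otherwise cross-feed queries and dashboards filtering on `threat.indicator.confidence` will silently miss Anomali ThreatStream indicators. Since this file is generated expected output, the correction belongs in the pipeline (outside this file), with this fixture updated afterwards.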
@@ -1272,42 +1376,47 @@ "service.type": "threatintel", "tags": [ "adeba89", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 34, - "threatintel.anomalithreatstream.detail2": "imported by user 747", - "threatintel.anomalithreatstream.id": 3367490507, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:0ua9", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34959401147/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 959, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "404", - "574" - ], - "threatintel.anomalithreatstream.update_id": 2335801340, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:31:58.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.105", - "threatintel.indicator.last_seen": "2020-10-09T18:31:58.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:31:58.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.105", + "threat.indicator.last_seen": "2020-10-09T18:31:58.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "fxkeo24m.example.com", - "threatintel.indicator.url.full": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", - "threatintel.indicator.url.original": 
"https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", - "threatintel.indicator.url.path": "/y75tg7sw/jnnu9xmc", - "threatintel.indicator.url.query": "apus=ob1hnba4", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "fxkeo24m.example.com", + "threat.indicator.url.full": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", + "threat.indicator.url.original": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", + "threat.indicator.url.path": "/y75tg7sw/jnnu9xmc", + "threat.indicator.url.query": "apus=ob1hnba4", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 14, + "anomali.threatstream.detail2": "imported by user 604", + "anomali.threatstream.id": "1998649659", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:s0anj", + "anomali.threatstream.md5": "b4dd5cf7", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P21831217400/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1405", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "422", + "749", + "852" + ], + "anomali.threatstream.update_id": "1339527388", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1320,36 +1429,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 14, - "threatintel.anomalithreatstream.detail2": "imported by user 604", - "threatintel.anomalithreatstream.id": 1998649659, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:s0anj", - "threatintel.anomalithreatstream.md5": "b4dd5cf7", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P21831217400/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1405, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "422", - "749", - "852" - ], - "threatintel.anomalithreatstream.update_id": 1339527388, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:32:02.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:02.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:32:02.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:02.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 85, + "anomali.threatstream.detail2": "imported by user 386", + "anomali.threatstream.id": "3005939184", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:hn5uajghq", + "anomali.threatstream.md5": "b890cdad", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P23229581043/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "652", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "120" + ], + "anomali.threatstream.update_id": "1316735853", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1362,35 +1472,40 @@ "service.type": "threatintel", "tags": [ "a-e8lz", + "forwarded", "nj3f", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 85, - "threatintel.anomalithreatstream.detail2": "imported by user 386", - "threatintel.anomalithreatstream.id": 3005939184, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:hn5uajghq", - "threatintel.anomalithreatstream.md5": "b890cdad", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P23229581043/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 652, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "120" - ], - "threatintel.anomalithreatstream.update_id": 1316735853, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:32:03.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:03.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:32:03.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:03.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 31, + "anomali.threatstream.detail2": "imported by user 706", + "anomali.threatstream.id": "1900495748", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:3taf", + "anomali.threatstream.md5": "817", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35660572297/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "506", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "718", + "828", + "98" + ], + "anomali.threatstream.update_id": "3243777736", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1403,36 +1518,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 31, - "threatintel.anomalithreatstream.detail2": "imported by user 706", - "threatintel.anomalithreatstream.id": 1900495748, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:3taf", - "threatintel.anomalithreatstream.md5": "817", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35660572297/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 506, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "718", - "828", - "98" - ], - "threatintel.anomalithreatstream.update_id": 3243777736, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:32:04.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:04.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:04.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:04.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 50, + "anomali.threatstream.detail2": "imported by user 222", + "anomali.threatstream.id": "1040883425", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:wsge", 
+ "anomali.threatstream.md5": "a06b", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33297645928/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "146", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "539", + "959" + ], + "anomali.threatstream.update_id": "1284922297", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1445,35 +1562,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 50, - "threatintel.anomalithreatstream.detail2": "imported by user 222", - "threatintel.anomalithreatstream.id": 1040883425, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:wsge", - "threatintel.anomalithreatstream.md5": "a06b", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33297645928/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 146, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "539", - "959" - ], - "threatintel.anomalithreatstream.update_id": 1284922297, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:32:08.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:08.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:08.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:08.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 50, + "anomali.threatstream.detail2": "imported by user 414", + "anomali.threatstream.id": "1703603090", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:yid8n1", 
+ "anomali.threatstream.md5": "ebd6108", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P25381157923/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "294", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "124", + "394", + "820" + ], + "anomali.threatstream.update_id": "1405107391", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1486,36 +1607,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 50, - "threatintel.anomalithreatstream.detail2": "imported by user 414", - "threatintel.anomalithreatstream.id": 1703603090, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:yid8n1", - "threatintel.anomalithreatstream.md5": "ebd6108", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25381157923/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 294, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "124", - "394", - "820" - ], - "threatintel.anomalithreatstream.update_id": 1405107391, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:32:11.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:11.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:11.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:11.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 6, + "anomali.threatstream.detail2": "imported by user 872", + "anomali.threatstream.id": "1393798645", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:aeu2f0", + "anomali.threatstream.md5": "5afe0a", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34100122259/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "1256", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "386", + "980" + ], + "anomali.threatstream.update_id": "2194495180", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1528,35 +1651,36 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 6, - "threatintel.anomalithreatstream.detail2": "imported by user 872", - "threatintel.anomalithreatstream.id": 1393798645, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:aeu2f0", - "threatintel.anomalithreatstream.md5": "5afe0a", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34100122259/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 1256, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "386", - "980" - ], - "threatintel.anomalithreatstream.update_id": 2194495180, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:32:19.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:19.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:32:19.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:19.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 46, + "anomali.threatstream.detail2": "imported by user 237", + "anomali.threatstream.id": "3384379889", + "anomali.threatstream.itype": "scan_ip", + "anomali.threatstream.maltype": "malware:w3rx", + 
"anomali.threatstream.resource_uri": "/api/v1/intelligence/P38445847685/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "773", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "830" + ], + "anomali.threatstream.update_id": "2280522298", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1569,35 +1693,40 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 46, - "threatintel.anomalithreatstream.detail2": "imported by user 237", - "threatintel.anomalithreatstream.id": 3384379889, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:w3rx", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P38445847685/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 773, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "830" - ], - "threatintel.anomalithreatstream.update_id": 2280522298, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:32:30.000Z", - "threatintel.indicator.geo.country_iso_code": "CN", - "threatintel.indicator.ip": "2001:db8:b94f:43d3:f1ef:8964:c8e3:48d4", - "threatintel.indicator.last_seen": "2020-10-09T18:32:30.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:30.000Z", + "threat.indicator.geo.country_iso_code": "CN", + "threat.indicator.ip": "2001:db8:b94f:43d3:f1ef:8964:c8e3:48d4", + "threat.indicator.last_seen": "2020-10-09T18:32:30.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv6-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv6-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 60, + 
"anomali.threatstream.detail2": "imported by user 317", + "anomali.threatstream.id": "1291701932", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:upf65oc8", + "anomali.threatstream.md5": "758a81", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P40886917073/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "2980", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "407", + "437" + ], + "anomali.threatstream.update_id": "1128332354", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1610,35 +1739,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 60, - "threatintel.anomalithreatstream.detail2": "imported by user 317", - "threatintel.anomalithreatstream.id": 1291701932, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:upf65oc8", - "threatintel.anomalithreatstream.md5": "758a81", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P40886917073/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 2980, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "407", - "437" - ], - "threatintel.anomalithreatstream.update_id": 1128332354, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 6, - "threatintel.indicator.first_seen": "2020-10-09T18:32:35.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:32:35.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:32:35.000Z", + "threat.indicator.last_seen": "2020-10-09T18:32:35.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 352", + "anomali.threatstream.id": "3279148213", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": 
"malware:u0e", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37449871811/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "2315", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "29", + "817", + "831" + ], + "anomali.threatstream.update_id": "2267992225", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -1650,43 +1782,47 @@
 "log.offset": 19948,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "threatintel-anomalithreatstream",
 "ziqdk"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 352",
- "threatintel.anomalithreatstream.id": 3279148213,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:u0e",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37449871811/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 2315,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "29",
- "817",
- "831"
- ],
- "threatintel.anomalithreatstream.update_id": 2267992225,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.first_seen": "2020-10-09T18:33:10.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.16",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:10.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:33:10.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.16",
+ "threat.indicator.last_seen": "2020-10-09T18:33:10.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "ke4ffyj5.example.com",
- "threatintel.indicator.url.full": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1",
- "threatintel.indicator.url.original": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1",
- "threatintel.indicator.url.path": "/t-9ikyrtt/ai91",
- "threatintel.indicator.url.query": "s6u=3y1",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "ke4ffyj5.example.com",
+ "threat.indicator.url.full": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1",
+ "threat.indicator.url.original": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1",
+ "threat.indicator.url.path": "/t-9ikyrtt/ai91",
+ "threat.indicator.url.query": "s6u=3y1",
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 42,
+ "anomali.threatstream.detail2": "imported by user 768",
+ "anomali.threatstream.id": "2138145846",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:-shiotjs",
+ "anomali.threatstream.md5": "c9b4",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P24530928152/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "837",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "322",
+ "410"
+ ],
+ "anomali.threatstream.update_id": "3812327380",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -1699,35 +1835,38 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 42,
- "threatintel.anomalithreatstream.detail2": "imported by user 768",
- "threatintel.anomalithreatstream.id": 2138145846,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:-shiotjs",
- "threatintel.anomalithreatstream.md5": "c9b4",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24530928152/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 837,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "322",
- "410"
- ],
- "threatintel.anomalithreatstream.update_id": 3812327380,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:13.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:13.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:13.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:13.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 25,
+ "anomali.threatstream.detail2": "imported by user 148",
+ "anomali.threatstream.id": "1502954738",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:c8f0r5d4",
+ "anomali.threatstream.md5": "ad0",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43216360516/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "3786",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "520",
+ "695"
+ ],
+ "anomali.threatstream.update_id": "2085432040",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -1740,35 +1879,37 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 25,
- "threatintel.anomalithreatstream.detail2": "imported by user 148",
- "threatintel.anomalithreatstream.id": 1502954738,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:c8f0r5d4",
- "threatintel.anomalithreatstream.md5": "ad0",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43216360516/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 3786,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "520",
- "695"
- ],
- "threatintel.anomalithreatstream.update_id": 2085432040,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:14.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:14.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:33:14.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:14.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 56,
+ "anomali.threatstream.detail2": "imported by user 649",
+ "anomali.threatstream.id": "2730182815",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:2vsd1miq",
+ "anomali.threatstream.md5": "571957",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P23842171060/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "2923",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "127"
+ ],
+ "anomali.threatstream.update_id": "3768246717",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -1781,34 +1922,38 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 56,
- "threatintel.anomalithreatstream.detail2": "imported by user 649",
- "threatintel.anomalithreatstream.id": 2730182815,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:2vsd1miq",
- "threatintel.anomalithreatstream.md5": "571957",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P23842171060/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 2923,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "127"
- ],
- "threatintel.anomalithreatstream.update_id": 3768246717,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:14.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:14.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:14.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:14.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 132",
+ "anomali.threatstream.id": "1649793681",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:d1q-sdovn",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13727067406/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "1993",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "176",
+ "715",
+ "824"
+ ],
+ "anomali.threatstream.update_id": "3498000116",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -1821,42 +1966,45 @@
 "service.type": "threatintel",
 "tags": [
 "73d",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 132",
- "threatintel.anomalithreatstream.id": 1649793681,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:d1q-sdovn",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13727067406/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 1993,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "176",
- "715",
- "824"
- ],
- "threatintel.anomalithreatstream.update_id": 3498000116,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.first_seen": "2020-10-09T18:33:22.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.154",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:22.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:33:22.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.154",
+ "threat.indicator.last_seen": "2020-10-09T18:33:22.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "rl27d.example.net",
- "threatintel.indicator.url.full": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk",
- "threatintel.indicator.url.original": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk",
- "threatintel.indicator.url.path": "/ko6/4rtt",
- "threatintel.indicator.url.query": "b12=o4mgzz2kk",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "rl27d.example.net",
+ "threat.indicator.url.full": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk",
+ "threat.indicator.url.original": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk",
+ "threat.indicator.url.path": "/ko6/4rtt",
+ "threat.indicator.url.query": "b12=o4mgzz2kk",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 48,
+ "anomali.threatstream.detail2": "imported by user 137",
+ "anomali.threatstream.id": "2195098028",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:886x",
+ "anomali.threatstream.md5": "7f4",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P39956518309/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1936",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "469"
+ ],
+ "anomali.threatstream.update_id": "1238197737",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -1869,35 +2017,38 @@
 "service.type": "threatintel",
 "tags": [
 "e3mm2h",
+ "forwarded",
 "knjq-wt",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 48,
- "threatintel.anomalithreatstream.detail2": "imported by user 137",
- "threatintel.anomalithreatstream.id": 2195098028,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:886x",
- "threatintel.anomalithreatstream.md5": "7f4",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P39956518309/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1936,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "469"
- ],
- "threatintel.anomalithreatstream.update_id": 1238197737,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:24.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:24.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:24.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:24.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 62,
+ "anomali.threatstream.detail2": "imported by user 76",
+ "anomali.threatstream.id": "2273277634",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:eem8vy0",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28216636081/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "2583",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "143",
+ "22"
+ ],
+ "anomali.threatstream.update_id": "3547953290",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -1909,43 +2060,45 @@
 "log.offset": 23077,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "rb2my5u7",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 62,
- "threatintel.anomalithreatstream.detail2": "imported by user 76",
- "threatintel.anomalithreatstream.id": 2273277634,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:eem8vy0",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28216636081/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 2583,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "143",
- "22"
- ],
- "threatintel.anomalithreatstream.update_id": 3547953290,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:26.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.228",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:26.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:26.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.228",
+ "threat.indicator.last_seen": "2020-10-09T18:33:26.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "6ygk0y.example.com",
- "threatintel.indicator.url.full": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef",
- "threatintel.indicator.url.original": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef",
- "threatintel.indicator.url.path": "/t520/4twe",
- "threatintel.indicator.url.query": "ql4bhkpop=yfpkef",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "6ygk0y.example.com",
+ "threat.indicator.url.full": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef",
+ "threat.indicator.url.original": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef",
+ "threat.indicator.url.path": "/t520/4twe",
+ "threat.indicator.url.query": "ql4bhkpop=yfpkef",
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 47,
+ "anomali.threatstream.detail2": "imported by user 304",
+ "anomali.threatstream.id": "1593951372",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:lrfqa",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P18416887501/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1922",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "281"
+ ],
+ "anomali.threatstream.update_id": "3726618139",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -1958,41 +2111,47 @@
 "service.type": "threatintel",
 "tags": [
 "3jujb6j",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 47,
- "threatintel.anomalithreatstream.detail2": "imported by user 304",
- "threatintel.anomalithreatstream.id": 1593951372,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:lrfqa",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P18416887501/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1922,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "281"
- ],
- "threatintel.anomalithreatstream.update_id": 3726618139,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:27.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.38",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:27.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:27.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.38",
+ "threat.indicator.last_seen": "2020-10-09T18:33:27.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "rcsr9o.example.net",
- "threatintel.indicator.url.full": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-",
- "threatintel.indicator.url.original": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-",
- "threatintel.indicator.url.path": "/e6f/08b",
- "threatintel.indicator.url.query": "8d2y=d-42fr-",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "rcsr9o.example.net",
+ "threat.indicator.url.full": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-",
+ "threat.indicator.url.original": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-",
+ "threat.indicator.url.path": "/e6f/08b",
+ "threat.indicator.url.query": "8d2y=d-42fr-",
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": -1,
+ "anomali.threatstream.detail2": "imported by user 578",
+ "anomali.threatstream.id": "2881597176",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:wpo",
+ "anomali.threatstream.md5": "89a0a684",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37162617510/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1312",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "450",
+ "588",
+ "873"
+ ],
+ "anomali.threatstream.update_id": "2444963851",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2006,35 +2165,39 @@
 "tags": [
 "2uu9b",
 "f7ciq9",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": -1,
- "threatintel.anomalithreatstream.detail2": "imported by user 578",
- "threatintel.anomalithreatstream.id": 2881597176,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:wpo",
- "threatintel.anomalithreatstream.md5": "89a0a684",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37162617510/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1312,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "450",
- "588",
- "873"
- ],
- "threatintel.anomalithreatstream.update_id": 2444963851,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.first_seen": "2020-10-09T18:33:29.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:29.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "None",
+ "threat.indicator.first_seen": "2020-10-09T18:33:29.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:29.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 51,
+ "anomali.threatstream.detail2": "imported by user 347",
+ "anomali.threatstream.id": "1789877636",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:f7l",
+ "anomali.threatstream.md5": "a41f",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15884312830/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1250",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "299",
+ "501",
+ "551"
+ ],
+ "anomali.threatstream.update_id": "3210446946",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2047,36 +2210,39 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 51,
- "threatintel.anomalithreatstream.detail2": "imported by user 347",
- "threatintel.anomalithreatstream.id": 1789877636,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:f7l",
- "threatintel.anomalithreatstream.md5": "a41f",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15884312830/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1250,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "299",
- "501",
- "551"
- ],
- "threatintel.anomalithreatstream.update_id": 3210446946,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:43.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:43.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:43.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:43.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 56,
+ "anomali.threatstream.detail2": "imported by user 182",
+ "anomali.threatstream.id": "1300434967",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:5kjd",
+ "anomali.threatstream.md5": "d0f5f32",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P44427200974/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1603",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "122",
+ "460",
+ "615"
+ ],
+ "anomali.threatstream.update_id": "2994196701",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2089,37 +2255,38 @@
 "service.type": "threatintel",
 "tags": [
 "f5c6pl",
+ "forwarded",
 "kpjt",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 56,
- "threatintel.anomalithreatstream.detail2": "imported by user 182",
- "threatintel.anomalithreatstream.id": 1300434967,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:5kjd",
- "threatintel.anomalithreatstream.md5": "d0f5f32",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P44427200974/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1603,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "122",
- "460",
- "615"
- ],
- "threatintel.anomalithreatstream.update_id": 2994196701,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:33:45.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:33:45.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:33:45.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:33:45.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 79,
+ "anomali.threatstream.detail2": "imported by user 976",
+ "anomali.threatstream.id": "2448066635",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:7x9cgytj",
+ "anomali.threatstream.md5": "4f984375b",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15169037907/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "814",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "804"
+ ],
+ "anomali.threatstream.update_id": "2396481494",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -2132,34 +2299,37 @@
         "service.type": "threatintel",
         "tags": [
             "",
+            "forwarded",
             "threatintel-anomalithreatstream"
         ],
-        "threatintel.anomalithreatstream.classification": "private",
-        "threatintel.anomalithreatstream.confidence": 79,
-        "threatintel.anomalithreatstream.detail2": "imported by user 976",
-        "threatintel.anomalithreatstream.id": 2448066635,
-        "threatintel.anomalithreatstream.itype": "mal_md5",
-        "threatintel.anomalithreatstream.maltype": "malware:7x9cgytj",
-        "threatintel.anomalithreatstream.md5": "4f984375b",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15169037907/",
-        "threatintel.anomalithreatstream.severity": "low",
-        "threatintel.anomalithreatstream.source_feed_id": 814,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "804"
-        ],
-        "threatintel.anomalithreatstream.update_id": 2396481494,
-        "threatintel.anomalithreatstream.value_type": "md5",
-        "threatintel.indicator.confidence": 8,
-        "threatintel.indicator.first_seen": "2020-10-09T18:33:45.000Z",
-        "threatintel.indicator.last_seen": "2020-10-09T18:33:45.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "High",
+        "threat.indicator.first_seen": "2020-10-09T18:33:45.000Z",
+        "threat.indicator.last_seen": "2020-10-09T18:33:45.000Z",
+        "threat.indicator.marking.tlp": [
             "Amber"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "file"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "file"
     },
     {
+        "anomali.threatstream.classification": "public",
+        "anomali.threatstream.confidence": 15,
+        "anomali.threatstream.detail2": "imported by user 408",
+        "anomali.threatstream.id": "1693329110",
+        "anomali.threatstream.itype": "phish_url",
+        "anomali.threatstream.maltype": "malware:1l5tib0",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46598563676/",
+        "anomali.threatstream.severity": "medium",
+        "anomali.threatstream.source_feed_id": "3431",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "301",
+            "374"
+        ],
+        "anomali.threatstream.update_id": "1425004305",
+        "anomali.threatstream.value_type": "url",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2172,42 +2342,47 @@
         "service.type": "threatintel",
         "tags": [
             "5w8i",
+            "forwarded",
             "threatintel-anomalithreatstream"
         ],
-        "threatintel.anomalithreatstream.classification": "public",
-        "threatintel.anomalithreatstream.confidence": 15,
-        "threatintel.anomalithreatstream.detail2": "imported by user 408",
-        "threatintel.anomalithreatstream.id": 1693329110,
-        "threatintel.anomalithreatstream.itype": "phish_url",
-        "threatintel.anomalithreatstream.maltype": "malware:1l5tib0",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46598563676/",
-        "threatintel.anomalithreatstream.severity": "medium",
-        "threatintel.anomalithreatstream.source_feed_id": 3431,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "301",
-            "374"
-        ],
-        "threatintel.anomalithreatstream.update_id": 1425004305,
-        "threatintel.anomalithreatstream.value_type": "url",
-        "threatintel.indicator.confidence": 2,
-        "threatintel.indicator.first_seen": "2020-10-09T18:33:48.000Z",
-        "threatintel.indicator.geo.country_iso_code": "US",
-        "threatintel.indicator.ip": "192.0.2.115",
-        "threatintel.indicator.last_seen": "2020-10-09T18:33:48.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "Low",
+        "threat.indicator.first_seen": "2020-10-09T18:33:48.000Z",
+        "threat.indicator.geo.country_iso_code": "US",
+        "threat.indicator.ip": "192.0.2.115",
+        "threat.indicator.last_seen": "2020-10-09T18:33:48.000Z",
+        "threat.indicator.marking.tlp": [
             "White"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "url",
-        "threatintel.indicator.url.domain": "cc7d.example.com",
-        "threatintel.indicator.url.full": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb",
-        "threatintel.indicator.url.original": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb",
-        "threatintel.indicator.url.path": "/kxxwobg/hd6omn",
-        "threatintel.indicator.url.query": "tr8=essb",
-        "threatintel.indicator.url.scheme": "https"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "url",
+        "threat.indicator.url.domain": "cc7d.example.com",
+        "threat.indicator.url.full": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb",
+        "threat.indicator.url.original": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb",
+        "threat.indicator.url.path": "/kxxwobg/hd6omn",
+        "threat.indicator.url.query": "tr8=essb",
+        "threat.indicator.url.scheme": "https"
     },
     {
+        "anomali.threatstream.classification": "private",
+        "anomali.threatstream.confidence": 35,
+        "anomali.threatstream.detail2": "imported by user 843",
+        "anomali.threatstream.id": "1522150430",
+        "anomali.threatstream.itype": "mal_md5",
+        "anomali.threatstream.maltype": "malware:8-8a",
+        "anomali.threatstream.md5": "9c67037e6",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28645937174/",
+        "anomali.threatstream.severity": "medium",
+        "anomali.threatstream.source_feed_id": "2342",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "27",
+            "396",
+            "989"
+        ],
+        "anomali.threatstream.update_id": "3573181354",
+        "anomali.threatstream.value_type": "md5",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2220,36 +2395,37 @@
         "service.type": "threatintel",
         "tags": [
             "",
+            "forwarded",
             "threatintel-anomalithreatstream"
         ],
-        "threatintel.anomalithreatstream.classification": "private",
-        "threatintel.anomalithreatstream.confidence": 35,
-        "threatintel.anomalithreatstream.detail2": "imported by user 843",
-        "threatintel.anomalithreatstream.id": 1522150430,
-        "threatintel.anomalithreatstream.itype": "mal_md5",
-        "threatintel.anomalithreatstream.maltype": "malware:8-8a",
-        "threatintel.anomalithreatstream.md5": "9c67037e6",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28645937174/",
-        "threatintel.anomalithreatstream.severity": "medium",
-        "threatintel.anomalithreatstream.source_feed_id": 2342,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "27",
-            "396",
-            "989"
-        ],
-        "threatintel.anomalithreatstream.update_id": 3573181354,
-        "threatintel.anomalithreatstream.value_type": "md5",
-        "threatintel.indicator.confidence": 4,
-        "threatintel.indicator.first_seen": "2020-10-09T18:33:51.000Z",
-        "threatintel.indicator.last_seen": "2020-10-09T18:33:51.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "Med",
+        "threat.indicator.first_seen": "2020-10-09T18:33:51.000Z",
+        "threat.indicator.last_seen": "2020-10-09T18:33:51.000Z",
+        "threat.indicator.marking.tlp": [
             "Amber"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "file"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "file"
     },
     {
+        "anomali.threatstream.classification": "private",
+        "anomali.threatstream.confidence": 71,
+        "anomali.threatstream.detail2": "imported by user 831",
+        "anomali.threatstream.id": "1760436567",
+        "anomali.threatstream.itype": "scan_ip",
+        "anomali.threatstream.maltype": "malware:vy02k4",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14276852864/",
+        "anomali.threatstream.severity": "very-high",
+        "anomali.threatstream.source_feed_id": "271",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "342",
+            "504"
+        ],
+        "anomali.threatstream.update_id": "1253389383",
+        "anomali.threatstream.value_type": "ip",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2262,36 +2438,38 @@
         "service.type": "threatintel",
         "tags": [
             "f3ctz7j",
+            "forwarded",
             "threatintel-anomalithreatstream"
         ],
-        "threatintel.anomalithreatstream.classification": "private",
-        "threatintel.anomalithreatstream.confidence": 71,
-        "threatintel.anomalithreatstream.detail2": "imported by user 831",
-        "threatintel.anomalithreatstream.id": 1760436567,
-        "threatintel.anomalithreatstream.itype": "scan_ip",
-        "threatintel.anomalithreatstream.maltype": "malware:vy02k4",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14276852864/",
-        "threatintel.anomalithreatstream.severity": "very-high",
-        "threatintel.anomalithreatstream.source_feed_id": 271,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "342",
-            "504"
-        ],
-        "threatintel.anomalithreatstream.update_id": 1253389383,
-        "threatintel.anomalithreatstream.value_type": "ip",
-        "threatintel.indicator.confidence": 7,
-        "threatintel.indicator.first_seen": "2020-10-09T18:33:57.000Z",
-        "threatintel.indicator.geo.country_iso_code": "VN",
-        "threatintel.indicator.ip": "192.0.2.61",
-        "threatintel.indicator.last_seen": "2020-10-09T18:33:57.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "High",
+        "threat.indicator.first_seen": "2020-10-09T18:33:57.000Z",
+        "threat.indicator.geo.country_iso_code": "VN",
+        "threat.indicator.ip": "192.0.2.61",
+        "threat.indicator.last_seen": "2020-10-09T18:33:57.000Z",
+        "threat.indicator.marking.tlp": [
             "Amber"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "ipv4-addr"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "ipv4-addr"
     },
     {
+        "anomali.threatstream.classification": "public",
+        "anomali.threatstream.confidence": 85,
+        "anomali.threatstream.detail2": "imported by user 650",
+        "anomali.threatstream.id": "1925240476",
+        "anomali.threatstream.itype": "scan_ip",
+        "anomali.threatstream.maltype": "malware:2bnikxoma",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15033658538/",
+        "anomali.threatstream.severity": "very-high",
+        "anomali.threatstream.source_feed_id": "1067",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "51"
+        ],
+        "anomali.threatstream.update_id": "1098288836",
+        "anomali.threatstream.value_type": "ip",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2304,35 +2482,38 @@
         "service.type": "threatintel",
         "tags": [
             "",
+            "forwarded",
             "threatintel-anomalithreatstream"
         ],
-        "threatintel.anomalithreatstream.classification": "public",
-        "threatintel.anomalithreatstream.confidence": 85,
-        "threatintel.anomalithreatstream.detail2": "imported by user 650",
-        "threatintel.anomalithreatstream.id": 1925240476,
-        "threatintel.anomalithreatstream.itype": "scan_ip",
-        "threatintel.anomalithreatstream.maltype": "malware:2bnikxoma",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15033658538/",
-        "threatintel.anomalithreatstream.severity": "very-high",
-        "threatintel.anomalithreatstream.source_feed_id": 1067,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "51"
-        ],
-        "threatintel.anomalithreatstream.update_id": 1098288836,
-        "threatintel.anomalithreatstream.value_type": "ip",
-        "threatintel.indicator.confidence": 9,
-        "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z",
-        "threatintel.indicator.geo.country_iso_code": "DE",
-        "threatintel.indicator.ip": "192.0.2.233",
-        "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "High",
+        "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z",
+        "threat.indicator.geo.country_iso_code": "DE",
+        "threat.indicator.ip": "192.0.2.233",
+        "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z",
+        "threat.indicator.marking.tlp": [
             "White"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "ipv4-addr"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "ipv4-addr"
     },
     {
+        "anomali.threatstream.classification": "private",
+        "anomali.threatstream.confidence": 91,
+        "anomali.threatstream.detail2": "imported by user 489",
+        "anomali.threatstream.id": "3001806953",
+        "anomali.threatstream.itype": "phish_url",
+        "anomali.threatstream.maltype": "malware:ak63t",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P34696300225/",
+        "anomali.threatstream.severity": "very-high",
+        "anomali.threatstream.source_feed_id": "782",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "484"
+        ],
+        "anomali.threatstream.update_id": "2722308334",
+        "anomali.threatstream.value_type": "url",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2344,42 +2525,45 @@
         "log.offset": 28355,
         "service.type": "threatintel",
         "tags": [
+            "forwarded",
             "threatintel-anomalithreatstream",
             "v9ycq"
         ],
-        "threatintel.anomalithreatstream.classification": "private",
-        "threatintel.anomalithreatstream.confidence": 91,
-        "threatintel.anomalithreatstream.detail2": "imported by user 489",
-        "threatintel.anomalithreatstream.id": 3001806953,
-        "threatintel.anomalithreatstream.itype": "phish_url",
-        "threatintel.anomalithreatstream.maltype": "malware:ak63t",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P34696300225/",
-        "threatintel.anomalithreatstream.severity": "very-high",
-        "threatintel.anomalithreatstream.source_feed_id": 782,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "484"
-        ],
-        "threatintel.anomalithreatstream.update_id": 2722308334,
-        "threatintel.anomalithreatstream.value_type": "url",
-        "threatintel.indicator.confidence": 9,
-        "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z",
-        "threatintel.indicator.geo.country_iso_code": "US",
-        "threatintel.indicator.ip": "2001:db8:9850:9607:e204:423b:cade:837e",
-        "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "High",
+        "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z",
+        "threat.indicator.geo.country_iso_code": "US",
+        "threat.indicator.ip": "2001:db8:9850:9607:e204:423b:cade:837e",
+        "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z",
+        "threat.indicator.marking.tlp": [
             "Amber"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "url",
-        "threatintel.indicator.url.domain": "v9aqrp81q.example.net",
-        "threatintel.indicator.url.full": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh",
-        "threatintel.indicator.url.original": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh",
-        "threatintel.indicator.url.path": "/psuj4bs/rvp",
-        "threatintel.indicator.url.query": "qufy=ymryh",
-        "threatintel.indicator.url.scheme": "http"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "url",
+        "threat.indicator.url.domain": "v9aqrp81q.example.net",
+        "threat.indicator.url.full": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh",
+        "threat.indicator.url.original": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh",
+        "threat.indicator.url.path": "/psuj4bs/rvp",
+        "threat.indicator.url.query": "qufy=ymryh",
+        "threat.indicator.url.scheme": "http"
     },
     {
+        "anomali.threatstream.classification": "public",
+        "anomali.threatstream.confidence": -1,
+        "anomali.threatstream.detail2": "imported by user 453",
+        "anomali.threatstream.id": "3933431319",
+        "anomali.threatstream.itype": "scan_ip",
+        "anomali.threatstream.maltype": "malware:ejrypgr",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46019487828/",
+        "anomali.threatstream.severity": "very-high",
+        "anomali.threatstream.source_feed_id": "1904",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "444"
+        ],
+        "anomali.threatstream.update_id": "3520784497",
+        "anomali.threatstream.value_type": "ip",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2392,34 +2576,40 @@
         "service.type": "threatintel",
         "tags": [
             "",
+            "forwarded",
             "threatintel-anomalithreatstream"
         ],
-        "threatintel.anomalithreatstream.classification": "public",
-        "threatintel.anomalithreatstream.confidence": -1,
-        "threatintel.anomalithreatstream.detail2": "imported by user 453",
-        "threatintel.anomalithreatstream.id": 3933431319,
-        "threatintel.anomalithreatstream.itype": "scan_ip",
-        "threatintel.anomalithreatstream.maltype": "malware:ejrypgr",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46019487828/",
-        "threatintel.anomalithreatstream.severity": "very-high",
-        "threatintel.anomalithreatstream.source_feed_id": 1904,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "444"
-        ],
-        "threatintel.anomalithreatstream.update_id": 3520784497,
-        "threatintel.anomalithreatstream.value_type": "ip",
-        "threatintel.indicator.first_seen": "2020-10-09T18:34:00.000Z",
-        "threatintel.indicator.geo.country_iso_code": "IN",
-        "threatintel.indicator.ip": "192.0.2.234",
-        "threatintel.indicator.last_seen": "2020-10-09T18:34:00.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "None",
+        "threat.indicator.first_seen": "2020-10-09T18:34:00.000Z",
+        "threat.indicator.geo.country_iso_code": "IN",
+        "threat.indicator.ip": "192.0.2.234",
+        "threat.indicator.last_seen": "2020-10-09T18:34:00.000Z",
+        "threat.indicator.marking.tlp": [
             "White"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "ipv4-addr"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "ipv4-addr"
     },
     {
+        "anomali.threatstream.classification": "private",
+        "anomali.threatstream.confidence": 95,
+        "anomali.threatstream.detail2": "imported by user 722",
+        "anomali.threatstream.id": "1356788940",
+        "anomali.threatstream.itype": "mal_md5",
+        "anomali.threatstream.maltype": "malware:q4a",
+        "anomali.threatstream.md5": "a4fa",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30118085912/",
+        "anomali.threatstream.severity": "high",
+        "anomali.threatstream.source_feed_id": "3698",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "743",
+            "936"
+        ],
+        "anomali.threatstream.update_id": "3707298072",
+        "anomali.threatstream.value_type": "md5",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2431,37 +2621,41 @@
         "log.offset": 29493,
         "service.type": "threatintel",
         "tags": [
+            "forwarded",
             "qxwn7lw",
             "threatintel-anomalithreatstream",
             "xva1ki"
         ],
-        "threatintel.anomalithreatstream.classification": "private",
-        "threatintel.anomalithreatstream.confidence": 95,
-        "threatintel.anomalithreatstream.detail2": "imported by user 722",
-        "threatintel.anomalithreatstream.id": 1356788940,
-        "threatintel.anomalithreatstream.itype": "mal_md5",
-        "threatintel.anomalithreatstream.maltype": "malware:q4a",
-        "threatintel.anomalithreatstream.md5": "a4fa",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30118085912/",
-        "threatintel.anomalithreatstream.severity": "high",
-        "threatintel.anomalithreatstream.source_feed_id": 3698,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "743",
-            "936"
-        ],
-        "threatintel.anomalithreatstream.update_id": 3707298072,
-        "threatintel.anomalithreatstream.value_type": "md5",
-        "threatintel.indicator.confidence": 10,
-        "threatintel.indicator.first_seen": "2020-10-09T18:34:02.000Z",
-        "threatintel.indicator.last_seen": "2020-10-09T18:34:02.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "High",
+        "threat.indicator.first_seen": "2020-10-09T18:34:02.000Z",
+        "threat.indicator.last_seen": "2020-10-09T18:34:02.000Z",
+        "threat.indicator.marking.tlp": [
             "Amber"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "file"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "file"
     },
     {
+        "anomali.threatstream.classification": "private",
+        "anomali.threatstream.confidence": 6,
+        "anomali.threatstream.detail2": "imported by user 236",
+        "anomali.threatstream.id": "3804309005",
+        "anomali.threatstream.itype": "mal_md5",
+        "anomali.threatstream.maltype": "malware:2sclqws1s",
+        "anomali.threatstream.md5": "5e11299",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P14689465586/",
+        "anomali.threatstream.severity": "very-high",
+        "anomali.threatstream.source_feed_id": "342",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "50",
+            "642",
+            "948"
+        ],
+        "anomali.threatstream.update_id": "3749914856",
+        "anomali.threatstream.value_type": "md5",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2473,38 +2667,39 @@
         "log.offset": 29986,
         "service.type": "threatintel",
         "tags": [
+            "forwarded",
             "r81f4",
             "threatintel-anomalithreatstream",
             "wwsw"
         ],
-        "threatintel.anomalithreatstream.classification": "private",
-        "threatintel.anomalithreatstream.confidence": 6,
-        "threatintel.anomalithreatstream.detail2": "imported by user 236",
-        "threatintel.anomalithreatstream.id": 3804309005,
-        "threatintel.anomalithreatstream.itype": "mal_md5",
-        "threatintel.anomalithreatstream.maltype": "malware:2sclqws1s",
-        "threatintel.anomalithreatstream.md5": "5e11299",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P14689465586/",
-        "threatintel.anomalithreatstream.severity": "very-high",
-        "threatintel.anomalithreatstream.source_feed_id": 342,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "50",
-            "642",
-            "948"
-        ],
-        "threatintel.anomalithreatstream.update_id": 3749914856,
-        "threatintel.anomalithreatstream.value_type": "md5",
-        "threatintel.indicator.confidence": 1,
-        "threatintel.indicator.first_seen": "2020-10-09T18:34:05.000Z",
-        "threatintel.indicator.last_seen": "2020-10-09T18:34:05.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "Low",
+        "threat.indicator.first_seen": "2020-10-09T18:34:05.000Z",
+        "threat.indicator.last_seen": "2020-10-09T18:34:05.000Z",
+        "threat.indicator.marking.tlp": [
             "Amber"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "file"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "file"
     },
     {
+        "anomali.threatstream.classification": "private",
+        "anomali.threatstream.confidence": 15,
+        "anomali.threatstream.detail2": "imported by user 488",
+        "anomali.threatstream.id": "1022859708",
+        "anomali.threatstream.itype": "mal_md5",
+        "anomali.threatstream.maltype": "malware:9cfecc",
+        "anomali.threatstream.md5": "22315f8",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33092174596/",
+        "anomali.threatstream.severity": "medium",
+        "anomali.threatstream.source_feed_id": "2811",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "1"
+        ],
+        "anomali.threatstream.update_id": "1637146862",
+        "anomali.threatstream.value_type": "md5",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2517,34 +2712,38 @@
         "service.type": "threatintel",
         "tags": [
             "",
+            "forwarded",
             "threatintel-anomalithreatstream"
         ],
-        "threatintel.anomalithreatstream.classification": "private",
-        "threatintel.anomalithreatstream.confidence": 15,
-        "threatintel.anomalithreatstream.detail2": "imported by user 488",
-        "threatintel.anomalithreatstream.id": 1022859708,
-        "threatintel.anomalithreatstream.itype": "mal_md5",
-        "threatintel.anomalithreatstream.maltype": "malware:9cfecc",
-        "threatintel.anomalithreatstream.md5": "22315f8",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33092174596/",
-        "threatintel.anomalithreatstream.severity": "medium",
-        "threatintel.anomalithreatstream.source_feed_id": 2811,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "1"
-        ],
-        "threatintel.anomalithreatstream.update_id": 1637146862,
-        "threatintel.anomalithreatstream.value_type": "md5",
-        "threatintel.indicator.confidence": 2,
-        "threatintel.indicator.first_seen": "2020-10-09T18:34:11.000Z",
-        "threatintel.indicator.last_seen": "2020-10-09T18:34:11.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "Low",
+        "threat.indicator.first_seen": "2020-10-09T18:34:11.000Z",
+        "threat.indicator.last_seen": "2020-10-09T18:34:11.000Z",
+        "threat.indicator.marking.tlp": [
             "Amber"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "file"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "file"
     },
     {
+        "anomali.threatstream.classification": "public",
+        "anomali.threatstream.confidence": 54,
+        "anomali.threatstream.detail2": "imported by user 310",
+        "anomali.threatstream.id": "1581368214",
+        "anomali.threatstream.itype": "mal_md5",
+        "anomali.threatstream.maltype": "malware:r7vbej",
+        "anomali.threatstream.md5": "d4a",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28408487114/",
+        "anomali.threatstream.severity": "high",
+        "anomali.threatstream.source_feed_id": "1371",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "810",
+            "910"
+        ],
+        "anomali.threatstream.update_id": "1671617316",
+        "anomali.threatstream.value_type": "md5",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2557,35 +2756,36 @@
         "service.type": "threatintel",
         "tags": [
             "",
+            "forwarded",
             "threatintel-anomalithreatstream"
         ],
-        "threatintel.anomalithreatstream.classification": "public",
-        "threatintel.anomalithreatstream.confidence": 54,
-        "threatintel.anomalithreatstream.detail2": "imported by user 310",
-        "threatintel.anomalithreatstream.id": 1581368214,
-        "threatintel.anomalithreatstream.itype": "mal_md5",
-        "threatintel.anomalithreatstream.maltype": "malware:r7vbej",
-        "threatintel.anomalithreatstream.md5": "d4a",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28408487114/",
-        "threatintel.anomalithreatstream.severity": "high",
-        "threatintel.anomalithreatstream.source_feed_id": 1371,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "810",
-            "910"
-        ],
-        "threatintel.anomalithreatstream.update_id": 1671617316,
-        "threatintel.anomalithreatstream.value_type": "md5",
-        "threatintel.indicator.confidence": 5,
-        "threatintel.indicator.first_seen": "2020-10-09T18:34:12.000Z",
-        "threatintel.indicator.last_seen": "2020-10-09T18:34:12.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "Med",
+        "threat.indicator.first_seen": "2020-10-09T18:34:12.000Z",
+        "threat.indicator.last_seen": "2020-10-09T18:34:12.000Z",
+        "threat.indicator.marking.tlp": [
             "White"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "file"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "file"
     },
     {
+        "anomali.threatstream.classification": "public",
+        "anomali.threatstream.confidence": -1,
+        "anomali.threatstream.detail2": "imported by user 376",
+        "anomali.threatstream.id": "3576055846",
+        "anomali.threatstream.itype": "phish_url",
+        "anomali.threatstream.maltype": "malware:0qqrz",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P27429039546/",
+        "anomali.threatstream.severity": "low",
+        "anomali.threatstream.source_feed_id": "1808",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "660"
+        ],
+        "anomali.threatstream.update_id": "2477226249",
+        "anomali.threatstream.value_type": "url",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2597,41 +2797,48 @@
         "log.offset": 31451,
         "service.type": "threatintel",
         "tags": [
+            "forwarded",
             "gry2doqf",
             "threatintel-anomalithreatstream"
         ],
-        "threatintel.anomalithreatstream.classification": "public",
-        "threatintel.anomalithreatstream.confidence": -1,
-        "threatintel.anomalithreatstream.detail2": "imported by user 376",
-        "threatintel.anomalithreatstream.id": 3576055846,
-        "threatintel.anomalithreatstream.itype": "phish_url",
-        "threatintel.anomalithreatstream.maltype": "malware:0qqrz",
-        "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P27429039546/",
-        "threatintel.anomalithreatstream.severity": "low",
-        "threatintel.anomalithreatstream.source_feed_id": 1808,
-        "threatintel.anomalithreatstream.state": "active",
-        "threatintel.anomalithreatstream.trusted_circle_ids": [
-            "660"
-        ],
-        "threatintel.anomalithreatstream.update_id": 2477226249,
-        "threatintel.anomalithreatstream.value_type": "url",
-        "threatintel.indicator.first_seen": "2020-10-09T18:34:17.000Z",
-        "threatintel.indicator.geo.country_iso_code": "US",
-        "threatintel.indicator.ip": "203.0.113.83",
-        "threatintel.indicator.last_seen": "2020-10-09T18:34:17.000Z",
-        "threatintel.indicator.marking.tlp": [
+        "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+        "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+        "threat.indicator.confidence": "None",
+        "threat.indicator.first_seen": "2020-10-09T18:34:17.000Z",
+        "threat.indicator.geo.country_iso_code": "US",
+        "threat.indicator.ip": "203.0.113.83",
+        "threat.indicator.last_seen": "2020-10-09T18:34:17.000Z",
+        "threat.indicator.marking.tlp": [
             "White"
         ],
-        "threatintel.indicator.provider": "Default Organization",
-        "threatintel.indicator.type": "url",
-        "threatintel.indicator.url.domain": "o4kqv8b8.example.net",
-        "threatintel.indicator.url.full": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
-        "threatintel.indicator.url.original": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
-        "threatintel.indicator.url.path": "/gm4d-9gt/v2iqt",
-        "threatintel.indicator.url.query": "x65ry67ao=skta9rp",
-        "threatintel.indicator.url.scheme": "https"
+        "threat.indicator.provider": "Default Organization",
+        "threat.indicator.type": "url",
+        "threat.indicator.url.domain": "o4kqv8b8.example.net",
+        "threat.indicator.url.full": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
+        "threat.indicator.url.original": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
+        "threat.indicator.url.path": "/gm4d-9gt/v2iqt",
+        "threat.indicator.url.query": "x65ry67ao=skta9rp",
+        "threat.indicator.url.scheme": "https"
     },
     {
+        "anomali.threatstream.classification": "private",
+        "anomali.threatstream.confidence": 89,
+        "anomali.threatstream.detail2": "imported by user 748",
+        "anomali.threatstream.id": "1315247197",
+        "anomali.threatstream.itype": "mal_md5",
+        "anomali.threatstream.maltype": "malware:r38g5hbgx",
+        "anomali.threatstream.md5": "3eac",
+        "anomali.threatstream.resource_uri": "/api/v1/intelligence/P15092591036/",
+        "anomali.threatstream.severity": "medium",
+        "anomali.threatstream.source_feed_id": "206",
+        "anomali.threatstream.state": "active",
+        "anomali.threatstream.trusted_circle_ids": [
+            "19",
+            "6",
+            "954"
+        ],
+        "anomali.threatstream.update_id": "1760504719",
+        "anomali.threatstream.value_type": "md5",
         "event.category": "threat",
         "event.dataset": "threatintel.anomalithreatstream",
         "event.kind": "enrichment",
@@ -2644,37 +2851,39 @@ "service.type": "threatintel", "tags": [ "1l9tule2", + "forwarded", "k6p", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 89, - "threatintel.anomalithreatstream.detail2": "imported by user 748", - "threatintel.anomalithreatstream.id": 1315247197, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:r38g5hbgx", - "threatintel.anomalithreatstream.md5": "3eac", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P15092591036/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 206, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "19", - "6", - "954" - ], - "threatintel.anomalithreatstream.update_id": 1760504719, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 9, - "threatintel.indicator.first_seen": "2020-10-09T18:34:20.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:20.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:20.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:20.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 25, + "anomali.threatstream.detail2": "imported by user 380", + "anomali.threatstream.id": "1562423716", + "anomali.threatstream.itype": "mal_md5", + 
"anomali.threatstream.maltype": "malware:882dlx", + "anomali.threatstream.md5": "59893613", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P35184012550/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3446", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "392", + "581" + ], + "anomali.threatstream.update_id": "2530088908", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
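Review bot: For the mal_md5 indicator in this hunk the hash only survives in the vendor field `anomali.threatstream.md5`; the ECS side sets `threat.indicator.type: "file"` but no `threat.indicator.file.hash.md5`, so indicator-match rules and dashboards keyed on the ECS hash fields cannot match on these events. Unless the pipeline already does this and the fixture is simply out of date, copying the value into `"threat.indicator.file.hash.md5": "3eac"` (the truncated test value seen here) would make the file indicators usable for matching. The same gap applies to every mal_md5 document visible in this file. The JSON object this hunk ends on continues in the next hunk.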
@@ -2687,36 +2896,40 @@ "service.type": "threatintel", "tags": [ "d9qquxe", + "forwarded", "threatintel-anomalithreatstream", "ulx" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 25, - "threatintel.anomalithreatstream.detail2": "imported by user 380", - "threatintel.anomalithreatstream.id": 1562423716, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:882dlx", - "threatintel.anomalithreatstream.md5": "59893613", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P35184012550/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3446, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "392", - "581" - ], - "threatintel.anomalithreatstream.update_id": 2530088908, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 3, - "threatintel.indicator.first_seen": "2020-10-09T18:34:20.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:20.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:20.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:20.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 4, + "anomali.threatstream.detail2": "imported by user 423", + "anomali.threatstream.id": "1470897088", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": 
"malware:rwo6s", + "anomali.threatstream.md5": "5facf1f", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10368659748/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "599", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "591", + "663", + "848" + ], + "anomali.threatstream.update_id": "1937893007", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2728,38 +2941,39 @@ "log.offset": 33043, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream", "wsu7l1", "zrb" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 4, - "threatintel.anomalithreatstream.detail2": "imported by user 423", - "threatintel.anomalithreatstream.id": 1470897088, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:rwo6s", - "threatintel.anomalithreatstream.md5": "5facf1f", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10368659748/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 599, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "591", - "663", - "848" - ], - "threatintel.anomalithreatstream.update_id": 1937893007, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 0, - "threatintel.indicator.first_seen": "2020-10-09T18:34:32.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:32.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:32.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:32.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 9, + "anomali.threatstream.detail2": "imported by user 983", + "anomali.threatstream.id": "1205553827", + "anomali.threatstream.itype": "mal_md5", + 
"anomali.threatstream.maltype": "malware:-pbnrmv", + "anomali.threatstream.md5": "708b2c", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P41514908414/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3751", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "299" + ], + "anomali.threatstream.update_id": "3858315866", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2772,34 +2986,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 9, - "threatintel.anomalithreatstream.detail2": "imported by user 983", - "threatintel.anomalithreatstream.id": 1205553827, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:-pbnrmv", - "threatintel.anomalithreatstream.md5": "708b2c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41514908414/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3751, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "299" - ], - "threatintel.anomalithreatstream.update_id": 3858315866, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2020-10-09T18:34:32.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:32.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:32.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:32.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 314", + "anomali.threatstream.id": "1744295971", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:uqw", + 
"anomali.threatstream.md5": "0df", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P36955243007/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "2305", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "556" + ], + "anomali.threatstream.update_id": "2655715062", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2812,33 +3029,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 314", - "threatintel.anomalithreatstream.id": 1744295971, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:uqw", - "threatintel.anomalithreatstream.md5": "0df", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P36955243007/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 2305, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "556" - ], - "threatintel.anomalithreatstream.update_id": 2655715062, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.first_seen": "2020-10-09T18:34:39.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:39.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:34:39.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:39.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 45, + "anomali.threatstream.detail2": "imported by user 986", + "anomali.threatstream.id": "1782793990", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:mkctzuaaf", + "anomali.threatstream.md5": "770", + 
"anomali.threatstream.resource_uri": "/api/v1/intelligence/P41751433270/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "3513", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "445" + ], + "anomali.threatstream.update_id": "2172945223", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2850,36 +3071,38 @@ "log.offset": 34489, "service.type": "threatintel", "tags": [ + "forwarded", "ps2", "qr2wno4", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 45, - "threatintel.anomalithreatstream.detail2": "imported by user 986", - "threatintel.anomalithreatstream.id": 1782793990, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:mkctzuaaf", - "threatintel.anomalithreatstream.md5": "770", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P41751433270/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 3513, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "445" - ], - "threatintel.anomalithreatstream.update_id": 2172945223, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 5, - "threatintel.indicator.first_seen": "2020-10-09T18:34:40.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:40.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:34:40.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:40.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 98, + "anomali.threatstream.detail2": "imported by user 615", + "anomali.threatstream.id": "1130190904", + "anomali.threatstream.itype": "scan_ip", + 
"anomali.threatstream.maltype": "malware:3zu2d2", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13755730530/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1192", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "88" + ], + "anomali.threatstream.update_id": "1575621349", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
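Review bot: `threat.indicator.confidence` is emitted as `"Med"` for the confidence-45 indicator near the end of this hunk, but ECS defines the expected values as Not Specified, None, Low, Medium and High, so a term filter or indicator-match rule written against `Medium` will silently miss these events while the `Low` and `High` values elsewhere in this file match. Changing the pipeline bucket to produce `"threat.indicator.confidence": "Medium"` and regenerating this fixture keeps the field inside the vendor-neutral vocabulary the rename to `threat.*` is meant to deliver. The numeric threshold that places 45 in the medium bucket is not visible here, so I cannot confirm the bucket boundaries themselves. The object this hunk ends on continues past it.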
@@ -2892,35 +3115,39 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 98, - "threatintel.anomalithreatstream.detail2": "imported by user 615", - "threatintel.anomalithreatstream.id": 1130190904, - "threatintel.anomalithreatstream.itype": "scan_ip", - "threatintel.anomalithreatstream.maltype": "malware:3zu2d2", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13755730530/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1192, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "88" - ], - "threatintel.anomalithreatstream.update_id": 1575621349, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 10, - "threatintel.indicator.first_seen": "2020-10-09T18:34:41.000Z", - "threatintel.indicator.geo.country_iso_code": "VN", - "threatintel.indicator.ip": "192.0.2.88", - "threatintel.indicator.last_seen": "2020-10-09T18:34:41.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2020-10-09T18:34:41.000Z", + "threat.indicator.geo.country_iso_code": "VN", + "threat.indicator.ip": "192.0.2.88", + "threat.indicator.last_seen": "2020-10-09T18:34:41.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 17, + "anomali.threatstream.detail2": "imported by user 202", 
+ "anomali.threatstream.id": "2499059829", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": "malware:86-jrf6o", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43937262060/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "852", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "308", + "949" + ], + "anomali.threatstream.update_id": "2450069481", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2933,42 +3160,45 @@ "service.type": "threatintel", "tags": [ "ao6", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 17, - "threatintel.anomalithreatstream.detail2": "imported by user 202", - "threatintel.anomalithreatstream.id": 2499059829, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:86-jrf6o", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43937262060/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 852, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "308", - "949" - ], - "threatintel.anomalithreatstream.update_id": 2450069481, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:34:43.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.111", - "threatintel.indicator.last_seen": "2020-10-09T18:34:43.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:43.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.111", + "threat.indicator.last_seen": "2020-10-09T18:34:43.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "91p0p.example.com", - "threatintel.indicator.url.full": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21", - "threatintel.indicator.url.original": 
"https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21", - "threatintel.indicator.url.path": "/easx3j6iy/xvnchuoa", - "threatintel.indicator.url.query": "dvkljl=h21", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "91p0p.example.com", + "threat.indicator.url.full": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21", + "threat.indicator.url.original": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21", + "threat.indicator.url.path": "/easx3j6iy/xvnchuoa", + "threat.indicator.url.query": "dvkljl=h21", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 67, + "anomali.threatstream.detail2": "imported by user 421", + "anomali.threatstream.id": "2799251412", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:91o2", + "anomali.threatstream.md5": "f9edba87a", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P31632809876/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3756", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "776" + ], + "anomali.threatstream.update_id": "3951093865", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -2981,34 +3211,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 67, - "threatintel.anomalithreatstream.detail2": "imported by user 421", - "threatintel.anomalithreatstream.id": 2799251412, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:91o2", - "threatintel.anomalithreatstream.md5": "f9edba87a", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P31632809876/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3756, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "776" - ], - "threatintel.anomalithreatstream.update_id": 3951093865, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2020-10-09T18:34:48.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:48.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Med", + "threat.indicator.first_seen": "2020-10-09T18:34:48.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:48.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 22, + "anomali.threatstream.detail2": "imported by user 807", + "anomali.threatstream.id": "3711409360", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:yakt8pe9r", + 
"anomali.threatstream.md5": "c3b497", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P37263483140/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3903", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "35" + ], + "anomali.threatstream.update_id": "3046847198", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3021,34 +3254,38 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 22, - "threatintel.anomalithreatstream.detail2": "imported by user 807", - "threatintel.anomalithreatstream.id": 3711409360, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:yakt8pe9r", - "threatintel.anomalithreatstream.md5": "c3b497", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P37263483140/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3903, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "35" - ], - "threatintel.anomalithreatstream.update_id": 3046847198, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:34:53.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:53.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:53.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:53.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 20, + "anomali.threatstream.detail2": "imported by user 298", + "anomali.threatstream.id": "3346530445", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:jfje", + 
"anomali.threatstream.md5": "ec57713c", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10248765051/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1239", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "196", + "775" + ], + "anomali.threatstream.update_id": "2946803375", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3061,35 +3298,37 @@ "service.type": "threatintel", "tags": [ "", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 20, - "threatintel.anomalithreatstream.detail2": "imported by user 298", - "threatintel.anomalithreatstream.id": 3346530445, - "threatintel.anomalithreatstream.itype": "mal_md5", - "threatintel.anomalithreatstream.maltype": "malware:jfje", - "threatintel.anomalithreatstream.md5": "ec57713c", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10248765051/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1239, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "196", - "775" - ], - "threatintel.anomalithreatstream.update_id": 2946803375, - "threatintel.anomalithreatstream.value_type": "md5", - "threatintel.indicator.confidence": 2, - "threatintel.indicator.first_seen": "2020-10-09T18:34:53.000Z", - "threatintel.indicator.last_seen": "2020-10-09T18:34:53.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2020-10-09T18:34:53.000Z", + "threat.indicator.last_seen": "2020-10-09T18:34:53.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "file" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "file" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": -1, + "anomali.threatstream.detail2": "imported by user 345", + "anomali.threatstream.id": "2804727563", + "anomali.threatstream.itype": "phish_url", + "anomali.threatstream.maltype": 
"malware:c7e", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P11093591971/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "2617", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "131", + "793" + ], + "anomali.threatstream.update_id": "1687817836", + "anomali.threatstream.value_type": "url", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3102,41 +3341,45 @@ "service.type": "threatintel", "tags": [ "-g6", + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": -1, - "threatintel.anomalithreatstream.detail2": "imported by user 345", - "threatintel.anomalithreatstream.id": 2804727563, - "threatintel.anomalithreatstream.itype": "phish_url", - "threatintel.anomalithreatstream.maltype": "malware:c7e", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P11093591971/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 2617, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "131", - "793" - ], - "threatintel.anomalithreatstream.update_id": 1687817836, - "threatintel.anomalithreatstream.value_type": "url", - "threatintel.indicator.first_seen": "2020-10-09T18:34:54.000Z", - "threatintel.indicator.geo.country_iso_code": "US", - "threatintel.indicator.ip": "203.0.113.133", - "threatintel.indicator.last_seen": "2020-10-09T18:34:54.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "None", + "threat.indicator.first_seen": "2020-10-09T18:34:54.000Z", + "threat.indicator.geo.country_iso_code": "US", + "threat.indicator.ip": "203.0.113.133", + "threat.indicator.last_seen": "2020-10-09T18:34:54.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "lzr6.example.org", - "threatintel.indicator.url.full": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", - "threatintel.indicator.url.original": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", - "threatintel.indicator.url.path": "/a7og/4vpv", 
- "threatintel.indicator.url.query": "e7k5=wun", - "threatintel.indicator.url.scheme": "https" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "lzr6.example.org", + "threat.indicator.url.full": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", + "threat.indicator.url.original": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", + "threat.indicator.url.path": "/a7og/4vpv", + "threat.indicator.url.query": "e7k5=wun", + "threat.indicator.url.scheme": "https" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 84, + "anomali.threatstream.detail2": "imported by user 747", + "anomali.threatstream.id": "2229747614", + "anomali.threatstream.itype": "mal_md5", + "anomali.threatstream.maltype": "malware:0d7cxf", + "anomali.threatstream.md5": "bde", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12084157836/", + "anomali.threatstream.severity": "very-high", + "anomali.threatstream.source_feed_id": "1620", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "30" + ], + "anomali.threatstream.update_id": "2339220849", + "anomali.threatstream.value_type": "md5", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -3149,34 +3392,37 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 84,
- "threatintel.anomalithreatstream.detail2": "imported by user 747",
- "threatintel.anomalithreatstream.id": 2229747614,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:0d7cxf",
- "threatintel.anomalithreatstream.md5": "bde",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12084157836/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1620,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "30"
- ],
- "threatintel.anomalithreatstream.update_id": 2339220849,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 8,
- "threatintel.indicator.first_seen": "2020-10-09T18:34:55.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:34:55.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:34:55.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:34:55.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 54,
+ "anomali.threatstream.detail2": "imported by user 832",
+ "anomali.threatstream.id": "2821279948",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:-farvj0e",
+ "anomali.threatstream.md5": "aa674f5f",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P43981956471/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "2038",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "908"
+ ],
+ "anomali.threatstream.update_id": "2083515068",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3189,34 +3435,39 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 54,
- "threatintel.anomalithreatstream.detail2": "imported by user 832",
- "threatintel.anomalithreatstream.id": 2821279948,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:-farvj0e",
- "threatintel.anomalithreatstream.md5": "aa674f5f",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P43981956471/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 2038,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "908"
- ],
- "threatintel.anomalithreatstream.update_id": 2083515068,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:35:01.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:35:01.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:35:01.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:35:01.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 63,
+ "anomali.threatstream.detail2": "imported by user 217",
+ "anomali.threatstream.id": "3118884222",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:23xfw4nyi",
+ "anomali.threatstream.md5": "48721c98",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20451120036/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "1492",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "207",
+ "501",
+ "993"
+ ],
+ "anomali.threatstream.update_id": "3429396478",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
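Review bot: `threat.indicator.confidence` is written as `"Med"` on the new side here, while the other levels emitted in this file use full words (`"None"`, `"Low"`, `"High"`). ECS defines the expected values of `threat.indicator.confidence` as Not Specified, None, Low, Medium and High, so `"Med"` will not line up with dashboards, detection rules or other threatintel filesets that compare against `"Medium"`. The same value appears in the hunks at `@@ -3229`, `@@ -3317`, `@@ -3359`, `@@ -3403` and `@@ -3453`. The mapping lives in the ingest pipeline outside this diff; once it is corrected and the expected output regenerated, the line here should read `"threat.indicator.confidence": "Medium",`.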
@@ -3229,36 +3480,36 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 63,
- "threatintel.anomalithreatstream.detail2": "imported by user 217",
- "threatintel.anomalithreatstream.id": 3118884222,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:23xfw4nyi",
- "threatintel.anomalithreatstream.md5": "48721c98",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20451120036/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 1492,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "207",
- "501",
- "993"
- ],
- "threatintel.anomalithreatstream.update_id": 3429396478,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:35:01.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:35:01.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:35:01.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:35:01.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 72,
+ "anomali.threatstream.detail2": "imported by user 402",
+ "anomali.threatstream.id": "3912225830",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:dto",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P16185398807/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1594",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "439"
+ ],
+ "anomali.threatstream.update_id": "3320773285",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3270,42 +3521,46 @@
 "log.offset": 39578,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "threatintel-anomalithreatstream",
 "y7d71"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 72,
- "threatintel.anomalithreatstream.detail2": "imported by user 402",
- "threatintel.anomalithreatstream.id": 3912225830,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:dto",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P16185398807/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1594,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "439"
- ],
- "threatintel.anomalithreatstream.update_id": 3320773285,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:35:04.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.177",
- "threatintel.indicator.last_seen": "2020-10-09T18:35:04.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:35:04.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.177",
+ "threat.indicator.last_seen": "2020-10-09T18:35:04.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "932.example.com",
- "threatintel.indicator.url.full": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw",
- "threatintel.indicator.url.original": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw",
- "threatintel.indicator.url.path": "/1xmdjyom/tf3inx1",
- "threatintel.indicator.url.query": "s6zgr=ajgw",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "932.example.com",
+ "threat.indicator.url.full": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw",
+ "threat.indicator.url.original": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw",
+ "threat.indicator.url.path": "/1xmdjyom/tf3inx1",
+ "threat.indicator.url.query": "s6zgr=ajgw",
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 34,
+ "anomali.threatstream.detail2": "imported by user 626",
+ "anomali.threatstream.id": "2591984894",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:7nq6far",
+ "anomali.threatstream.md5": "114bd63e0",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P19612019110/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "1579",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "669"
+ ],
+ "anomali.threatstream.update_id": "2275758319",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3317,36 +3572,40 @@
 "log.offset": 40161,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "hlq",
 "nknea",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 34,
- "threatintel.anomalithreatstream.detail2": "imported by user 626",
- "threatintel.anomalithreatstream.id": 2591984894,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:7nq6far",
- "threatintel.anomalithreatstream.md5": "114bd63e0",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P19612019110/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 1579,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "669"
- ],
- "threatintel.anomalithreatstream.update_id": 2275758319,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-09T18:35:06.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:35:06.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:35:06.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:35:06.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 53,
+ "anomali.threatstream.detail2": "imported by user 756",
+ "anomali.threatstream.id": "2589012476",
+ "anomali.threatstream.itype": "mal_md5",
+ "anomali.threatstream.maltype": "malware:c1z0qya",
+ "anomali.threatstream.md5": "636cd4267",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P47658489795/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "3665",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "835",
+ "850"
+ ],
+ "anomali.threatstream.update_id": "2399518196",
+ "anomali.threatstream.value_type": "md5",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3359,35 +3618,37 @@
 "service.type": "threatintel",
 "tags": [
 "",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 53,
- "threatintel.anomalithreatstream.detail2": "imported by user 756",
- "threatintel.anomalithreatstream.id": 2589012476,
- "threatintel.anomalithreatstream.itype": "mal_md5",
- "threatintel.anomalithreatstream.maltype": "malware:c1z0qya",
- "threatintel.anomalithreatstream.md5": "636cd4267",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47658489795/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 3665,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "835",
- "850"
- ],
- "threatintel.anomalithreatstream.update_id": 2399518196,
- "threatintel.anomalithreatstream.value_type": "md5",
- "threatintel.indicator.confidence": 5,
- "threatintel.indicator.first_seen": "2020-10-09T18:35:22.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:35:22.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:35:22.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:35:22.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "file"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "file"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 57,
+ "anomali.threatstream.detail2": "imported by user 893",
+ "anomali.threatstream.id": "2677187012",
+ "anomali.threatstream.itype": "mal_url",
+ "anomali.threatstream.maltype": "malware:qtp",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P28161033466/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "3395",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "234",
+ "909"
+ ],
+ "anomali.threatstream.update_id": "3342338979",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3403,44 +3664,48 @@
 "5z6",
 "IP=192.0.2.45",
 "first_seen=2020-11-24T05:32:17",
+ "forwarded",
 "mask=2001:db8:6d86:4a6:af9b:4385:14d6:b714",
 "popularity=high",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 57,
- "threatintel.anomalithreatstream.detail2": "imported by user 893",
- "threatintel.anomalithreatstream.id": 2677187012,
- "threatintel.anomalithreatstream.itype": "mal_url",
- "threatintel.anomalithreatstream.maltype": "malware:qtp",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P28161033466/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 3395,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "234",
- "909"
- ],
- "threatintel.anomalithreatstream.update_id": 3342338979,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:01.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.71",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:01.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:44:01.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.71",
+ "threat.indicator.last_seen": "2020-10-09T18:44:01.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "0te9x75e.example.net",
- "threatintel.indicator.url.full": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3",
- "threatintel.indicator.url.original": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3",
- "threatintel.indicator.url.path": "/y2cbl5ov5/u-s9",
- "threatintel.indicator.url.query": "vhppw120=bt0ze0du3",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "0te9x75e.example.net",
+ "threat.indicator.url.full": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3",
+ "threat.indicator.url.original": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3",
+ "threat.indicator.url.path": "/y2cbl5ov5/u-s9",
+ "threat.indicator.url.query": "vhppw120=bt0ze0du3",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 31,
+ "anomali.threatstream.detail2": "imported by user 450",
+ "anomali.threatstream.id": "3137219963",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:nosy8",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P33588463803/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "2108",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "755",
+ "843",
+ "943"
+ ],
+ "anomali.threatstream.update_id": "1484831936",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3453,43 +3718,45 @@
 "service.type": "threatintel",
 "tags": [
 "06epx",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 31,
- "threatintel.anomalithreatstream.detail2": "imported by user 450",
- "threatintel.anomalithreatstream.id": 3137219963,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:nosy8",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P33588463803/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 2108,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "755",
- "843",
- "943"
- ],
- "threatintel.anomalithreatstream.update_id": 1484831936,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 3,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:04.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.180",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:04.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:44:04.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.180",
+ "threat.indicator.last_seen": "2020-10-09T18:44:04.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "b7qdtnl8f.example.org",
- "threatintel.indicator.url.full": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse",
- "threatintel.indicator.url.original": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse",
- "threatintel.indicator.url.path": "/z2a-tx3ip/7cv",
- "threatintel.indicator.url.query": "9a67ct3mb=ijse",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "b7qdtnl8f.example.org",
+ "threat.indicator.url.full": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse",
+ "threat.indicator.url.original": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse",
+ "threat.indicator.url.path": "/z2a-tx3ip/7cv",
+ "threat.indicator.url.query": "9a67ct3mb=ijse",
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 19,
+ "anomali.threatstream.detail2": "imported by user 479",
+ "anomali.threatstream.id": "2506436592",
+ "anomali.threatstream.itype": "mal_domain",
+ "anomali.threatstream.maltype": "malware:4okr",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P42606732542/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "393",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "324",
+ "63"
+ ],
+ "anomali.threatstream.update_id": "1826833096",
+ "anomali.threatstream.value_type": "domain",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3501,37 +3768,40 @@
 "log.offset": 42447,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "jjz8e",
 "n5okkr7mg",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 19,
- "threatintel.anomalithreatstream.detail2": "imported by user 479",
- "threatintel.anomalithreatstream.id": 2506436592,
- "threatintel.anomalithreatstream.itype": "mal_domain",
- "threatintel.anomalithreatstream.maltype": "malware:4okr",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P42606732542/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 393,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "324",
- "63"
- ],
- "threatintel.anomalithreatstream.update_id": 1826833096,
- "threatintel.anomalithreatstream.value_type": "domain",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:19.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:19.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:44:19.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:44:19.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "4gtq1n.example.net"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "4gtq1n.example.net"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 83,
+ "anomali.threatstream.detail2": "imported by user 969",
+ "anomali.threatstream.id": "1214135687",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.maltype": "malware:h68c70o",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P25206292349/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "425",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "324",
+ "474"
+ ],
+ "anomali.threatstream.update_id": "2101635974",
+ "anomali.threatstream.value_type": "ip",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3545,40 +3815,43 @@
 "tags": [
 "IP=203.0.113.163",
 "first_seen=2020-02-14T13:46:51",
+ "forwarded",
 "gnz6",
 "mask=203.0.113.12",
 "popularity=high",
 "threatintel-anomalithreatstream",
 "u96h"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 83,
- "threatintel.anomalithreatstream.detail2": "imported by user 969",
- "threatintel.anomalithreatstream.id": 1214135687,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.maltype": "malware:h68c70o",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25206292349/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 425,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "324",
- "474"
- ],
- "threatintel.anomalithreatstream.update_id": 2101635974,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 8,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:27.000Z",
- "threatintel.indicator.geo.country_iso_code": "RU",
- "threatintel.indicator.ip": "192.0.2.17",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:27.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:44:27.000Z",
+ "threat.indicator.geo.country_iso_code": "RU",
+ "threat.indicator.ip": "192.0.2.17",
+ "threat.indicator.last_seen": "2020-10-09T18:44:27.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 15,
+ "anomali.threatstream.detail2": "imported by user 501",
+ "anomali.threatstream.id": "1632578144",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:y9xovpr2",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P21633460934/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "1114",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "615",
+ "818"
+ ],
+ "anomali.threatstream.update_id": "1949050295",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3590,43 +3863,47 @@
 "log.offset": 43582,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "t37z5d2",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 15,
- "threatintel.anomalithreatstream.detail2": "imported by user 501",
- "threatintel.anomalithreatstream.id": 1632578144,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:y9xovpr2",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P21633460934/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 1114,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "615",
- "818"
- ],
- "threatintel.anomalithreatstream.update_id": 1949050295,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:35.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.183",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:35.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:44:35.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.183",
+ "threat.indicator.last_seen": "2020-10-09T18:44:35.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "tfva.example.org",
- "threatintel.indicator.url.full": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao",
- "threatintel.indicator.url.original": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao",
- "threatintel.indicator.url.path": "/iih3qkj/b04g7",
- "threatintel.indicator.url.query": "dwosh0qmt=wi9ao",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "tfva.example.org",
+ "threat.indicator.url.full": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao",
+ "threat.indicator.url.original": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao",
+ "threat.indicator.url.path": "/iih3qkj/b04g7",
+ "threat.indicator.url.query": "dwosh0qmt=wi9ao",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 85,
+ "anomali.threatstream.detail2": "imported by user 149",
+ "anomali.threatstream.id": "3098969355",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:wxbuhcov9",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P30134520108/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "398",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "597",
+ "913",
+ "946"
+ ],
+ "anomali.threatstream.update_id": "2645963867",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3638,44 +3915,47 @@
 "log.offset": 44184,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "rprsi-",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 85,
- "threatintel.anomalithreatstream.detail2": "imported by user 149",
- "threatintel.anomalithreatstream.id": 3098969355,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:wxbuhcov9",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P30134520108/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 398,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "597",
- "913",
- "946"
- ],
- "threatintel.anomalithreatstream.update_id": 2645963867,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 9,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:36.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "203.0.113.149",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:36.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:44:36.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "203.0.113.149",
+ "threat.indicator.last_seen": "2020-10-09T18:44:36.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "erg2.example.com",
- "threatintel.indicator.url.full": "https://erg2.example.com/4ys/vywa93c?7oru=evpi",
- "threatintel.indicator.url.original": "https://erg2.example.com/4ys/vywa93c?7oru=evpi",
- "threatintel.indicator.url.path": "/4ys/vywa93c",
- "threatintel.indicator.url.query": "7oru=evpi",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "erg2.example.com",
+ "threat.indicator.url.full": "https://erg2.example.com/4ys/vywa93c?7oru=evpi",
+ "threat.indicator.url.original": "https://erg2.example.com/4ys/vywa93c?7oru=evpi",
+ "threat.indicator.url.path": "/4ys/vywa93c",
+ "threat.indicator.url.query": "7oru=evpi",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 64,
+ "anomali.threatstream.detail2": "imported by user 59",
+ "anomali.threatstream.id": "2035701780",
+ "anomali.threatstream.itype": "mal_url",
+ "anomali.threatstream.maltype": "malware:xn2a",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P10508749376/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "2760",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "600",
+ "673",
+ "990"
+ ],
+ "anomali.threatstream.update_id": "2806149730",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3690,46 +3970,49 @@
 "-jj",
 "IP=203.0.113.22",
 "first_seen=2020-12-24T20:20:31",
+ "forwarded",
 "gogpcno",
 "mask=2001:db8:bdc6:400b:c095:41c7:1d54:8ff6",
 "popularity=low",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 64,
- "threatintel.anomalithreatstream.detail2": "imported by user 59",
- "threatintel.anomalithreatstream.id": 2035701780,
- "threatintel.anomalithreatstream.itype": "mal_url",
- "threatintel.anomalithreatstream.maltype": "malware:xn2a",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P10508749376/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 2760,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "600",
- "673",
- "990"
- ],
- "threatintel.anomalithreatstream.update_id": 2806149730,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 6,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:37.000Z",
- "threatintel.indicator.geo.country_iso_code": "IN",
- "threatintel.indicator.ip": "203.0.113.27",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:37.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:44:37.000Z",
+ "threat.indicator.geo.country_iso_code": "IN",
+ "threat.indicator.ip": "203.0.113.27",
+ "threat.indicator.last_seen": "2020-10-09T18:44:37.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "0elz6c.example.com",
- "threatintel.indicator.url.full": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl",
- "threatintel.indicator.url.original": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl",
- "threatintel.indicator.url.path": "/3nhx/cadsn6",
- "threatintel.indicator.url.query": "kfcj94=gnl",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "0elz6c.example.com",
+ "threat.indicator.url.full": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl",
+ "threat.indicator.url.original": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl",
+ "threat.indicator.url.path": "/3nhx/cadsn6",
+ "threat.indicator.url.query": "kfcj94=gnl",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 44,
+ "anomali.threatstream.detail2": "imported by user 134",
+ "anomali.threatstream.id": "2120958409",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:cu6f11gp1",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46535027346/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1973",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "125",
+ "279",
+ "552"
+ ],
+ "anomali.threatstream.update_id": "3490786662",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3741,44 +4024,46 @@
 "log.offset": 45480,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "qztcai",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 44,
- "threatintel.anomalithreatstream.detail2": "imported by user 134",
- "threatintel.anomalithreatstream.id": 2120958409,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:cu6f11gp1",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46535027346/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1973,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "125",
- "279",
- "552"
- ],
- "threatintel.anomalithreatstream.update_id": 3490786662,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:45.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "2001:db8:129e:7520:8797:95ca:a4d1:3011",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:45.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:44:45.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "2001:db8:129e:7520:8797:95ca:a4d1:3011",
+ "threat.indicator.last_seen": "2020-10-09T18:44:45.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "6i0-utr.example.com",
- "threatintel.indicator.url.full": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr",
- "threatintel.indicator.url.original": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr",
- "threatintel.indicator.url.path": "/hsv/50qcugwt",
- "threatintel.indicator.url.query": "xcl=ofr",
- "threatintel.indicator.url.scheme": "https"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "6i0-utr.example.com",
+ "threat.indicator.url.full": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr",
+ "threat.indicator.url.original": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr",
+ "threat.indicator.url.path": "/hsv/50qcugwt",
+ "threat.indicator.url.query": "xcl=ofr",
+ "threat.indicator.url.scheme": "https"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 94,
+ "anomali.threatstream.detail2": "imported by user 914",
+ "anomali.threatstream.id": "1139990065",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.maltype": "malware:9pyy91p7",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P20277063326/",
+ "anomali.threatstream.severity": "high",
+ "anomali.threatstream.source_feed_id": "2363",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "346",
+ "610"
+ ],
+ "anomali.threatstream.update_id": "2750333841",
+ "anomali.threatstream.value_type": "ip",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3793,39 +4078,41 @@
 "IP=203.0.113.155",
 "ail6s",
 "first_seen=2020-11-23T17:11:50",
+ "forwarded",
 "mask=203.0.113.23",
 "popularity=medium",
 "q0n",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 94,
- "threatintel.anomalithreatstream.detail2": "imported by user 914",
- "threatintel.anomalithreatstream.id": 1139990065,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.maltype": "malware:9pyy91p7",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P20277063326/",
- "threatintel.anomalithreatstream.severity": "high",
- "threatintel.anomalithreatstream.source_feed_id": 2363,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "346",
- "610"
- ],
- "threatintel.anomalithreatstream.update_id": 2750333841,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 9,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:47.000Z",
- "threatintel.indicator.geo.country_iso_code": "CN",
- "threatintel.indicator.ip": "203.0.113.128",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:47.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:44:47.000Z",
+ "threat.indicator.geo.country_iso_code": "CN",
+ "threat.indicator.ip": "203.0.113.128",
+ "threat.indicator.last_seen": "2020-10-09T18:44:47.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 69,
+ "anomali.threatstream.detail2": "imported by user 886",
+ "anomali.threatstream.id": "2453026318",
+ "anomali.threatstream.itype": "mal_domain",
+ "anomali.threatstream.maltype": "malware:c0-a",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P26988858868/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "1281",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "391"
+ ],
+ "anomali.threatstream.update_id": "3315952704",
+ "anomali.threatstream.value_type": "domain",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3839,39 +4126,44 @@
 "tags": [
 "0a3p",
 "first_seen=2020-03-11T09:04:13",
+ "forwarded",
 "mask=2001:db8:7aae:f1e6:e8b3:5702:40ea:29f0",
 "popularity=high",
 "smh",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 69,
- "threatintel.anomalithreatstream.detail2": "imported by user 886",
- "threatintel.anomalithreatstream.id": 2453026318,
- "threatintel.anomalithreatstream.itype": "mal_domain",
- "threatintel.anomalithreatstream.maltype": "malware:c0-a",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P26988858868/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 1281,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "391"
- ],
- "threatintel.anomalithreatstream.update_id": 3315952704,
- "threatintel.anomalithreatstream.value_type": "domain",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:50.000Z",
- "threatintel.indicator.geo.country_iso_code": "HK",
- "threatintel.indicator.ip": "203.0.113.16",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:50.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Med",
+ "threat.indicator.first_seen": "2020-10-09T18:44:50.000Z",
+ "threat.indicator.geo.country_iso_code": "HK",
+ "threat.indicator.ip": "203.0.113.16",
+ "threat.indicator.last_seen": "2020-10-09T18:44:50.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "ztpyt.example.org"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "ztpyt.example.org"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 88,
+ "anomali.threatstream.detail2": "imported by user 268",
+ "anomali.threatstream.id": "3554643386",
+ "anomali.threatstream.itype": "mal_url",
+ "anomali.threatstream.maltype": "malware:ai7s5vg01",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P48225335605/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "744",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "258",
+ "75",
+ "806"
+ ],
+ "anomali.threatstream.update_id": "3898530792",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3884,45 +4176,46 @@
 "service.type": "threatintel",
 "tags": [
 "first_seen=2020-07-17T00:42:30",
+ "forwarded",
 "mask=192.0.2.22",
 "mdedohd",
 "popularity=high",
 "sv5lmqoo",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 88,
- "threatintel.anomalithreatstream.detail2": "imported by user 268",
- "threatintel.anomalithreatstream.id": 3554643386,
- "threatintel.anomalithreatstream.itype": "mal_url",
- "threatintel.anomalithreatstream.maltype": "malware:ai7s5vg01",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P48225335605/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 744,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "258",
- "75",
- "806"
- ],
- "threatintel.anomalithreatstream.update_id": 3898530792,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 9,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:50.000Z",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:50.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:44:50.000Z",
+ "threat.indicator.last_seen": "2020-10-09T18:44:50.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "e5el.example.net",
- "threatintel.indicator.url.full": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5",
- "threatintel.indicator.url.original": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5",
- "threatintel.indicator.url.path": "/rncer/fky",
- "threatintel.indicator.url.query": "8tc53bbz=1pd-6w5",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "e5el.example.net",
+ "threat.indicator.url.full": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5",
+ "threat.indicator.url.original": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5",
+ "threat.indicator.url.path": "/rncer/fky",
+ "threat.indicator.url.query": "8tc53bbz=1pd-6w5",
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 73,
+ "anomali.threatstream.detail2": "imported by user 737",
+ "anomali.threatstream.id": "2781657405",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:6faja4zy-",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P13788530147/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "518",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "259"
+ ],
+ "anomali.threatstream.update_id": "1423149268",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3934,42 +4227,47 @@
 "log.offset": 47992,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "l019r8",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 73,
- "threatintel.anomalithreatstream.detail2": "imported by user 737",
- "threatintel.anomalithreatstream.id": 2781657405,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:6faja4zy-",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P13788530147/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 518,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "259"
- ],
- "threatintel.anomalithreatstream.update_id": 1423149268,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 7,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:54.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.226",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:54.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "High",
+ "threat.indicator.first_seen": "2020-10-09T18:44:54.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.226",
+ "threat.indicator.last_seen": "2020-10-09T18:44:54.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "eryz36i.example.net",
- "threatintel.indicator.url.full": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo",
- "threatintel.indicator.url.original": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo",
- "threatintel.indicator.url.path": "/9a86hdj/zti5r9fx",
- "threatintel.indicator.url.query": "ahz=l7dsg01qo",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "eryz36i.example.net",
+ "threat.indicator.url.full": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo",
+ "threat.indicator.url.original": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo",
+ "threat.indicator.url.path": "/9a86hdj/zti5r9fx",
+ "threat.indicator.url.query": "ahz=l7dsg01qo",
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 22,
+ "anomali.threatstream.detail2": "imported by user 703",
+ "anomali.threatstream.id": "1875325904",
+ "anomali.threatstream.itype": "phish_url",
+ "anomali.threatstream.maltype": "malware:rrcnb",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12535858975/",
+ "anomali.threatstream.severity": "medium",
+ "anomali.threatstream.source_feed_id": "417",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "114",
+ "792",
+ "802"
+ ],
+ "anomali.threatstream.update_id": "2621256767",
+ "anomali.threatstream.value_type": "url",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -3982,43 +4280,45 @@
 "service.type": "threatintel",
 "tags": [
 "4yqbj3b",
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "private",
- "threatintel.anomalithreatstream.confidence": 22,
- "threatintel.anomalithreatstream.detail2": "imported by user 703",
- "threatintel.anomalithreatstream.id": 1875325904,
- "threatintel.anomalithreatstream.itype": "phish_url",
- "threatintel.anomalithreatstream.maltype": "malware:rrcnb",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12535858975/",
- "threatintel.anomalithreatstream.severity": "medium",
- "threatintel.anomalithreatstream.source_feed_id": 417,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "114",
- "792",
- "802"
- ],
- "threatintel.anomalithreatstream.update_id": 2621256767,
- "threatintel.anomalithreatstream.value_type": "url",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:44:58.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.ip": "192.0.2.25",
- "threatintel.indicator.last_seen": "2020-10-09T18:44:58.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:44:58.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.ip": "192.0.2.25",
+ "threat.indicator.last_seen": "2020-10-09T18:44:58.000Z",
+ "threat.indicator.marking.tlp": [
 "Amber"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "i-pb.example.com",
- "threatintel.indicator.url.full": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd",
- "threatintel.indicator.url.original": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd",
- "threatintel.indicator.url.path": "/pjmy3/w0tgzb",
- "threatintel.indicator.url.query": "noe1pr9=eiwcfihd",
- "threatintel.indicator.url.scheme": "http"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "i-pb.example.com",
+ "threat.indicator.url.full": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd",
+ "threat.indicator.url.original": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd",
+ "threat.indicator.url.path": "/pjmy3/w0tgzb",
+ "threat.indicator.url.query": "noe1pr9=eiwcfihd",
+ "threat.indicator.url.scheme": "http"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 19,
+ "anomali.threatstream.detail2": "imported by user 846",
+ "anomali.threatstream.id": "2684776210",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.maltype": "malware:zfd",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P45743905551/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "965",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "641",
+ "697"
+ ],
+ "anomali.threatstream.update_id": "1171583779",
+ "anomali.threatstream.value_type": "ip",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -4032,40 +4332,44 @@
 "tags": [
 "IP=2001:db8:61be:1efa:290:c941:bef8:3803",
 "first_seen=2020-12-01T02:16:04",
+ "forwarded",
 "j6vwgb6",
 "mask=2001:db8:fc83:375e:9c60:3d50:1dc1:9f89",
 "popularity=medium",
 "qqo5fg",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 19,
- "threatintel.anomalithreatstream.detail2": "imported by user 846",
- "threatintel.anomalithreatstream.id": 2684776210,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.maltype": "malware:zfd",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P45743905551/",
- "threatintel.anomalithreatstream.severity": "very-high",
- "threatintel.anomalithreatstream.source_feed_id": 965,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "641",
- "697"
- ],
- "threatintel.anomalithreatstream.update_id": 1171583779,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.confidence": 2,
- "threatintel.indicator.first_seen": "2020-10-09T18:45:05.000Z",
- "threatintel.indicator.geo.country_iso_code": "IN",
- "threatintel.indicator.ip": "2001:db8:79d3:9083:95f2:a6fd:e475:4956",
- "threatintel.indicator.last_seen": "2020-10-09T18:45:05.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2020-10-09T18:45:05.000Z",
+ "threat.indicator.geo.country_iso_code": "IN",
+ "threat.indicator.ip": "2001:db8:79d3:9083:95f2:a6fd:e475:4956",
+ "threat.indicator.last_seen": "2020-10-09T18:45:05.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv6-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv6-addr"
 },
 {
+ "anomali.threatstream.classification": "public",
+ "anomali.threatstream.confidence": 14,
+ "anomali.threatstream.detail2": "imported by user 812",
+ "anomali.threatstream.id": "1705726884",
+ "anomali.threatstream.import_session_id": "2813",
+ "anomali.threatstream.itype": "mal_ip",
+ "anomali.threatstream.maltype": "malware:ib0ezg",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P12586136986/",
+ "anomali.threatstream.severity": "low",
+ "anomali.threatstream.source_feed_id": "632",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "459",
+ "936"
+ ],
+ "anomali.threatstream.update_id": "3651210157",
+ "anomali.threatstream.value_type": "ip",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -4077,41 +4381,42 @@
 "log.offset": 49879,
 "service.type": "threatintel",
 "tags": [
+ "forwarded",
 "threatintel-anomalithreatstream"
 ],
- "threatintel.anomalithreatstream.classification": "public",
- "threatintel.anomalithreatstream.confidence": 14,
- "threatintel.anomalithreatstream.detail2": "imported by user 812",
- "threatintel.anomalithreatstream.id": 1705726884,
- "threatintel.anomalithreatstream.import_session_id": 2813,
- "threatintel.anomalithreatstream.itype": "mal_ip",
- "threatintel.anomalithreatstream.maltype": "malware:ib0ezg",
- "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P12586136986/",
- "threatintel.anomalithreatstream.severity": "low",
- "threatintel.anomalithreatstream.source_feed_id": 632,
- "threatintel.anomalithreatstream.state": "active",
- "threatintel.anomalithreatstream.trusted_circle_ids": [
- "459",
- "936"
- ],
- "threatintel.anomalithreatstream.update_id": 3651210157,
- "threatintel.anomalithreatstream.value_type": "ip",
- "threatintel.indicator.as.number": 3356,
- "threatintel.indicator.as.organization.name": "Level 3 Communications",
- "threatintel.indicator.confidence": 1,
- "threatintel.indicator.first_seen": "2021-04-07T13:10:07.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.geo.location.lat": 5.6,
- "threatintel.indicator.geo.location.lon": 112.8,
- "threatintel.indicator.ip": "192.0.2.12",
- "threatintel.indicator.last_seen": "2021-04-19T08:57:46.000Z",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Anomali ThreatStream",
+ "threat.indicator.as.number": 3356,
+ "threat.indicator.as.organization.name": "Level 3 Communications",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.first_seen": "2021-04-07T13:10:07.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.geo.location.lat": 5.6,
+ "threat.indicator.geo.location.lon": 112.8,
+ "threat.indicator.ip": "192.0.2.12",
+ "threat.indicator.last_seen": "2021-04-19T08:57:46.000Z",
+ "threat.indicator.marking.tlp": [
 "White"
 ],
- "threatintel.indicator.provider": "Default Organization",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.indicator.provider": "Default Organization",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
+ "anomali.threatstream.classification": "private",
+ "anomali.threatstream.confidence": 81,
+ "anomali.threatstream.detail2": "imported by user 411",
+ "anomali.threatstream.id": "1502608684",
+ "anomali.threatstream.itype": "apt_ip",
+ "anomali.threatstream.resource_uri": "/api/v1/intelligence/P46655498126/",
+ "anomali.threatstream.severity": "very-high",
+ "anomali.threatstream.source_feed_id": "2891",
+ "anomali.threatstream.state": "active",
+ "anomali.threatstream.trusted_circle_ids": [
+ "474",
+ "601"
+ ],
+ "anomali.threatstream.update_id": "1170853028",
+ "anomali.threatstream.value_type": "ip",
 "event.category": "threat",
 "event.dataset": "threatintel.anomalithreatstream",
 "event.kind": "enrichment",
@@ -4123,34 +4428,36 @@ "log.offset": 50468, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 81, - "threatintel.anomalithreatstream.detail2": "imported by user 411", - "threatintel.anomalithreatstream.id": 1502608684, - "threatintel.anomalithreatstream.itype": "apt_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P46655498126/", - "threatintel.anomalithreatstream.severity": "very-high", - "threatintel.anomalithreatstream.source_feed_id": 2891, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "474", - "601" - ], - "threatintel.anomalithreatstream.update_id": 1170853028, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2021-04-29T16:02:17.000Z", - "threatintel.indicator.ip": "203.0.113.5", - "threatintel.indicator.last_seen": "2021-04-29T16:02:17.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2021-04-29T16:02:17.000Z", + "threat.indicator.ip": "203.0.113.5", + "threat.indicator.last_seen": "2021-04-29T16:02:17.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 14, + "anomali.threatstream.detail2": "imported by user 601", + "anomali.threatstream.id": "1171635730", + "anomali.threatstream.itype": "ssh_ip", + "anomali.threatstream.resource_uri": 
"/api/v1/intelligence/P24647878518/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "822", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "749" + ], + "anomali.threatstream.update_id": "1026394470", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4162,33 +4469,37 @@ "log.offset": 50919, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 14, - "threatintel.anomalithreatstream.detail2": "imported by user 601", - "threatintel.anomalithreatstream.id": 1171635730, - "threatintel.anomalithreatstream.itype": "ssh_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P24647878518/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 822, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "749" - ], - "threatintel.anomalithreatstream.update_id": 1026394470, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2021-04-29T16:02:23.000Z", - "threatintel.indicator.ip": "192.0.2.68", - "threatintel.indicator.last_seen": "2021-04-29T16:02:23.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2021-04-29T16:02:23.000Z", + "threat.indicator.ip": "192.0.2.68", + "threat.indicator.last_seen": "2021-04-29T16:02:23.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 70, + "anomali.threatstream.detail2": "imported by user 964", + "anomali.threatstream.id": "2251817936", + "anomali.threatstream.itype": "i2p_ip", + "anomali.threatstream.resource_uri": 
"/api/v1/intelligence/P47421535249/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "3194", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "235", + "630" + ], + "anomali.threatstream.update_id": "3118045359", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4200,34 +4511,37 @@ "log.offset": 51361, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 70, - "threatintel.anomalithreatstream.detail2": "imported by user 964", - "threatintel.anomalithreatstream.id": 2251817936, - "threatintel.anomalithreatstream.itype": "i2p_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P47421535249/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 3194, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "235", - "630" - ], - "threatintel.anomalithreatstream.update_id": 3118045359, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 7, - "threatintel.indicator.first_seen": "2021-04-29T16:02:24.000Z", - "threatintel.indicator.ip": "203.0.113.54", - "threatintel.indicator.last_seen": "2021-04-29T16:02:24.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2021-04-29T16:02:24.000Z", + "threat.indicator.ip": "203.0.113.54", + "threat.indicator.last_seen": "2021-04-29T16:02:24.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 77, + "anomali.threatstream.detail2": "imported by user 137", + "anomali.threatstream.id": "1966380326", + "anomali.threatstream.itype": "parked_ip", + "anomali.threatstream.resource_uri": 
"/api/v1/intelligence/P19479436344/", + "anomali.threatstream.severity": "low", + "anomali.threatstream.source_feed_id": "229", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "303", + "461" + ], + "anomali.threatstream.update_id": "1757326916", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4239,34 +4553,38 @@ "log.offset": 51809, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 77, - "threatintel.anomalithreatstream.detail2": "imported by user 137", - "threatintel.anomalithreatstream.id": 1966380326, - "threatintel.anomalithreatstream.itype": "parked_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P19479436344/", - "threatintel.anomalithreatstream.severity": "low", - "threatintel.anomalithreatstream.source_feed_id": 229, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "303", - "461" - ], - "threatintel.anomalithreatstream.update_id": 1757326916, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 8, - "threatintel.indicator.first_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.ip": "203.0.113.195", - "threatintel.indicator.last_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "High", + "threat.indicator.first_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.ip": "203.0.113.195", + "threat.indicator.last_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "private", + "anomali.threatstream.confidence": 14, + "anomali.threatstream.detail2": "imported by user 997", + "anomali.threatstream.id": "3377960871", + "anomali.threatstream.itype": "tor_ip", + "anomali.threatstream.resource_uri": 
"/api/v1/intelligence/P25503355951/", + "anomali.threatstream.severity": "medium", + "anomali.threatstream.source_feed_id": "1710", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "13", + "657", + "879" + ], + "anomali.threatstream.update_id": "1469037378", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4278,35 +4596,38 @@ "log.offset": 52257, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream" ], - "threatintel.anomalithreatstream.classification": "private", - "threatintel.anomalithreatstream.confidence": 14, - "threatintel.anomalithreatstream.detail2": "imported by user 997", - "threatintel.anomalithreatstream.id": 3377960871, - "threatintel.anomalithreatstream.itype": "tor_ip", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P25503355951/", - "threatintel.anomalithreatstream.severity": "medium", - "threatintel.anomalithreatstream.source_feed_id": 1710, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "13", - "657", - "879" - ], - "threatintel.anomalithreatstream.update_id": 1469037378, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.ip": "192.0.2.239", - "threatintel.indicator.last_seen": "2021-04-29T16:02:25.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.ip": "192.0.2.239", + "threat.indicator.last_seen": "2021-04-29T16:02:25.000Z", + "threat.indicator.marking.tlp": [ "Amber" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" }, { + "anomali.threatstream.classification": "public", + "anomali.threatstream.confidence": 12, + "anomali.threatstream.detail2": "imported by user 445", + "anomali.threatstream.id": "1049633552", + "anomali.threatstream.itype": "c2_ip", + "anomali.threatstream.maltype": 
"malware:tos5xne", + "anomali.threatstream.resource_uri": "/api/v1/intelligence/P17175297976/", + "anomali.threatstream.severity": "high", + "anomali.threatstream.source_feed_id": "274", + "anomali.threatstream.state": "active", + "anomali.threatstream.trusted_circle_ids": [ + "683", + "719" + ], + "anomali.threatstream.update_id": "1541655552", + "anomali.threatstream.value_type": "ip", "event.category": "threat", "event.dataset": "threatintel.anomalithreatstream", "event.kind": "enrichment", 
@@ -4318,33 +4639,20 @@ "log.offset": 52708, "service.type": "threatintel", "tags": [ + "forwarded", "threatintel-anomalithreatstream", "vjb9lmpcf" ], - "threatintel.anomalithreatstream.classification": "public", - "threatintel.anomalithreatstream.confidence": 12, - "threatintel.anomalithreatstream.detail2": "imported by user 445", - "threatintel.anomalithreatstream.id": 1049633552, - "threatintel.anomalithreatstream.itype": "c2_ip", - "threatintel.anomalithreatstream.maltype": "malware:tos5xne", - "threatintel.anomalithreatstream.resource_uri": "/api/v1/intelligence/P17175297976/", - "threatintel.anomalithreatstream.severity": "high", - "threatintel.anomalithreatstream.source_feed_id": 274, - "threatintel.anomalithreatstream.state": "active", - "threatintel.anomalithreatstream.trusted_circle_ids": [ - "683", - "719" - ], - "threatintel.anomalithreatstream.update_id": 1541655552, - "threatintel.anomalithreatstream.value_type": "ip", - "threatintel.indicator.confidence": 1, - "threatintel.indicator.first_seen": "2021-04-29T16:02:26.000Z", - "threatintel.indicator.ip": "192.0.2.169", - "threatintel.indicator.last_seen": "2021-04-29T16:02:26.000Z", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Anomali ThreatStream", + "threat.indicator.confidence": "Low", + "threat.indicator.first_seen": "2021-04-29T16:02:26.000Z", + "threat.indicator.ip": "192.0.2.169", + "threat.indicator.last_seen": "2021-04-29T16:02:26.000Z", + "threat.indicator.marking.tlp": [ "White" ], - "threatintel.indicator.provider": "Default Organization", - "threatintel.indicator.type": "ipv4-addr" + "threat.indicator.provider": "Default Organization", + "threat.indicator.type": "ipv4-addr" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go index 4f915c83f55..d0fa140db90 100644 
--- a/x-pack/filebeat/module/threatintel/fields.go +++ b/x-pack/filebeat/module/threatintel/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetThreatintel returns asset data. // This is the base64 encoded zlib format compressed contents of module/threatintel. func AssetThreatintel() string { - return "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" + return "eJzsXNtz2zaXf89fccYvSWYUNXGTztYPO+PmsvGM23R9yfZNAwFHIlYgwAKgFPWv/wYASVEUSEk25Ob7pn6yeDnnh4NzB8BXsMD1BdhMI7FcWhTPACy3ArsXNQokBi9gipY8A2BoqOaF5UpewH8/AwC48y+Af0PwOUqK8IkLnLqrvypWChw/A5hxFMxc+FdegSQ5XsDZmf8JYNcFXsBcq7KorrQfb78S4I25ZJwSq/R4xgWOM2KysRUma56vaS5wvVKata5HhlD/3WUIjt5zAzwvlLbgaI6Az4AsCRdk6sZyDCaTkR//620yVIEcONKHopohsrG70gti8E1GTDZVRLMJZ3uHURMg09IgzcY5ESuidzm3J3rP4D95PYCZ0nDpqL7/DL8GqrXiXVWqWv91NWcDywlx4hBsceibkUFY4FXcvwvzEo1BBtM13N9cZ6Q04+bZCArD55LYUidBUctiRnIu+HqQcamFAzdhaiWFIiwF/2tFibsDL+5vrl/CKkONsFYlUCKhZgQEqCrWoGZgM278PAwiXXJdGqssEWONphQ2BdTLr8DQIvVwtUd9KIgCNUUZQzETitgHYuASKsKH4hBcLpLMGpcLsApshvC1IQ8anc8b95pzqcX3Yso8ifY6z3r1IeglOvs4yH40zlC7MJdyKirPASit3mvGE2OJLU0qEdBSa5QWAtVaHPc312P4XRnDpwJhSUSJBojGC1BScIkjULOZ+weIZFDKhVSrYYsKcSUV6kANqNIaTaEk43IelJobqCKPH8QQpKkgdCG4sWZsSj0VKcDd3t/8cr2hXIm1R5buCWRehFLZSfh5KOKC5MGjJwJe0YMPMfxDoILnQJ1qbu9W3FrUkBHJBNYaWXMBmxHrkqD6CtuZdHihNBCp5DpXpXk5CF4Q3Zb5BvpUKYFEHg79KmSAaFwgtJlHiluwHOgpomwhD244U8Y6BS60WnKGGl5YXSIoDTMiDL4ctCsyT+ILLr02emmTuQFijKKcOJArbjMP888SNUfWHtNuuJAqJ4KPBc9VqngRSH4fcWKT50cYdjLtR7F0tA5iWhBnLTIV34rcoUNeEsHZZKZVHgHAiMXDuf9fhnKbIayISxi1sTBTpWTOIrgBqqRxZoIssI/hyhXjMx617CSoBDE2xmTjV6YokgXpQM0V5KTlNhpEMd2P3HsUBB+3dlRi5C0Uv5G8EOiKUnfXF0bcAFM54XIU/PNKlYLBFP0Tnlhs2low0ji11u2D9Nk3QpLIzBGqHpn67GQfa6qkjRcaRzP/+M1qAha/WWcyzaNLrJn0qlJUJomq5rstK3JERr5UbKvQFOGs1hvMCRcjX2x/JiZ7dfv58vzdT2cxiGr6/0jtJCd6weXcZenJbO/27uoPaNL+ilOkTqoCX8hMjdVI8pMEwNsu6W4AjKmWIMbwGQ/1egrJ7GY7RLYmlxsoNF8SG7IYrXIgUJRTwSnMsMp5mwZWdUesxx0unaz5oiY6qt7Yfr7SoeapQYkoOeOsp5AzmdJHFPZOS3IkptSNgySUlprQNbzwY3/t7OzN69cvXV7F5zI0jNrz+dwJDBmn3kqJJGJtOTVgkWZSCTVfOxKNgIczcoaWcHEeGZlzCYcP7IOnE/yIU8Sol2jJ/Sqv8trpGkqDGt6eD+J8ogQtxtkjnRg0his5SQOkBSI0kCvyoWShbrJ9tdL2gkpuqcEw6FSO+GrLCe81ujNS2Elwymej8Mu75voHL+r
/Si3ORh1yZ1NVP0LPW2To+eaqfw/O+HlRXcuJaB7t0nP3Gv7ux+aVnL2r/61IFkQvkFWPFBk3Wf1ul2y42X6wImEokdV1V3S3hmCqF7qkTGkKTrny/db6Yau0e9h7PvdDo7QTqwldoPasBuc+J6Jn9ldcMEqOm/6Z0nlo3WqcE+27J6Sp63w/eT0CAu+/foSrDyMI9XRw89YSunBXQqQbRUvFw6wwZ+9SqLNLDrx/OpyzRqNKTXFSap4Cwo1Lp5znvr+52oVSOeQ9SwO4RM3tOgWc95pbTongdh2dnqp95iOxd06mLArBu95pr2cQajWCHBkv8xFkfJ6NYIl6/cr9OzxYL/0UQ731lIamH9oh6tJFVmP3Y5s44aQLDBt8FufaK0XgMywm261VHyolR6gCwc1eKRGfhgwhs7o0FtmEck0FTjhLkm9vImhFHwL9oKQ8bxp+h9p5WbhqP9E03nticPVhX4s+CbOb6yN9mjfKZEucH4gloZIfKpsh5hV4MWpq/1KLppDL2bv+9aUq+EzJX4ToRIVTvcL0iyf6Pa4ZbyOMVbZPs2L8XfSTjfc+MVDt/SURcF3tiM1pqzqqVqZNB3GgJZScd24MjhPgtzKfonYjbSiHireS9u7ctv3TaZBUdA/G4Qw0CmJXtHHhbkj9D0rUnO6A69ejA0a2UV2D6FfP54ENuJQcrCazWbcdsIF0dXdqNFd3vUBaDaKwIBVR4J2pHo6SDKXlM46m7rgGy/GNaVNOc27DsmLFUEQNnSqGE+ddkiSciqF3Va6S4K36og5hXdtuFI+bIpW3v7r9/e9aJLq0VvNp2ckOWv1JPaeJspAvek4k/yuI973K81K6NH+TOuFya1fJFohTYDiAc6g3JgKXKOIQjrOAapY9veDj3vkO26jahPQGuAnLr8pYoFU1FI8sM5VEARjj7g4RTdudb5XZW+32XkH5tqbJ0qxIN0tXnp33Dg39GPOyTNeQu7/vqMVO47wVkONFznHrdI6pT8/VzCmB3OHsx1814aL+uTbhCVVldBnmOB39rFaQE7neEPa7PoBLKkqGzIUNAobLudgvIstzNJbkRRI5NdQeLCzGTRhUouWEDy16IUluWYxz7FFj0apQpu4GToSisQ1yR5vNLVrL5dyENYJ5qZGBkiG8+KUqxw0cN/C9XW72Tp97ONEuk2BS9a4tD2pr4ripuDkXJNWQl5mk06pLCytXojuKcWWKebamxsmI5nI+8XE/UYjaXhXwlJEFWAaa7ovZG7oYN2QqnFPQXiXjCv+QeWxR9KvlgRELSoW7UxtDh98sSmYmT+G6gVvI+TyzFdeeFGOcDonqpBmxKDogHAcm5ZacLTh+f84DAJ1qprbAPQCXUJTEGlcP9VARp0REazFYY64s7jRBt1PmhLrUnzZzCauM0yzut5q9eg53L86UataD1CtcCqwpNbAHq1fMFFhTa2UPXr+jq1ZQs5a0wnWInjbpXUJl3Zh1Q/1Ym97ASrl9p90QPgwafGrt7qkawbxYvh25qP/Gr4aakmbDQ6DE4lzpJGtjftN7Re8RQzn7De1K6QVcUsuX3K6j+5Jas6B6FkkeqsobzCar99aR0ipXcVIixLpWZN9vJS6A3g5DPFVoGpbuMCb/SMKUMFh5mNY0CPeUQscXjduAmk3jDR9kI+c9NRqU1WYbv6qIGqRvAJs9mniiWnLL328G4Hyr3zSQPcR5UZXniTZFvg+kDOSEYY1kg5Nbg2I2jOZUhYqn19LHik91vaOTpkDKZ5y2cA0rKApMdcahay6tIw25WtZR87gpfpoKq0GKcqvMShBgq82npwj/X6r8OW5afGNZByEcEO+jsoFGyLvK0Sz2dSrJ/bbmV5NTId3avd7wGAHDAsPhsQq9H5LgC4Qzv3TtkpRqAfuV0TQa5P2e6m92fNpM0CBVkhG9frjK7gI9VW54LNhHZIm7gzp1tviowR2WN0ZmKnX+GBvF4zLJXdCnyigPnYHDUD5NjpkW80m
yzhjEVPlnRKOfIg+NDekhGWnEy5w4M40h74+bu/i+r1w1MpoDFT159jqo5UfnsVHT/Bvz2ZOkCU+c4UZVfzjX7cX8JDlvn0odm/3ujuJ7z4Kbbq399qyL8WHbeL7c/fFvcNT7n/O18M/52v/087Wb0zJUaYZsVnY2Ij/Gzm8qovDJUz3c5lur39J2D8wM7Vvds6vzo6cWjho0+a0BUn8SrfNCfBdsr0tqg+vbdnrAxtMG5vY+w/qvOcFxxouLNz+fj1+Pz8dvfjzrRbmzcJkap2Mwhq/eu9WbQcO8DeM/BPyO4aQGHzseuQ3zqrhkTKMxZ1EN9RvX33dP5w1D3AOv/f2urg1dtb/D6NgGkavBUz8N1mKiiZx3JRqg9tzcg/XGveLiwtXvZu/po5ZYn9ez//qHNz89j6LV3CxSWf4NN4vKno+1cro5aderidO1janpAWrogbVYwIvXr96+3NXICJprMsXuln5IYxw7qPznScbwRfq5/k1JHMG9LE1JxAhum8OwI/iViPrfr6jXm9/9Q8JlOKYfzqJ3T0pA62N8xFqU+IgxPTcNt90Tm11chird73x2vyBwnHQ9dTfbP/88MN3OBm6tq75PM9Gb8yQe1E0p0ICaGtSuRCYuNs4I9cfYZxA+IyibV7R7eo+P/+Hd237v7kdX5jnR/abVPzw+l0rjhEzVEi/gzevzt4+ZjgBjz2jcqN+9bcuq2qYp1o3UxrvjBchLYfmkz9W0ZbLz/YauQAYekErn5iJ8Uqxf6A53r7gjR5LgWFXSW1q0m2yGbOvPRFlmyCr/t84ur/lUb+tTf00Zzo6ySfSrhcc1KK83X4uqPplq+VbetXHgmIpn1VjxFAc44reCazQpOH50pA5iRomgpUg10hbfmvAAhmYjckIhh6/RDLJN99XOimf1wc4VtxkPXZteHd9pWkyStZW+aD7nkohW4dml3SztsiVqQzTHNAdMN+RCzUY0guBysam6Q78tBqU5khFBEs8k9lXeBuvPNwLZnAWqGnpApqq0QGQN6V8BAAD///eBqM4=" } diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml index 16a50f3a0ff..ea68e4c23cb 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: malwarebazaar +- name: abusech.malwarebazaar type: group description: > Fields for Malware Bazaar Threat Intel diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml index a8cbef0b52b..6c90f1d86dc 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml 
@@ -5,19 +5,14 @@ interval: {{ .interval }} request.method: POST {{ if .ssl }} - request.ssl: {{ .ssl | tojson }} {{ end }} {{ if .proxy_url }} request.proxy_url: {{ .proxy_url }} {{ end }} request.url: {{ .url }} -#request.encode_as: application/x-www-form-encoded - +request.encode_as: application/x-www-form-urlencoded request.transforms: -- set: - target: header.Content-Type - value: application/x-www-form-urlencoded - set: target: url.params.query value: get_recent @@ -39,17 +34,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.md5_hash"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml index c2c4b51810d..0a5aca9dbb3 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml @@ -1,4 +1,5 @@ -description: Pipeline for parsing Malware Bazaar Threat Intel +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel processors: #################### # Event ECS fields # @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment 
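Review bot: The `request.ssl: {{ .ssl | tojson }}` line under `{{ if .ssl }}` is the only TLS-relevant line in this hunk and the collapsed diff leaves it ambiguous: read as a removed line it drops the user's `ssl` block (CA, verification mode) from the rendered httpjson input entirely, and read as a surviving `  - request.ssl:` list item it does not parse as a sibling of `request.method` and `request.url`. Either way the new side should carry `request.ssl: {{ .ssl | tojson }}` at the same indentation as `request.url: {{ .url }}`, and a fileset test that renders the template with `ssl` set would catch this. The `{{ if .proxy_url }}` block directly below shows the intended shape.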
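Review bot: The new `description` reads `Pipeline for parsing Abuse.ch URL Threat Intel`, but this is the MalwareBazaar pipeline (the file path and the later `abusech.malwarebazaar` targets say so), so it looks copied from the abuseurl fileset. Suggest `description: Pipeline for parsing Abuse.ch MalwareBazaar Threat Intel` so the pipeline is identifiable in `GET _ingest/pipeline` output when triaging ingest failures.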
@@ -20,148 +24,182 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.malwarebazaar - ignore_missing: true + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: abusech.malwarebazaar + - fingerprint: + fields: + - abusech.malwarebazaar.md5_hash + - abusech.malwarebazaar.sha256_hash + target_field: "_id" ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] AbuseCH MalwareBazaar" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" - date: - field: threatintel.malwarebazaar.first_seen - target_field: threatintel.indicator.first_seen + field: abusech.malwarebazaar.first_seen + target_field: threat.indicator.first_seen formats: - "yyyy-MM-dd HH:mm:ss z" - "yyyy-MM-dd HH:mm:ss Z" - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.malwarebazaar.first_seen != null" + if: "ctx.abusech?.malwarebazaar?.first_seen != null" - date: - field: threatintel.malwarebazaar.last_seen - target_field: threatintel.indicator.last_seen + field: abusech.malwarebazaar.last_seen + target_field: threat.indicator.last_seen formats: - "yyyy-MM-dd HH:mm:ss z" - "yyyy-MM-dd HH:mm:ss Z" - "yyyy-MM-dd HH:mm:ss" - if: "ctx?.threatintel?.malwarebazaar.last_seen != null" + if: "ctx.abusech?.malwarebazaar?.last_seen != null" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - rename: - field: threatintel.malwarebazaar.file_name - target_field: threatintel.indicator.file.name + field: abusech.malwarebazaar.file_name + target_field: threat.indicator.file.name ignore_missing: true - rename: - field: threatintel.malwarebazaar.file_type_mime - target_field: threatintel.indicator.file.mime_type + field: abusech.malwarebazaar.file_type_mime + target_field: threat.indicator.file.mime_type ignore_missing: true - rename: - field: 
threatintel.malwarebazaar.reporter - target_field: threatintel.indicator.provider + field: abusech.malwarebazaar.reporter + target_field: threat.indicator.provider ignore_missing: true - rename: - field: threatintel.malwarebazaar.origin_country - target_field: threatintel.indicator.geo.country_iso_code + field: abusech.malwarebazaar.origin_country + target_field: threat.indicator.geo.country_iso_code ignore_missing: true - rename: - field: threatintel.malwarebazaar.signature - target_field: threatintel.indicator.signature + field: abusech.malwarebazaar.signature + target_field: threat.software.alias ignore_missing: true - foreach: - field: threatintel.malwarebazaar.code_sign + field: abusech.malwarebazaar.code_sign ignore_missing: true processor: rename: - field: subject_cn - target_field: threatintel.indicator.file.x509.subject.common_name + field: _ingest._value.subject_cn + target_field: threat.indicator.file.x509.subject.common_name + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: issuer_cn - target_field: threatintel.indicator.file.x509.issuer.common_name + field: _ingest._value.issuer_cn + target_field: threat.indicator.file.x509.issuer.common_name + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: algorithm - target_field: threatintel.indicator.file.x509.public_key_algorithm + field: _ingest._value.algorithm + target_field: threat.indicator.file.x509.public_key_algorithm + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: valid_from - target_field: threatintel.indicator.file.x509.not_before + field: _ingest._value.valid_from + target_field: threat.indicator.file.x509.not_before + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: valid_to - target_field: threatintel.indicator.file.x509.not_after + field: _ingest._value.valid_to + 
target_field: threat.indicator.file.x509.not_after + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: rename: - field: serial_number - target_field: threatintel.indicator.file.x509.serial_number + field: _ingest._value.serial_number + target_field: threat.indicator.file.x509.serial_number - rename: - field: threatintel.malwarebazaar.file_size - target_field: threatintel.indicator.file.size + field: abusech.malwarebazaar.file_size + target_field: threat.indicator.file.size ignore_missing: true - rename: - field: threatintel.malwarebazaar.file_type - target_field: threatintel.indicator.file.extension + field: abusech.malwarebazaar.file_type + target_field: threat.indicator.file.extension ignore_missing: true - rename: - field: threatintel.malwarebazaar.md5_hash - target_field: threatintel.indicator.file.hash.md5 + field: abusech.malwarebazaar.md5_hash + target_field: threat.indicator.file.hash.md5 ignore_missing: true - rename: - field: threatintel.malwarebazaar.sha256_hash - target_field: threatintel.indicator.file.hash.sha256 + field: abusech.malwarebazaar.sha256_hash + target_field: threat.indicator.file.hash.sha256 ignore_missing: true - rename: - field: threatintel.malwarebazaar.sha1_hash - target_field: threatintel.indicator.file.hash.sha1 + field: abusech.malwarebazaar.sha1_hash + target_field: threat.indicator.file.hash.sha1 ignore_missing: true - rename: - field: threatintel.malwarebazaar.sha3_384_hash - target_field: threatintel.indicator.file.hash.sha384 + field: abusech.malwarebazaar.sha3_384_hash + target_field: threat.indicator.file.hash.sha384 ignore_missing: true - rename: - field: threatintel.malwarebazaar.imphash - target_field: threatintel.indicator.file.pe.imphash + field: abusech.malwarebazaar.imphash + target_field: threat.indicator.file.pe.imphash ignore_missing: true - rename: - field: threatintel.malwarebazaar.ssdeep - target_field: threatintel.indicator.file.hash.ssdeep + field: 
abusech.malwarebazaar.ssdeep + target_field: threat.indicator.file.hash.ssdeep ignore_missing: true - rename: - field: threatintel.malwarebazaar.tlsh - target_field: threatintel.indicator.file.hash.tlsh + field: abusech.malwarebazaar.tlsh + target_field: threat.indicator.file.hash.tlsh ignore_missing: true - rename: - field: threatintel.malwarebazaar.telfhash - target_field: threatintel.indicator.file.elf.telfhash + field: abusech.malwarebazaar.telfhash + target_field: threat.indicator.file.elf.telfhash ignore_missing: true - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.md5 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.md5 != null + value: "{{ threat.indicator.file.hash.md5 }}" + if: ctx?.threat?.indicator?.file?.hash?.md5 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.sha256 }}" - if: ctx?.threatintel?.indicator?.file?.hash?.sha256 != null + value: "{{ threat.indicator.file.hash.sha256 }}" + if: ctx?.threat?.indicator?.file?.hash?.sha256 != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.ssdeep }}" - if: ctx?.threatintel?.indicator?.file?.hash?.ssdeep != null + value: "{{ threat.indicator.file.hash.ssdeep }}" + if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null - append: field: related.hash - value: "{{ threatintel.indicator.file.pe.imphash }}" - if: ctx?.threatintel?.indicator?.file?.pe?.imphash != null + value: "{{ threat.indicator.file.pe.imphash }}" + if: ctx?.threat?.indicator?.file?.pe?.imphash != null - append: field: related.hash - value: "{{ threatintel.indicator.file.elf.telfhash }}" - if: ctx?.threatintel?.indicator?.file?.elf?.telfhash != null + value: "{{ threat.indicator.file.elf.telfhash }}" + if: ctx?.threat?.indicator?.file?.elf?.telfhash != null - append: field: related.hash - value: "{{ threatintel.indicator.file.hash.tlsh }}" - if: ctx?.threatintel?.indicator?.file?.hash?.tlsh != null + value: "{{ threat.indicator.file.hash.tlsh }}" + if: 
ctx?.threat?.indicator?.file?.hash?.tlsh != null - convert: - field: threatintel.indicator.file.size + field: threat.indicator.file.size type: long ignore_missing: true - convert: - field: threatintel.malwarebazaar.intelligence.downloads + field: abusech.malwarebazaar.intelligence.downloads type: long ignore_missing: true - convert: - field: threatintel.malwarebazaar.intelligence.uploads + field: abusech.malwarebazaar.intelligence.uploads type: long ignore_missing: true @@ -169,12 +207,12 @@ processors: # Cleanup processors # ###################### - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx?.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx?.abusech != null source: | void handleMap(Map map) { for (def x : map.values()) { @@ -196,10 +234,15 @@ processors: } } handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - remove: field: - - threatintel.malwarebazaar.first_seen - - threatintel.malwarebazaar.last_seen + - abusech.malwarebazaar.first_seen + - abusech.malwarebazaar.last_seen - message ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml index e9294ca9e2e..b90ea0d9562 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/manifest.yml @@ -11,6 +11,8 @@ var: - name: tags default: [threatintel-malwarebazaar, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml 
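Review bot: The six `foreach` processors over `abusech.malwarebazaar.code_sign` each `rename` a per-entry value into one fixed target such as `threat.indicator.file.x509.subject.common_name`; `rename` throws when the target already exists, so a sample with more than one code-signing entry would, as far as I can tell, fail the whole pipeline and end up in `on_failure` instead of being indexed with its hashes. ECS defines the x509 `common_name` fields as lists, so an `append` that references `_ingest._value` keeps every signer and cannot collide (sketched below for `subject_cn`; the other five follow the same pattern and become arrays only when several signers exist). Separately, `threat.indicator.file.hash.sha1` is renamed but, unlike md5/sha256/ssdeep/imphash/telfhash/tlsh, never appended to `related.hash`, so a SHA-1 pivot from endpoint events misses these indicators. Also, if `sha3_384_hash` is the SHA3-384 digest its name suggests, storing it in `threat.indicator.file.hash.sha384` (SHA-2 in ECS) means it never matches a real SHA-384 and can mislead an analyst; leaving it under `abusech.malwarebazaar.sha3_384_hash` is safer. The `processors` list begins before this hunk and its `on_failure` handler lies outside it.
```yaml
  - foreach:
      field: abusech.malwarebazaar.code_sign
      ignore_missing: true
      processor:
        append:
          field: threat.indicator.file.x509.subject.common_name
          value: "{{{_ingest._value.subject_cn}}}"
          allow_duplicates: false
          # skip entries that carry no subject_cn so no empty string is appended
          if: "ctx._ingest._value.subject_cn != null"
  # … same foreach/append shape for issuer_cn, algorithm, valid_from, valid_to, serial_number …
  # … unchanged: file_size / file_type / hash renames, related.hash appends, convert processors …
```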
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json index 1d84eda36cb..40b3f4289ec 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json @@ -1,5 +1,12 @@ [ { + "abusech.malwarebazaar.anonymous": 0, + "abusech.malwarebazaar.code_sign": [], + "abusech.malwarebazaar.intelligence.downloads": 15, + "abusech.malwarebazaar.intelligence.uploads": 1, + "abusech.malwarebazaar.tags": [ + "exe" + ], "event.category": "threat", "event.dataset": "threatintel.malwarebazaar", "event.kind": "enrichment", 
@@ -20,30 +27,29 @@
 "forwarded",
 "threatintel-malwarebazaar"
 ],
- "threatintel.indicator.file.extension": "exe",
- "threatintel.indicator.file.hash.md5": "0af07660056a692b7cb82fa329221ddd",
- "threatintel.indicator.file.hash.sha1": "a71fd0504821092e003f350080a6bcc5fa6a972e",
- "threatintel.indicator.file.hash.sha256": "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b",
- "threatintel.indicator.file.hash.sha384": "3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e",
- "threatintel.indicator.file.hash.ssdeep": "3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG",
- "threatintel.indicator.file.hash.tlsh": "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686",
- "threatintel.indicator.file.mime_type": "application/x-dosexec",
- "threatintel.indicator.file.name": "SALM0BRU.exe",
- "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
- "threatintel.indicator.file.size": 399872,
- "threatintel.indicator.first_seen": "2021-04-06T20:34:58.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.provider": "James_inthe_box",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 15,
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "exe"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "exe",
+ "threat.indicator.file.hash.md5": "0af07660056a692b7cb82fa329221ddd",
+ "threat.indicator.file.hash.sha1": "a71fd0504821092e003f350080a6bcc5fa6a972e",
+ "threat.indicator.file.hash.sha256": "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b",
+ "threat.indicator.file.hash.sha384": "3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e",
+ "threat.indicator.file.hash.ssdeep": "3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG",
+ "threat.indicator.file.hash.tlsh": "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686",
+ "threat.indicator.file.mime_type": "application/x-dosexec",
+ "threat.indicator.file.name": "SALM0BRU.exe",
+ "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
+ "threat.indicator.file.size": 399872,
+ "threat.indicator.first_seen": "2021-04-06T20:34:58.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.provider": "James_inthe_box",
+ "threat.indicator.type": "file"
 },
 {
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 11,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
 "event.category": "threat",
 "event.dataset": "threatintel.malwarebazaar",
 "event.kind": "enrichment",
@@ -63,26 +69,31 @@
 "forwarded",
 "threatintel-malwarebazaar"
 ],
- "threatintel.indicator.file.extension": "zip",
- "threatintel.indicator.file.hash.md5": "296aad7075596d21516b30bfbc17fcac",
- "threatintel.indicator.file.hash.sha1": "c454be4eb0892d61a4ad6bac16f97724e73cd795",
- "threatintel.indicator.file.hash.sha256": "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f",
- "threatintel.indicator.file.hash.sha384": "0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7",
- "threatintel.indicator.file.hash.ssdeep": "12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr",
- "threatintel.indicator.file.hash.tlsh": "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF",
- "threatintel.indicator.file.mime_type": "application/zip",
- "threatintel.indicator.file.name": "PO_NO.ENQUIRY-210604.zip",
- "threatintel.indicator.file.size": 476768,
- "threatintel.indicator.first_seen": "2021-04-06T20:32:25.000Z",
- "threatintel.indicator.geo.country_iso_code": "US",
- "threatintel.indicator.provider": "GovCERT_CH",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 11,
- "threatintel.malwarebazaar.intelligence.uploads": 1
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "zip",
+ "threat.indicator.file.hash.md5": "296aad7075596d21516b30bfbc17fcac",
+ "threat.indicator.file.hash.sha1": "c454be4eb0892d61a4ad6bac16f97724e73cd795",
+ "threat.indicator.file.hash.sha256": "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f",
+ "threat.indicator.file.hash.sha384": "0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7",
+ "threat.indicator.file.hash.ssdeep": "12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr",
+ "threat.indicator.file.hash.tlsh": "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF",
+ "threat.indicator.file.mime_type": "application/zip",
+ "threat.indicator.file.name": "PO_NO.ENQUIRY-210604.zip",
+ "threat.indicator.file.size": 476768,
+ "threat.indicator.first_seen": "2021-04-06T20:32:25.000Z",
+ "threat.indicator.geo.country_iso_code": "US",
+ "threat.indicator.provider": "GovCERT_CH",
+ "threat.indicator.type": "file"
 },
 {
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 30,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "Hancitor"
+ ],
 "event.category": "threat",
 "event.dataset": "threatintel.malwarebazaar",
 "event.kind": "enrichment",
@@ -103,31 +114,34 @@
 "forwarded",
 "threatintel-malwarebazaar"
 ],
- "threatintel.indicator.file.extension": "dll",
- "threatintel.indicator.file.hash.md5": "a4838dd31c672122441bebcbf7e9d277",
- "threatintel.indicator.file.hash.sha1": "bf103996196df8255881127dee103c22fc12bef3",
- "threatintel.indicator.file.hash.sha256": "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b",
- "threatintel.indicator.file.hash.sha384": "ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc",
- "threatintel.indicator.file.hash.ssdeep": "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG",
- "threatintel.indicator.file.hash.tlsh": "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7",
- "threatintel.indicator.file.mime_type": "application/x-dosexec",
- "threatintel.indicator.file.name": "DropDll.dat",
- "threatintel.indicator.file.pe.imphash": "0b5a952a025c2783c3126cdb9bef2844",
- "threatintel.indicator.file.size": 435926,
- "threatintel.indicator.first_seen": "2021-04-06T20:12:29.000Z",
- "threatintel.indicator.geo.country_iso_code": "DE",
- "threatintel.indicator.provider": "DmitriyMelikov",
- "threatintel.indicator.signature": "Hancitor",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 30,
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "Hancitor"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "dll",
+ "threat.indicator.file.hash.md5": "a4838dd31c672122441bebcbf7e9d277",
+ "threat.indicator.file.hash.sha1": "bf103996196df8255881127dee103c22fc12bef3",
+ "threat.indicator.file.hash.sha256": "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b",
+ "threat.indicator.file.hash.sha384": "ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc",
+ "threat.indicator.file.hash.ssdeep": "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG",
+ "threat.indicator.file.hash.tlsh": "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7",
+ "threat.indicator.file.mime_type": "application/x-dosexec",
+ "threat.indicator.file.name": "DropDll.dat",
+ "threat.indicator.file.pe.imphash": "0b5a952a025c2783c3126cdb9bef2844",
+ "threat.indicator.file.size": 435926,
+ "threat.indicator.first_seen": "2021-04-06T20:12:29.000Z",
+ "threat.indicator.geo.country_iso_code": "DE",
+ "threat.indicator.provider": "DmitriyMelikov",
+ "threat.indicator.type": "file",
+ "threat.software.alias": "Hancitor"
 },
 {
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 27,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "backdoor",
+ "python"
+ ],
 "event.category": "threat",
 "event.dataset": "threatintel.malwarebazaar",
 "event.kind": "enrichment",
@@ -147,30 +161,31 @@
 "forwarded",
 "threatintel-malwarebazaar"
 ],
- "threatintel.indicator.file.extension": "unknown",
- "threatintel.indicator.file.hash.md5": "8d7c8b55ac49d241fb7f75a27a5ef8d5",
- "threatintel.indicator.file.hash.sha1": "a68ca1b41cb93fe2879bb3baeb8e19990758f099",
- "threatintel.indicator.file.hash.sha256": "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00",
- "threatintel.indicator.file.hash.sha384": "788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c",
- "threatintel.indicator.file.hash.ssdeep": "192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7",
- "threatintel.indicator.file.hash.tlsh": "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD",
- "threatintel.indicator.file.mime_type": "text/x-script.python",
- "threatintel.indicator.file.name": "vabsheche.py",
- "threatintel.indicator.file.size": 11717,
- "threatintel.indicator.first_seen": "2021-04-06T20:07:59.000Z",
- "threatintel.indicator.geo.country_iso_code": "FR",
- "threatintel.indicator.provider": "ArkbirdDevil",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 27,
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "backdoor",
- "python"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "unknown",
+ "threat.indicator.file.hash.md5": "8d7c8b55ac49d241fb7f75a27a5ef8d5",
+ "threat.indicator.file.hash.sha1": "a68ca1b41cb93fe2879bb3baeb8e19990758f099",
+ "threat.indicator.file.hash.sha256": "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00",
+ "threat.indicator.file.hash.sha384": "788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c",
+ "threat.indicator.file.hash.ssdeep": "192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7",
+ "threat.indicator.file.hash.tlsh": "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD",
+ "threat.indicator.file.mime_type": "text/x-script.python",
+ "threat.indicator.file.name": "vabsheche.py",
+ "threat.indicator.file.size": 11717,
+ "threat.indicator.first_seen": "2021-04-06T20:07:59.000Z",
+ "threat.indicator.geo.country_iso_code": "FR",
+ "threat.indicator.provider": "ArkbirdDevil",
+ "threat.indicator.type": "file"
 },
 {
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 21,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "maldoc"
+ ],
 "event.category": "threat",
 "event.dataset": "threatintel.malwarebazaar",
 "event.kind": "enrichment",
@@ -190,29 +205,32 @@
 "forwarded",
 "threatintel-malwarebazaar"
 ],
- "threatintel.indicator.file.extension": "docx",
- "threatintel.indicator.file.hash.md5": "fe185f106730583156f39233f77f8019",
- "threatintel.indicator.file.hash.sha1": "e8378aede9f26f09b7d503d79a05d67612be15f6",
- "threatintel.indicator.file.hash.sha256": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4",
- "threatintel.indicator.file.hash.sha384": "752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f",
- "threatintel.indicator.file.hash.ssdeep": "196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2",
- "threatintel.indicator.file.hash.tlsh": "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144",
- "threatintel.indicator.file.mime_type": "application/msword",
- "threatintel.indicator.file.name": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin",
- "threatintel.indicator.file.size": 7929856,
- "threatintel.indicator.first_seen": "2021-04-06T20:00:48.000Z",
- "threatintel.indicator.geo.country_iso_code": "FR",
- "threatintel.indicator.provider": "ArkbirdDevil",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 21,
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "maldoc"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "docx",
+ "threat.indicator.file.hash.md5": "fe185f106730583156f39233f77f8019",
+ "threat.indicator.file.hash.sha1": "e8378aede9f26f09b7d503d79a05d67612be15f6",
+ "threat.indicator.file.hash.sha256": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4",
+ "threat.indicator.file.hash.sha384": "752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f",
+ "threat.indicator.file.hash.ssdeep": "196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2",
+ "threat.indicator.file.hash.tlsh": "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144",
+ "threat.indicator.file.mime_type": "application/msword",
+ "threat.indicator.file.name": "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin",
+ "threat.indicator.file.size": 7929856,
+ "threat.indicator.first_seen": "2021-04-06T20:00:48.000Z",
+ "threat.indicator.geo.country_iso_code": "FR",
+ "threat.indicator.provider": "ArkbirdDevil",
+ "threat.indicator.type": "file"
 },
 {
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 30,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "apt",
+ "tonto"
+ ],
 "event.category": "threat",
 "event.dataset": "threatintel.malwarebazaar",
 "event.kind": "enrichment",
@@ -233,31 +251,29 @@
 "forwarded",
 "threatintel-malwarebazaar"
 ],
- "threatintel.indicator.file.extension": "dll",
- "threatintel.indicator.file.hash.md5": "70da6872b6b2da9ddc94d14b02302917",
- "threatintel.indicator.file.hash.sha1": "b2da45913353bfc66d189455f9ad80ef26968143",
- "threatintel.indicator.file.hash.sha256": "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c",
- "threatintel.indicator.file.hash.sha384": "c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58",
- "threatintel.indicator.file.hash.ssdeep": "1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E",
- "threatintel.indicator.file.hash.tlsh": "A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27",
- "threatintel.indicator.file.mime_type": "application/x-dosexec",
- "threatintel.indicator.file.name": "winlog.wll",
- "threatintel.indicator.file.pe.imphash": "6476b7c4dd55eafbdf922a7ba1e2d5f9",
- "threatintel.indicator.file.size": 131584,
- "threatintel.indicator.first_seen": "2021-04-06T19:58:50.000Z",
- "threatintel.indicator.geo.country_iso_code": "FR",
- "threatintel.indicator.provider": "ArkbirdDevil",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 30,
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "apt",
- "tonto"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "dll",
+ "threat.indicator.file.hash.md5": "70da6872b6b2da9ddc94d14b02302917",
+ "threat.indicator.file.hash.sha1": "b2da45913353bfc66d189455f9ad80ef26968143",
+ "threat.indicator.file.hash.sha256": "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c",
+ "threat.indicator.file.hash.sha384": "c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58",
+ "threat.indicator.file.hash.ssdeep": "1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E",
+ "threat.indicator.file.hash.tlsh": "A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27",
+ "threat.indicator.file.mime_type": "application/x-dosexec",
+ "threat.indicator.file.name": "winlog.wll",
+ "threat.indicator.file.pe.imphash": "6476b7c4dd55eafbdf922a7ba1e2d5f9",
+ "threat.indicator.file.size": 131584,
+ "threat.indicator.first_seen": "2021-04-06T19:58:50.000Z",
+ "threat.indicator.geo.country_iso_code": "FR",
+ "threat.indicator.provider": "ArkbirdDevil",
+ "threat.indicator.type": "file"
 },
 {
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 32,
+ "abusech.malwarebazaar.intelligence.uploads": 1,
 "event.category": "threat",
 "event.dataset": "threatintel.malwarebazaar",
 "event.kind": "enrichment",
@@ -277,26 +293,33 @@
 "forwarded",
 "threatintel-malwarebazaar"
 ],
- "threatintel.indicator.file.extension": "docx",
- "threatintel.indicator.file.hash.md5": "de80e1d7d9f5b1c64ec9f8d4f5063989",
- "threatintel.indicator.file.hash.sha1": "3d613d5678e43faeea1c636185a0b4c3ec80e742",
- "threatintel.indicator.file.hash.sha256": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606",
- "threatintel.indicator.file.hash.sha384": "a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4",
- "threatintel.indicator.file.hash.ssdeep": "24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO",
- "threatintel.indicator.file.hash.tlsh": "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7",
- "threatintel.indicator.file.mime_type": "application/msword",
- "threatintel.indicator.file.name": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample",
- "threatintel.indicator.file.size": 1088000,
- "threatintel.indicator.first_seen": "2021-04-06T19:58:44.000Z",
- "threatintel.indicator.geo.country_iso_code": "DE",
- "threatintel.indicator.provider": "DmitriyMelikov",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 32,
- "threatintel.malwarebazaar.intelligence.uploads": 1
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "docx",
+ "threat.indicator.file.hash.md5": "de80e1d7d9f5b1c64ec9f8d4f5063989",
+ "threat.indicator.file.hash.sha1": "3d613d5678e43faeea1c636185a0b4c3ec80e742",
+ "threat.indicator.file.hash.sha256": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606",
+ "threat.indicator.file.hash.sha384": "a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4",
+ "threat.indicator.file.hash.ssdeep": "24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO",
+ "threat.indicator.file.hash.tlsh": "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7",
+ "threat.indicator.file.mime_type": "application/msword",
+ "threat.indicator.file.name": "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample",
+ "threat.indicator.file.size": 1088000,
+ "threat.indicator.first_seen": "2021-04-06T19:58:44.000Z",
+ "threat.indicator.geo.country_iso_code": "DE",
+ "threat.indicator.provider": "DmitriyMelikov",
+ "threat.indicator.type": "file"
 },
 {
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 38,
+ "abusech.malwarebazaar.intelligence.mail.Generic": "low",
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "SnakeKeylogger",
+ "exe"
+ ],
 "event.category": "threat",
 "event.dataset": "threatintel.malwarebazaar",
 "event.kind": "enrichment",
@@ -317,33 +340,35 @@
 "forwarded",
 "threatintel-malwarebazaar"
 ],
- "threatintel.indicator.file.extension": "exe",
- "threatintel.indicator.file.hash.md5": "2759c73c986c6a757bf9d25621c5595a",
- "threatintel.indicator.file.hash.sha1": "00b52e8ca1785d5086703ad8cff1d28fc3354934",
- "threatintel.indicator.file.hash.sha256": "84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b",
- "threatintel.indicator.file.hash.sha384": "138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d",
- "threatintel.indicator.file.hash.ssdeep": "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0",
- "threatintel.indicator.file.hash.tlsh": "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646",
- "threatintel.indicator.file.mime_type": "application/x-dosexec",
- "threatintel.indicator.file.name": "Purchase Order.8000.scan.pdf...exe",
- "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
- "threatintel.indicator.file.size": 752128,
- "threatintel.indicator.first_seen": "2021-04-06T19:52:32.000Z",
- "threatintel.indicator.geo.country_iso_code": "FR",
- "threatintel.indicator.provider": "James_inthe_box",
- "threatintel.indicator.signature": "SnakeKeylogger",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 38,
- "threatintel.malwarebazaar.intelligence.mail.Generic": "low",
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "SnakeKeylogger",
- "exe"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "exe",
+ "threat.indicator.file.hash.md5": "2759c73c986c6a757bf9d25621c5595a",
+ "threat.indicator.file.hash.sha1": "00b52e8ca1785d5086703ad8cff1d28fc3354934",
+ "threat.indicator.file.hash.sha256": "84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b",
+ "threat.indicator.file.hash.sha384": "138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d",
+ "threat.indicator.file.hash.ssdeep": "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0",
+ "threat.indicator.file.hash.tlsh": "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646",
+ "threat.indicator.file.mime_type": "application/x-dosexec",
+ "threat.indicator.file.name": "Purchase Order.8000.scan.pdf...exe",
+ "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
+ "threat.indicator.file.size": 752128,
+ "threat.indicator.first_seen": "2021-04-06T19:52:32.000Z",
+ "threat.indicator.geo.country_iso_code": "FR",
+ "threat.indicator.provider": "James_inthe_box",
+ "threat.indicator.type": "file",
+ "threat.software.alias": "SnakeKeylogger"
 },
 {
+ "abusech.malwarebazaar.anonymous": 0,
+ "abusech.malwarebazaar.code_sign": [],
+ "abusech.malwarebazaar.intelligence.downloads": 40,
+ "abusech.malwarebazaar.intelligence.mail.Generic": "low",
+ "abusech.malwarebazaar.intelligence.uploads": 1,
+ "abusech.malwarebazaar.tags": [
+ "AgentTesla",
+ "exe"
+ ],
 "event.category": "threat",
 "event.dataset": "threatintel.malwarebazaar",
 "event.kind": "enrichment",
@@ -364,30 +389,23 @@
 "forwarded",
 "threatintel-malwarebazaar"
 ],
- "threatintel.indicator.file.extension": "exe",
- "threatintel.indicator.file.hash.md5": "596b3dbf07a287dcf76860b5e54762c3",
- "threatintel.indicator.file.hash.sha1": "a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5",
- "threatintel.indicator.file.hash.sha256": "0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8",
- "threatintel.indicator.file.hash.sha384": "ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c",
- "threatintel.indicator.file.hash.ssdeep": "12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN",
- "threatintel.indicator.file.hash.tlsh": "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655",
- "threatintel.indicator.file.mime_type": "application/x-dosexec",
- "threatintel.indicator.file.name": "New Order PO#121012020_____PDF_______.exe",
- "threatintel.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
- "threatintel.indicator.file.size": 836096,
- "threatintel.indicator.first_seen": "2021-04-06T19:47:13.000Z",
- "threatintel.indicator.geo.country_iso_code": "FR",
- "threatintel.indicator.provider": "James_inthe_box",
- "threatintel.indicator.signature": "AgentTesla",
- "threatintel.indicator.type": "file",
- "threatintel.malwarebazaar.anonymous": 0,
- "threatintel.malwarebazaar.code_sign": [],
- "threatintel.malwarebazaar.intelligence.downloads": 40,
- "threatintel.malwarebazaar.intelligence.mail.Generic": "low",
- "threatintel.malwarebazaar.intelligence.uploads": 1,
- "threatintel.malwarebazaar.tags": [
- "AgentTesla",
- "exe"
- ]
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] AbuseCH MalwareBazaar",
+ "threat.indicator.file.extension": "exe",
+ "threat.indicator.file.hash.md5": "596b3dbf07a287dcf76860b5e54762c3",
+ "threat.indicator.file.hash.sha1": "a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5",
+ "threat.indicator.file.hash.sha256": "0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8",
+ "threat.indicator.file.hash.sha384": "ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c",
+ "threat.indicator.file.hash.ssdeep": "12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN",
+ "threat.indicator.file.hash.tlsh": "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655",
+ "threat.indicator.file.mime_type": "application/x-dosexec",
+ "threat.indicator.file.name": "New Order PO#121012020_____PDF_______.exe",
+ "threat.indicator.file.pe.imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
+ "threat.indicator.file.size": 836096,
+ "threat.indicator.first_seen": "2021-04-06T19:47:13.000Z",
+ "threat.indicator.geo.country_iso_code": "FR",
+ "threat.indicator.provider": "James_inthe_box",
+ "threat.indicator.type": "file",
+ "threat.software.alias": "AgentTesla"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/misp/config/config.yml b/x-pack/filebeat/module/threatintel/misp/config/config.yml
index 922f794af20..53ce56b16a2 100644
--- a/x-pack/filebeat/module/threatintel/misp/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/misp/config/config.yml
@@ -12,18 +12,24 @@ request.proxy_url: {{ .proxy_url }}
 {{ end }}
 request.url: {{ .url }}
 request.body:
- limit: 100
- page: 1
- returnFormat: json
-{{if .filters}}
- {{ range $key, $value := .filters}}{{$key}}: {{$value | tojson}}{{end}}
-{{end}}
+{{ if .filters }}
+ {{ .filters | tojson}}
+{{ end }}
 request.transforms:
 {{ if .api_token }}
 - set:
 target: header.Authorization
 value: {{ .api_token }}
-{{end}}
+{{ end }}
+- set:
+ target: body.page
+ value: 1
+- set:
+ target: body.limit
+ value: 10
+- set:
+ target: body.returnFormat
+ value: json
 - set:
 target: body.timestamp
 value: '[[.cursor.timestamp]]'
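Review bot: The page size silently drops from `limit: 100` on the removed request body to `value: 10` in the new `body.limit` transform, and neither the commit message nor the changelog entry mentions it; if the intent was only to move the static body fields into `request.transforms`, restore `value: 100`, otherwise the change should be called out. A second point is typing: the removed YAML body sent `limit` and `page` as integers, whereas a `set` transform renders `value` as a string, so MISP now presumably receives `"page": "1"` and `"limit": "10"` — worth confirming MISP accepts that, or using `value_type: int` if the httpjson input in this tree supports it. The `request.body` key is now also left empty when `.filters` is unset, which relies on the body transforms creating the object; a run without filters would confirm that.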
@@ -63,28 +69,12 @@ exclude_files: [".gz$"]
 {{ end }}
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+tags:
+{{if .preserve_original_event}}
+ - preserve_original_event
+{{end}}
+{{range $val := .tags}}
+ - {{$val}}
+{{end}}
-processors:
- - decode_json_fields:
- fields: [message]
- target: json
- - fingerprint:
- fields:
- - json.Event.Attribute.uuid
- - json.Event.Object.Attribute.uuid
- ignore_missing: true
- target_field: "@metadata._id"
- encoding: base64
- - script:
- lang: javascript
- id: my_filter
- source: >
- function process(event) {
- event.Put("@metadata.op_type", "index");
- }
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
index e64379422db..f4f54c903b9 100644
--- a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
@@ -1,3 +1,4 @@
+---
 description: Pipeline for parsing MISP Threat Intel
 processors:
 ####################
@@ -6,6 +7,9 @@ processors:
 - set:
 field: event.ingested
 value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.12"
 - set:
 field: event.kind
 value: enrichment
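Review bot: The new `tags` block renders every entry as a bare YAML scalar, `- {{$val}}`, where the removed line used `{{.tags | tojson}}`; a user-supplied tag containing YAML-significant text (a colon followed by a space, a leading `#`, `[` or `{`) or a value such as `true` or `no` would now be mis-parsed or change type instead of staying a quoted string. `- {{$val | tojson}}` keeps the per-tag layout while restoring the quoting; the literal `preserve_original_event` entry needs no change. Separately, the removed `script` that forced `@metadata.op_type` to `index` has no visible counterpart while the `_id` fingerprint moves into the ingest pipeline, so I'd confirm the output's op_type still behaves as intended when the same attribute is fetched again.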
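Review bot: `ecs.version` is set to `"1.12"` in the new `set` processor, while the `add_fields` block removed from config.yml in this same change emitted `1.12.0`; ECS version values are normally written as full semver, so `value: "1.12.0"` would keep the value this dataset emitted before. The other threatintel pipelines touched by this commit are not in view, so check that they agree on one form.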
@@ -19,236 +23,253 @@ processors: ###################### # General ECS fields # ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.Event.Attribute.uuid + - json.Event.Object.Attribute.uuid + target_field: "_id" + ignore_missing: true - rename: field: json.Event - target_field: threatintel.misp + target_field: misp ignore_missing: true - set: - field: threatintel.indicator.provider + field: threat.indicator.provider value: misp - if: ctx?.threatintel?.misp?.Orgc?.local != 'false' + if: ctx.misp?.Orgc?.local != 'false' - set: - field: threatintel.indicator.provider + field: threat.indicator.provider value: "{{misp.Orgc.name}}" - if: ctx?.threatintel?.misp?.Orgc?.local == 'false' + if: ctx.misp?.Orgc?.local == 'false' ignore_empty_value: true # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event - remove: field: - - threatintel.misp.ShadowAttribute - - threatintel.misp.RelatedEvent - - threatintel.misp.Galaxy - - threatintel.misp.Attribute.Galaxy - - threatintel.misp.Attribute.ShadowAttribute - - threatintel.misp.EventReport - - threatintel.misp.Object.Attribute.Galaxy - - threatintel.misp.Object.Attribute.ShadowAttribute - - message + - misp.ShadowAttribute + - misp.RelatedEvent + - misp.Galaxy + - misp.Attribute.Galaxy + - misp.Attribute.ShadowAttribute + - misp.EventReport + - misp.Object.Attribute.Galaxy + - misp.Object.Attribute.ShadowAttribute ignore_missing: true - remove: field: - - threatintel.misp.Attribute + - misp.Attribute ignore_missing: true - if: ctx?.threatintel?.misp?.Attribute.size() == 0 + if: ctx.misp?.Attribute.size() == 0 - remove: field: - - threatintel.misp.Object + - misp.Object ignore_missing: true - if: ctx?.threatintel?.misp?.Object.size() == 0 + if: ctx.misp?.Object.size() == 0 - date: - field: threatintel.misp.timestamp + field: 
misp.timestamp formats: - UNIX ignore_failure: true - rename: - field: threatintel.misp.Attribute - target_field: threatintel.misp.attribute + field: misp.Attribute + target_field: misp.attribute ignore_missing: true - rename: - field: threatintel.misp.Object - target_field: threatintel.misp.object + field: misp.Object + target_field: misp.object ignore_missing: true - rename: - field: threatintel.misp.object.Attribute - target_field: threatintel.misp.object.attribute + field: misp.object.Attribute + target_field: misp.object.attribute ignore_missing: true - rename: - field: threatintel.misp.Orgc - target_field: threatintel.misp.orgc + field: misp.Orgc + target_field: misp.orgc ignore_missing: true - rename: - field: threatintel.misp.Org - target_field: threatintel.misp.org + field: misp.Org + target_field: misp.org ignore_missing: true - rename: - field: threatintel.misp.Tag - target_field: threatintel.misp.tag + field: misp.Tag + target_field: misp.tag ignore_missing: true # # Dance around issue of not being able to split the document into two. # # Make the Object.Attribute field primary if it exists, but keep the # # outer Attribute as context. 
- rename: - field: threatintel.misp.attribute - target_field: threatintel.misp.context.attribute + field: misp.attribute + target_field: misp.context.attribute ignore_missing: true - if: ctx?.threatintel?.misp?.object != null + if: ctx.misp?.object != null - rename: - field: threatintel.misp.object.attribute - target_field: threatintel.misp.attribute + field: misp.object.attribute + target_field: misp.attribute ignore_missing: true - if: ctx?.threatintel?.misp?.object != null + if: ctx.misp?.object != null ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] MISP" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" - rename: - field: threatintel.misp.attribute.first_seen - target_field: threatintel.indicator.first_seen + field: misp.attribute.first_seen + target_field: threat.indicator.first_seen ignore_missing: true - rename: - field: threatintel.misp.attribute.last_seen - target_field: threatintel.indicator.last_seen + field: misp.attribute.last_seen + target_field: threat.indicator.last_seen ignore_missing: true - convert: - field: threatintel.misp.analysis + field: misp.analysis type: long - target_field: threatintel.indicator.scanner_stats + target_field: threat.indicator.scanner_stats ignore_missing: true - convert: - field: threatintel.misp.threat_level_id + field: misp.threat_level_id type: long ignore_missing: true ## File/Hash indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.threatintel?.misp?.attribute?.type) || ctx.threatintel?.misp?.attribute?.type.startsWith('filename'))" + if: "ctx.misp?.attribute?.type != null && (['md5', 
'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp?.attribute?.type) || ctx.misp?.attribute?.type.startsWith('filename'))" - rename: - field: threatintel.misp.attribute.value - target_field: "threatintel.indicator.file.hash.{{threatintel.misp.attribute.type}}" + field: misp.attribute.value + target_field: "threat.indicator.file.hash.{{misp.attribute.type}}" ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type != null && !ctx?.threatintel?.misp?.attribute?.type.startsWith('filename')" + if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp?.attribute?.type.startsWith('filename')" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.file.name + field: misp.attribute.value + target_field: threat.indicator.file.name ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type == 'filename'" + if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'" - grok: - field: threatintel.misp.attribute.type + field: misp.attribute.type patterns: - "%{WORD}\\|%{WORD:_tmp.hashtype}" ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') - grok: - field: threatintel.misp.attribute.value + field: misp.attribute.value patterns: - - "%{DATA:threatintel.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" + - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" ignore_missing: true - if: ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') + if: 
ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') - set: - field: threatintel.indicator.file.hash.{{_tmp.hashtype}} + field: threat.indicator.file.hash.{{_tmp.hashtype}} value: "{{_tmp.hashvalue}}" - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" ## URL/URI indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: url - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx?.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp?.attribute?.type)" - uri_parts: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.url + field: misp.attribute.value + target_field: threat.indicator.url keep_original: true remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri' - + if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri' - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'" + if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'" ## Regkey indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: windows-registry-key - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type.startsWith('regkey')" + if: 
"ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('regkey')" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.registry.key + field: misp.attribute.value + target_field: threat.indicator.registry.key ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'windows-registry-key' && ctx?.threatintel?.misp?.attribute?.type == 'regkey'" + if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'" - grok: - field: threatintel.misp.attribute.value + field: misp.attribute.value patterns: - - "%{DATA:threatintel.indicator.registry.key}\\|%{DATA:threatintel.indicator.registry.value}" + - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}" ignore_missing: true - if: "ctx?.threatintel?.misp?.attribute?.type == 'regkey|value'" + if: "ctx.misp?.attribute?.type == 'regkey|value'" ## AS indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: autonomous-system - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx?.threatintel?.misp?.attribute?.type == 'AS'" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'" - convert: - field: threatintel.misp.attribute.value + field: misp.attribute.value type: long - target_field: threatintel.indicator.as.number + target_field: threat.indicator.as.number ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'autonomous-system' + if: ctx.threat?.indicator?.type == 'autonomous-system' ## Domain/IP/Port indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: domain-name - if: "ctx?.threatintel?.misp?.attribute?.type != null && (ctx?.threatintel?.misp?.attribute?.type == 'hostname' || ctx?.threatintel?.misp?.attribute?.type.startsWith('domain'))" + if: "ctx.misp?.attribute?.type != null && (ctx.misp?.attribute?.type == 'hostname' || 
ctx.misp?.attribute?.type.startsWith('domain'))" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv4-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.url.domain + field: misp.attribute.value + target_field: threat.indicator.url.domain ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null" + if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.misp?.attribute?.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.ip + field: misp.attribute.value + target_field: threat.indicator.ip ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'ipv4-addr' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" + if: "ctx.threat?.indicator?.type == 'ipv4-addr' && ctx.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" - grok: - field: threatintel.misp.attribute.value + field: misp.attribute.value patterns: - - "%{DATA:threatintel.indicator.url.domain}\\|%{IP:threatintel.indicator.ip}" + - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}" ignore_missing: true - if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' && ctx.threatintel?.indicator?.url?.domain == null + if: ctx.misp?.attribute?.type == 'domain|ip' && ctx.threat?.indicator?.url?.domain == null - grok: - field: threatintel.misp.attribute.value 
+ field: misp.attribute.value patterns: - - "%{IP:threatintel.indicator.ip}\\|%{NUMBER:threatintel.indicator.port}" + - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}" ignore_missing: true - if: "['ip-src|port', 'ip-dst|port'].contains(ctx.threatintel?.misp?.attribute?.type)" + if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" ## Email indicator operations # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. - set: - field: threatintel.indicator.type + field: threat.indicator.type value: email-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" - set: - field: threatintel.indicator.type + field: threat.indicator.type value: email-message - if: "ctx?.threatintel?.misp?.attribute?.type != null && ctx.threatintel?.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.email.address + field: misp.attribute.value + target_field: threat.indicator.email.address ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'email-addr' + if: ctx.threat?.indicator?.type == 'email-addr' - rename: - field: threatintel.misp.event_creator_email + field: misp.event_creator_email target_field: user.email ignore_missing: true - append: 
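Review bot: `value: "{{misp.Orgc.name}}"` in the `threat.indicator.provider` set processor uses double-brace Mustache, while the same hunk deliberately uses triple braces (`{{{threat.indicator.url.original}}}`) to bypass template escaping; an organisation name containing characters such as `&`, `<` or `"` would presumably be escaped the same way here, so `value: "{{{misp.Orgc.name}}}"` is the safer form. The `remove` conditions `ctx.misp?.Attribute.size() == 0` and `ctx.misp?.Object.size() == 0` null-guard `misp` but not `Attribute`/`Object`; if a MISP event ever arrives without those keys the `.size()` call dereferences null and fails the whole document, so guard both, e.g. `if: ctx.misp?.Attribute != null && ctx.misp.Attribute.size() == 0`. Those conditions predate the commit but were rewritten by it, so this is the moment to fix them. The `processors` list starts and ends outside this hunk.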
@@ -258,14 +279,14 @@ processors: ## MAC Address indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: mac-addr - if: "ctx?.threatintel?.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.threatintel?.misp?.attribute?.type)" + if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp?.attribute?.type)" - rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.mac + field: misp.attribute.value + target_field: threat.indicator.mac ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'mac-addr' + if: ctx.threat?.indicator?.type == 'mac-addr' ################### # Tags ECS fields # @@ -273,9 +294,9 @@ processors: # Stripping special characters from tags - script: lang: painless - if: ctx?.threatintel?.misp?.tag != null + if: ctx.misp?.tag != null source: | - def tags = ctx.threatintel.misp.tag.stream() + def tags = ctx.misp.tag.stream() .map(t -> t.name.replace('\\', '').replace('"', '')) .collect(Collectors.toList()); def tlpTags = tags.stream() 
@@ -284,20 +305,45 @@ processors: .collect(Collectors.toList()); ctx.tags = tags; - ctx.threatintel.indicator.marking = [ 'tlp': tlpTags ]; + ctx.threat.indicator.marking = [ 'tlp': tlpTags ]; # Setting indicator type to unknown if it does not match anything - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx.threat?.indicator?.type == null + + ################# + # Convert types # + ################# + - convert: + field: misp.attribute.distribution + type: long + ignore_missing: true + - convert: + field: misp.context.attribute.distribution + type: long + ignore_missing: true + - convert: + field: threat.indicator.port + type: long + ignore_missing: true + - convert: + field: misp.attribute_count + type: long + ignore_missing: true ###################### # Cleanup processors # ###################### + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - script: lang: painless - if: ctx?.threatintel != null + if: ctx?.misp != null source: | void handleMap(Map map) { for (def x : map.values()) { 
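Review bot: The new `Convert types` section converts `misp.attribute.distribution` and `misp.context.attribute.distribution` to `long` but leaves `misp.distribution` as a string, so the expected output later on this page carries `"misp.attribute.distribution": 5` beside `"misp.distribution": "3"` for the same concept; if `fields.yml` maps `misp.distribution` numerically, add `- convert: {field: misp.distribution, type: long, ignore_missing: true}`, otherwise note why the two differ. The numeric-looking ids (`misp.attribute.event_id`, `misp.attribute.id`, `misp.id`) also stay strings, which may be a deliberate keyword mapping but reads as an accident next to the new converts. The `processors` list continues outside this hunk.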
@@ -322,24 +368,24 @@ processors: # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event - remove: field: - - threatintel.misp.attribute.value + - misp.attribute.value ignore_missing: true - if: ctx?.threatintel?.indicator?.type != 'unknown' + if: ctx.threat?.indicator?.type != 'unknown' - remove: field: # This removes a number of fields that may be wanted in the future when - # threatintel.misp.attribute and threatintel.misp.object.attribute can + # misp.attribute and misp.object.attribute can # be separated. At the root of .object are fields that mirror fields at - # the root of threatintel.misp. - - threatintel.misp.object + # the root of misp. + - misp.object ignore_missing: true - remove: field: - - threatintel.misp.Attribute.timestamp - - threatintel.misp.timestamp - - threatintel.misp.tag - - threatintel.misp.org - - threatintel.misp.analysis + - misp.Attribute.timestamp + - misp.timestamp + - misp.tag + - misp.org + - misp.analysis - _tmp - json ignore_missing: true diff --git a/x-pack/filebeat/module/threatintel/misp/manifest.yml b/x-pack/filebeat/module/threatintel/misp/manifest.yml index 41443c01df8..3a91b68f4fe 100644 --- a/x-pack/filebeat/module/threatintel/misp/manifest.yml +++ b/x-pack/filebeat/module/threatintel/misp/manifest.yml @@ -15,6 +15,8 @@ var: - name: tags default: [threatintel-misp, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json index 9f4dbc50fc8..04e12fc0323 100644 --- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json 
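Review bot: The final `remove` list still names `misp.Attribute.timestamp`, but by this point `misp.Attribute` has already been renamed to `misp.attribute` (the rename is in the earlier hunk of this file), so the entry never matches and is silently skipped under `ignore_missing`; the expected output on this page confirms `misp.attribute.timestamp` survives in every event. If dropping it is the intent, change the entry to `- misp.attribute.timestamp`; if the field is wanted, delete the dead entry so the list does not mislead the next reader. The `processors` list starts outside this hunk.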
@@ -9,6 +9,39 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 0,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "5",
+ "misp.attribute.id": "351",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1503930272",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "md5",
+ "misp.attribute.uuid": "59a427a0-f6f8-4178-9e7d-dfd702de0b81",
+ "misp.attribute_count": 7,
+ "misp.date": "2017-08-25",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "5",
+ "misp.info": "OSINT - New Arena Crysis Ransomware Variant Released",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CIRCL",
+ "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1603226331",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f",
 "service.type": "threatintel",
 "tags": [
 "malware_classification:malware-category=Ransomware",
@@ -17,46 +50,15 @@
 "tlp:white",
 "type:OSINT"
 ],
- "threatintel.indicator.file.hash.md5": "f2679bdabe46e10edc6352fff3c829bc",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.md5": "f2679bdabe46e10edc6352fff3c829bc",
+ "threat.indicator.marking.tlp": [
 "white"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "5",
- "threatintel.misp.attribute.id": "351",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1503930272",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "md5",
- "threatintel.misp.attribute.uuid": "59a427a0-f6f8-4178-9e7d-dfd702de0b81",
- "threatintel.misp.attribute_count": "7",
- "threatintel.misp.date": "2017-08-25",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "5",
- "threatintel.misp.info": "OSINT - New Arena Crysis Ransomware Variant Released",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CIRCL",
- "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1603226331",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "file"
 },
 {
 "@timestamp": "2017-08-28T14:24:36.000Z",
@@ -68,6 +70,39 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 8248,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "1st stage",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "14",
+ "misp.attribute.id": "10794",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1542652482",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "domain|ip",
+ "misp.attribute.uuid": "5bf30242-8ef4-4c52-a2d7-0b7b0a016219",
+ "misp.attribute_count": 7,
+ "misp.date": "2017-08-25",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "5",
+ "misp.info": "OSINT - New Arena Crysis Ransomware Variant Released",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CIRCL",
+ "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1603226331",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f",
 "service.type": "threatintel",
 "tags": [
 "malware_classification:malware-category=Ransomware",
@@ -76,47 +111,16 @@
 "tlp:white",
 "type:OSINT"
 ],
- "threatintel.indicator.ip": "178.128.103.74",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.ip": "178.128.103.74",
+ "threat.indicator.marking.tlp": [
 "white"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "your-ip.getmyip.com",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "1st stage",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "14",
- "threatintel.misp.attribute.id": "10794",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1542652482",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "domain|ip",
- "threatintel.misp.attribute.uuid": "5bf30242-8ef4-4c52-a2d7-0b7b0a016219",
- "threatintel.misp.attribute_count": "7",
- "threatintel.misp.date": "2017-08-25",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "5",
- "threatintel.misp.info": "OSINT - New Arena Crysis Ransomware Variant Released",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CIRCL",
- "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1603226331",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "59a3d08d-5dc8-4153-bc7c-456d950d210f"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "your-ip.getmyip.com"
 },
 {
 "@timestamp": "2017-04-28T18:23:44.000Z",
@@ -128,55 +132,57 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 16434,
+ "misp.attribute.category": "External analysis",
+ "misp.attribute.comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "4",
+ "misp.attribute.id": "342",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1490878550",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "link",
+ "misp.attribute.uuid": "58dd0056-6e74-43d5-b58b-494802de0b81",
+ "misp.attribute_count": 100,
+ "misp.date": "2017-03-30",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "4",
+ "misp.info": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "2",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CIRCL",
+ "misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
+ "misp.orgc_id": "2",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1603226330",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "58dcfe62-ed84-4e5e-b293-4991950d210f",
 "service.type": "threatintel",
 "tags": [
 "misp-galaxy:tool=Turla",
 "tlp:white"
 ],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
 "white"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "www.virustotal.com",
- "threatintel.indicator.url.full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
- "threatintel.indicator.url.original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
- "threatintel.indicator.url.path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.misp.attribute.category": "External analysis",
- "threatintel.misp.attribute.comment": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "4",
- "threatintel.misp.attribute.id": "342",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1490878550",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "link",
- "threatintel.misp.attribute.uuid": "58dd0056-6e74-43d5-b58b-494802de0b81",
- "threatintel.misp.attribute_count": "100",
- "threatintel.misp.date": "2017-03-30",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "4",
- "threatintel.misp.info": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "2",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CIRCL",
- "threatintel.misp.orgc.uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
- "threatintel.misp.orgc_id": "2",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1603226330",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "58dcfe62-ed84-4e5e-b293-4991950d210f"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "www.virustotal.com",
+ "threat.indicator.url.full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
+ "threat.indicator.url.original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
+ "threat.indicator.url.path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
+ "threat.indicator.url.scheme": "https"
 },
 {
 "@timestamp": "2014-10-06T07:12:57.000Z",
@@ -188,51 +194,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 20139, + "misp.attribute.category": "External analysis", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "2", + "misp.attribute.id": "1077", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1412579394", + "misp.attribute.to_ids": true, + "misp.attribute.type": "sha256", + "misp.attribute.uuid": "54324042-49fc-4628-a95e-44da950d210b", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.file.hash.sha256": "0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha256": "0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "External 
analysis", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "2", - "threatintel.misp.attribute.id": "1077", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1412579394", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "sha256", - "threatintel.misp.attribute.uuid": "54324042-49fc-4628-a95e-44da950d210b", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "file" }, { "@timestamp": "2014-10-06T07:12:57.000Z", 
@@ -244,51 +252,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 21711, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "2", + "misp.attribute.id": "1084", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1412579457", + "misp.attribute.to_ids": true, + "misp.attribute.type": "ip-dst", + "misp.attribute.uuid": "54324081-3308-4f1f-8674-4953950d210b", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.ip": "223.25.233.248", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.ip": "223.25.233.248", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "ipv4-addr", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - 
"threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "2", - "threatintel.misp.attribute.id": "1084", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1412579457", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "ip-dst", - "threatintel.misp.attribute.uuid": "54324081-3308-4f1f-8674-4953950d210b", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "ipv4-addr" }, { "@timestamp": "2014-10-06T07:12:57.000Z", 
@@ -300,51 +310,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 23232, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "2", + "misp.attribute.id": "1086", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1412579548", + "misp.attribute.to_ids": true, + "misp.attribute.type": "hostname", + "misp.attribute.uuid": "543240dc-f068-437a-baa9-48f2950d210b", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "xenserver.ddns.net", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": 
false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "2", - "threatintel.misp.attribute.id": "1086", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1412579548", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "hostname", - "threatintel.misp.attribute.uuid": "543240dc-f068-437a-baa9-48f2950d210b", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "xenserver.ddns.net" }, { "@timestamp": "2014-10-06T07:12:57.000Z", 
@@ -356,51 +368,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 24759, + "misp.attribute.category": "External analysis", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "2", + "misp.attribute.id": "1089", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1412579577", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "543240f9-64e8-41f2-958f-4e21950d210b", + "misp.attribute.value": "Nitro", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "External analysis", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - 
"threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "2", - "threatintel.misp.attribute.id": "1089", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1412579577", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "543240f9-64e8-41f2-958f-4e21950d210b", - "threatintel.misp.attribute.value": "Nitro", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "unknown" }, { "@timestamp": "2014-10-06T07:12:57.000Z", 
@@ -412,51 +426,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 26271, + "misp.attribute.category": "External analysis", + "misp.attribute.comment": "Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "2", + "misp.attribute.id": "1090", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1455826343", + "misp.attribute.to_ids": true, + "misp.attribute.type": "sha1", + "misp.attribute.uuid": "56c625a7-f31c-460c-9ea1-c652950d210f", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.file.hash.sha1": "0ea76f1586c008932d90c991dfdd5042f3aac8ea", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha1": "0ea76f1586c008932d90c991dfdd5042f3aac8ea", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": 
"External analysis", - "threatintel.misp.attribute.comment": "Automatically added (via 7915aabb2e66ff14841e4ef0fbff7486)", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "2", - "threatintel.misp.attribute.id": "1090", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1455826343", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "sha1", - "threatintel.misp.attribute.uuid": "56c625a7-f31c-460c-9ea1-c652950d210f", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "file" }, { "@timestamp": "2014-10-06T07:12:57.000Z", 
@@ -468,51 +484,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 27875, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "22", + "misp.attribute.id": "12394", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1462454963", + "misp.attribute.to_ids": false, + "misp.attribute.type": "domain", + "misp.attribute.uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16", + "misp.attribute_count": 29, + "misp.date": "2014-10-03", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "2", + "misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "2", + "misp.orgc.local": false, + "misp.orgc.name": "CthulhuSPRL.be", + "misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", + "misp.orgc_id": "2", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610622316", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 2, + "misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b", "service.type": "threatintel", "tags": [ "tlp:green", "type:OSINT" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "green" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 2, - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "whatsapp.com", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": 
false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "22", - "threatintel.misp.attribute.id": "12394", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1462454963", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "domain", - "threatintel.misp.attribute.uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16", - "threatintel.misp.attribute_count": "29", - "threatintel.misp.date": "2014-10-03", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "2", - "threatintel.misp.info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "2", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "CthulhuSPRL.be", - "threatintel.misp.orgc.uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f", - "threatintel.misp.orgc_id": "2", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610622316", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 2, - "threatintel.misp.uuid": "54323f2c-e50c-4268-896c-4867950d210b" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 2, + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "whatsapp.com" }, { "@timestamp": "2018-08-28T13:20:17.000Z", 
@@ -524,57 +542,59 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 29397, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "Fake adobe URL", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "158", + "misp.attribute.id": "17299", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1515427692", + "misp.attribute.to_ids": false, + "misp.attribute.type": "url", + "misp.attribute.uuid": "5a53976c-e7c8-480d-a68a-2fc50a016219", + "misp.attribute_count": 61, + "misp.date": "2018-01-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "158", + "misp.info": "Turla: Mosquito Whitepaper", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "5", + "misp.orgc.local": false, + "misp.orgc.name": "ESET", + "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", + "misp.orgc_id": "5", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637953", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219", "service.type": "threatintel", "tags": [ "Turla", "misp-galaxy:threat-actor=Turla Group", "tlp:white" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "get.adobe.com", - "threatintel.indicator.url.full": "http://get.adobe.com/stats/AbfFcBebD/?q=", - "threatintel.indicator.url.original": "http://get.adobe.com/stats/AbfFcBebD/?q=", - "threatintel.indicator.url.path": "/stats/AbfFcBebD/", - 
"threatintel.indicator.url.query": "q=", - "threatintel.indicator.url.scheme": "http", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "Fake adobe URL", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "158", - "threatintel.misp.attribute.id": "17299", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1515427692", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "url", - "threatintel.misp.attribute.uuid": "5a53976c-e7c8-480d-a68a-2fc50a016219", - "threatintel.misp.attribute_count": "61", - "threatintel.misp.date": "2018-01-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "158", - "threatintel.misp.info": "Turla: Mosquito Whitepaper", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "5", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "ESET", - "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", - "threatintel.misp.orgc_id": "5", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637953", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "url", + "threat.indicator.url.domain": "get.adobe.com", + "threat.indicator.url.full": "http://get.adobe.com/stats/AbfFcBebD/?q=", + "threat.indicator.url.original": "http://get.adobe.com/stats/AbfFcBebD/?q=", + 
"threat.indicator.url.path": "/stats/AbfFcBebD/", + "threat.indicator.url.query": "q=", + "threat.indicator.url.scheme": "http" }, { "@timestamp": "2018-08-28T13:20:17.000Z", 
@@ -586,51 +606,53 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 31486, + "misp.attribute.category": "Network activity", + "misp.attribute.comment": "Win32 backdoor C&C URI", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "158", + "misp.attribute.id": "17330", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1515429089", + "misp.attribute.to_ids": false, + "misp.attribute.type": "uri", + "misp.attribute.uuid": "5a539ce1-3de0-4e34-8fc4-2fc50a016219", + "misp.attribute_count": 61, + "misp.date": "2018-01-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "158", + "misp.info": "Turla: Mosquito Whitepaper", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "5", + "misp.orgc.local": false, + "misp.orgc.name": "ESET", + "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", + "misp.orgc_id": "5", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637953", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219", "service.type": "threatintel", "tags": [ "Turla", "misp-galaxy:threat-actor=Turla Group", "tlp:white" ], - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "url", - "threatintel.misp.attribute.category": "Network activity", - "threatintel.misp.attribute.comment": "Win32 backdoor C&C URI", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - 
"threatintel.misp.attribute.event_id": "158", - "threatintel.misp.attribute.id": "17330", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1515429089", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "uri", - "threatintel.misp.attribute.uuid": "5a539ce1-3de0-4e34-8fc4-2fc50a016219", - "threatintel.misp.attribute_count": "61", - "threatintel.misp.date": "2018-01-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "158", - "threatintel.misp.info": "Turla: Mosquito Whitepaper", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "5", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "ESET", - "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", - "threatintel.misp.orgc_id": "5", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637953", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "url" }, { "@timestamp": "2018-08-28T13:20:17.000Z", 
@@ -642,53 +664,55 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 33567, + "misp.attribute.category": "Artifacts dropped", + "misp.attribute.comment": "JavaScript backdoor", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "158", + "misp.attribute.id": "17322", + "misp.attribute.object_id": "0", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1515429089", + "misp.attribute.to_ids": false, + "misp.attribute.type": "filename|sha1", + "misp.attribute.uuid": "5a539ce1-e6a0-426a-942c-2fc50a016219", + "misp.attribute_count": 61, + "misp.date": "2018-01-08", + "misp.disable_correlation": false, + "misp.distribution": "3", + "misp.extends_uuid": "", + "misp.id": "158", + "misp.info": "Turla: Mosquito Whitepaper", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "5", + "misp.orgc.local": false, + "misp.orgc.name": "ESET", + "misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", + "misp.orgc_id": "5", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "1610637953", + "misp.published": true, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219", "service.type": "threatintel", "tags": [ "Turla", "misp-galaxy:threat-actor=Turla Group", "tlp:white" ], - "threatintel.indicator.file.hash.sha1": "c51d288469df9f25e2fb7ac491918b3e579282ea", - "threatintel.indicator.file.name": "google_update_checker.js", - "threatintel.indicator.marking.tlp": [ + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha1": "c51d288469df9f25e2fb7ac491918b3e579282ea", + "threat.indicator.file.name": "google_update_checker.js", + "threat.indicator.marking.tlp": [ "white" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": 
"file", - "threatintel.misp.attribute.category": "Artifacts dropped", - "threatintel.misp.attribute.comment": "JavaScript backdoor", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "158", - "threatintel.misp.attribute.id": "17322", - "threatintel.misp.attribute.object_id": "0", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1515429089", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "filename|sha1", - "threatintel.misp.attribute.uuid": "5a539ce1-e6a0-426a-942c-2fc50a016219", - "threatintel.misp.attribute_count": "61", - "threatintel.misp.date": "2018-01-08", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "3", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "158", - "threatintel.misp.info": "Turla: Mosquito Whitepaper", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "5", - "threatintel.misp.orgc.local": false, - "threatintel.misp.orgc.name": "ESET", - "threatintel.misp.orgc.uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f", - "threatintel.misp.orgc_id": "5", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "1610637953", - "threatintel.misp.published": true, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "5a5395d1-40a0-45fc-b692-334a0a016219" + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file" }, { "@timestamp": "2018-01-23T16:09:56.000Z", 
@@ -700,50 +724,52 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 35697,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "22",
+ "misp.attribute.id": "12268",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1456266422",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "email-src",
+ "misp.attribute.uuid": "56ccdcb6-4d6c-4e48-b955-52849062e56a",
+ "misp.attribute_count": 133,
+ "misp.date": "2015-12-08",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "22",
+ "misp.info": "Packrat: Seven Years of a South American Threat Actor",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "4",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CUDESO",
+ "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
+ "misp.orgc_id": "4",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610637901",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a",
 "service.type": "threatintel",
 "tags": [
 "tlp:white"
 ],
- "threatintel.indicator.email.address": "claudiobonadio88@gmail.com",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.email.address": "claudiobonadio88@gmail.com",
+ "threat.indicator.marking.tlp": [
 "white"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "email-addr",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "22",
- "threatintel.misp.attribute.id": "12268",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1456266422",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "email-src",
- "threatintel.misp.attribute.uuid": "56ccdcb6-4d6c-4e48-b955-52849062e56a",
- "threatintel.misp.attribute_count": "133",
- "threatintel.misp.date": "2015-12-08",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "22",
- "threatintel.misp.info": "Packrat: Seven Years of a South American Threat Actor",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "4",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CUDESO",
- "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
- "threatintel.misp.orgc_id": "4",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610637901",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "email-addr"
 },
 {
 "@timestamp": "2018-01-23T16:09:56.000Z",
@@ -755,50 +781,52 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 37011,
+ "misp.attribute.category": "Artifacts dropped",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "22",
+ "misp.attribute.id": "12298",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1456266454",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "regkey",
+ "misp.attribute.uuid": "56ccdcd6-f4b8-4383-9624-52849062e56a",
+ "misp.attribute_count": 133,
+ "misp.date": "2015-12-08",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "22",
+ "misp.info": "Packrat: Seven Years of a South American Threat Actor",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "4",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CUDESO",
+ "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
+ "misp.orgc_id": "4",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610637901",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a",
 "service.type": "threatintel",
 "tags": [
 "tlp:white"
 ],
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.marking.tlp": [
 "white"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.registry.key": "HKLM\\SOFTWARE\\Microsoft\\Active",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "windows-registry-key",
- "threatintel.misp.attribute.category": "Artifacts dropped",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "22",
- "threatintel.misp.attribute.id": "12298",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1456266454",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "regkey",
- "threatintel.misp.attribute.uuid": "56ccdcd6-f4b8-4383-9624-52849062e56a",
- "threatintel.misp.attribute_count": "133",
- "threatintel.misp.date": "2015-12-08",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "22",
- "threatintel.misp.info": "Packrat: Seven Years of a South American Threat Actor",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "4",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CUDESO",
- "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
- "threatintel.misp.orgc_id": "4",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610637901",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "56ccdcaf-f7e4-40d8-bca1-51299062e56a"
+ "threat.indicator.provider": "misp",
+ "threat.indicator.registry.key": "HKLM\\SOFTWARE\\Microsoft\\Active",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "windows-registry-key"
 },
 {
 "@timestamp": "2020-12-13T14:03:16.000Z",
@@ -810,51 +838,53 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 38330,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "On port 2222",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "10",
+ "misp.attribute.id": "10686",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1607517728",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "ip-dst|port",
+ "misp.attribute.uuid": "5fd0c620-a844-4ace-9710-a37bc0a8ab16",
+ "misp.attribute_count": 15,
+ "misp.date": "2020-12-09",
+ "misp.disable_correlation": false,
+ "misp.distribution": "3",
+ "misp.extends_uuid": "",
+ "misp.id": "10",
+ "misp.info": "Recent Qakbot (Qbot) activity",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "4",
+ "misp.orgc.local": false,
+ "misp.orgc.name": "CUDESO",
+ "misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
+ "misp.orgc_id": "4",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "1610637888",
+ "misp.published": true,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16",
 "service.type": "threatintel",
 "tags": [
 "misp-galaxy:banker=Qakbot",
 "tlp:white"
 ],
- "threatintel.indicator.ip": "62.38.114.12",
- "threatintel.indicator.marking.tlp": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.ip": "62.38.114.12",
+ "threat.indicator.marking.tlp": [
 "white"
 ],
- "threatintel.indicator.port": "2222",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 2,
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "On port 2222",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "10",
- "threatintel.misp.attribute.id": "10686",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1607517728",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "ip-dst|port",
- "threatintel.misp.attribute.uuid": "5fd0c620-a844-4ace-9710-a37bc0a8ab16",
- "threatintel.misp.attribute_count": "15",
- "threatintel.misp.date": "2020-12-09",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "3",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "10",
- "threatintel.misp.info": "Recent Qakbot (Qbot) activity",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "4",
- "threatintel.misp.orgc.local": false,
- "threatintel.misp.orgc.name": "CUDESO",
- "threatintel.misp.orgc.uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16",
- "threatintel.misp.orgc_id": "4",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "1610637888",
- "threatintel.misp.published": true,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "5fd0c599-ab6c-4ba1-a69a-df9ec0a8ab16"
+ "threat.indicator.port": 2222,
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 2,
+ "threat.indicator.type": "ipv4-addr"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json
index 6db06ab777c..ae03f9bce95 100644
--- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample_with_ext_attributes.ndjson.log-expected.json 
@@ -9,48 +9,50 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 0,
+ "misp.attribute.category": "Payload installation",
+ "misp.attribute.comment": "Contextual comment for the file md5 attribute",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3631",
+ "misp.attribute.id": "266258",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621588162",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "md5",
+ "misp.attribute.uuid": "34c59b06-d35d-4808-919c-4b452f185c52",
+ "misp.attribute_count": 1,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3631",
+ "misp.info": "Test event 1 just atrributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload installation",
- "threatintel.misp.attribute.comment": "Contextual comment for the file md5 attribute",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3631",
- "threatintel.misp.attribute.id": "266258",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621588162",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "md5",
- "threatintel.misp.attribute.uuid": "34c59b06-d35d-4808-919c-4b452f185c52",
- "threatintel.misp.attribute_count": "1",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3631",
- "threatintel.misp.info": "Test event 1 just atrributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -66,48 +68,50 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 1614,
+ "misp.attribute.category": "Artifacts dropped",
+ "misp.attribute.comment": "Artefact dropped for test 2",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3632",
+ "misp.attribute.id": "266259",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621588675",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "md5",
+ "misp.attribute.uuid": "73102a1c-7432-47b7-9644-6f9d46b6887c",
+ "misp.attribute_count": 4,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3632",
+ "misp.info": "Test event 2 just more atrributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.file.hash.md5": "60461da8b94c6ca5d2fda3260c5a8c3b",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Artifacts dropped",
- "threatintel.misp.attribute.comment": "Artefact dropped for test 2",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3632",
- "threatintel.misp.attribute.id": "266259",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621588675",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "md5",
- "threatintel.misp.attribute.uuid": "73102a1c-7432-47b7-9644-6f9d46b6887c",
- "threatintel.misp.attribute_count": "4",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3632",
- "threatintel.misp.info": "Test event 2 just more atrributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.md5": "60461da8b94c6ca5d2fda3260c5a8c3b",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -123,48 +127,50 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 3241,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "Conext for domain type attribute event 2",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3632",
+ "misp.attribute.id": "266260",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621588744",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "domain",
+ "misp.attribute.uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b",
+ "misp.attribute_count": 4,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3632",
+ "misp.info": "Test event 2 just more atrributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "baddom.madeup.local",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "Conext for domain type attribute event 2",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3632",
- "threatintel.misp.attribute.id": "266260",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621588744",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "domain",
- "threatintel.misp.attribute.uuid": "a52a1b47-a580-4f33-96ba-939cf9146c9b",
- "threatintel.misp.attribute_count": "4",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3632",
- "threatintel.misp.info": "Test event 2 just more atrributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "baddom.madeup.local",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -180,48 +186,50 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 4870,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "Ip-src attribute context for event2",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3632",
+ "misp.attribute.id": "266261",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621588800",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "ip-src",
+ "misp.attribute.uuid": "3dbf224b-7c84-4c4b-9f95-80f28954bd10",
+ "misp.attribute_count": 4,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3632",
+ "misp.info": "Test event 2 just more atrributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.ip": "10.0.0.1",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "Ip-src attribute context for event2",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3632",
- "threatintel.misp.attribute.id": "266261",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621588800",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "ip-src",
- "threatintel.misp.attribute.uuid": "3dbf224b-7c84-4c4b-9f95-80f28954bd10",
- "threatintel.misp.attribute_count": "4",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3632",
- "threatintel.misp.info": "Test event 2 just more atrributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.ip": "10.0.0.1",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "ipv4-addr",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -237,48 +245,50 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 6484,
+ "misp.attribute.category": "Network activity",
+ "misp.attribute.comment": "ip-dst context for event id 2",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3632",
+ "misp.attribute.id": "266262",
+ "misp.attribute.object_id": "0",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621588836",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "ip-dst",
+ "misp.attribute.uuid": "db4bfd36-7374-4f8c-9031-60e56d4bba30",
+ "misp.attribute_count": 4,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3632",
+ "misp.info": "Test event 2 just more atrributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 2,
+ "misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.ip": "192.168.1.50",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.misp.attribute.category": "Network activity",
- "threatintel.misp.attribute.comment": "ip-dst context for event id 2",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3632",
- "threatintel.misp.attribute.id": "266262",
- "threatintel.misp.attribute.object_id": "0",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621588836",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "ip-dst",
- "threatintel.misp.attribute.uuid": "db4bfd36-7374-4f8c-9031-60e56d4bba30",
- "threatintel.misp.attribute_count": "4",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3632",
- "threatintel.misp.info": "Test event 2 just more atrributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 2,
- "threatintel.misp.uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.ip": "192.168.1.50",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "ipv4-addr",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -294,63 +304,65 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 8095,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3633",
+ "misp.attribute.id": "266267",
+ "misp.attribute.object_id": "18207",
+ "misp.attribute.object_relation": "fullpath",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621589548",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "ff97cc32-815e-4fc9-9d4b-cab9822027a6",
+ "misp.attribute.value": "\\the\\fullpath\\to the file\\filenameofobject.txt",
+ "misp.attribute_count": 6,
+ "misp.context.attribute.category": "Payload delivery",
+ "misp.context.attribute.comment": "filename contect for test event 3",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3633",
+ "misp.context.attribute.id": "266263",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1621589229",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "filename",
+ "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
+ "misp.context.attribute.value": "thetestfile.txt",
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3633",
+ "misp.info": "Test event 3 objects and attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3633",
- "threatintel.misp.attribute.id": "266267",
- "threatintel.misp.attribute.object_id": "18207",
- "threatintel.misp.attribute.object_relation": "fullpath",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621589548",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "ff97cc32-815e-4fc9-9d4b-cab9822027a6",
- "threatintel.misp.attribute.value": "\\the\\fullpath\\to the file\\filenameofobject.txt",
- "threatintel.misp.attribute_count": "6",
- "threatintel.misp.context.attribute.category": "Payload delivery",
- "threatintel.misp.context.attribute.comment": "filename contect for test event 3",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3633",
- "threatintel.misp.context.attribute.id": "266263",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1621589229",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "filename",
- "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
- "threatintel.misp.context.attribute.value": "thetestfile.txt",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3633",
- "threatintel.misp.info": "Test event 3 objects and attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -366,63 +378,65 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 10558,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3633",
+ "misp.attribute.id": "266268",
+ "misp.attribute.object_id": "18207",
+ "misp.attribute.object_relation": "size-in-bytes",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621589548",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "size-in-bytes",
+ "misp.attribute.uuid": "e378b4d9-43e1-4c64-bd4e-70fce2b4e581",
+ "misp.attribute.value": "505050",
+ "misp.attribute_count": 6,
+ "misp.context.attribute.category": "Payload delivery",
+ "misp.context.attribute.comment": "filename contect for test event 3",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3633",
+ "misp.context.attribute.id": "266263",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1621589229",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "filename",
+ "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
+ "misp.context.attribute.value": "thetestfile.txt",
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3633",
+ "misp.info": "Test event 3 objects and attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3633",
- "threatintel.misp.attribute.id": "266268",
- "threatintel.misp.attribute.object_id": "18207",
- "threatintel.misp.attribute.object_relation": "size-in-bytes",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621589548",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "size-in-bytes",
- "threatintel.misp.attribute.uuid": "e378b4d9-43e1-4c64-bd4e-70fce2b4e581",
- "threatintel.misp.attribute.value": "505050",
- "threatintel.misp.attribute_count": "6",
- "threatintel.misp.context.attribute.category": "Payload delivery",
- "threatintel.misp.context.attribute.comment": "filename contect for test event 3",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3633",
- "threatintel.misp.context.attribute.id": "266263",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1621589229",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "filename",
- "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
- "threatintel.misp.context.attribute.value": "thetestfile.txt",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3633",
- "threatintel.misp.info": "Test event 3 objects and attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
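Review bot: On the new side `misp.attribute.distribution` and `misp.context.attribute.distribution` are emitted as the bare number `5`, while `misp.distribution` in the same event stays the string `"1"` (and `misp.sharing_group_id` / `misp.attribute.sharing_group_id` remain strings as well). Distribution is the same MISP sharing-level value at event and attribute level, so a dashboard filter or detection rule keyed on it has to cope with two types depending on which field it reads. Since this file only records pipeline output, the fix belongs in the ingest pipeline and `fields.yml` rather than here: either convert `misp.distribution` to a number too or keep the attribute-level fields as strings, then regenerate this expected file. The change of `misp.attribute_count` from `"6"` to `6` is sound, as that field is a count rather than an identifier.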
@@ -438,63 +452,65 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 12990,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3633",
+ "misp.attribute.id": "266264",
+ "misp.attribute.object_id": "18207",
+ "misp.attribute.object_relation": "md5",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621589548",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "md5",
+ "misp.attribute.uuid": "787b3822-0bec-4278-b34a-5d649e7bce05",
+ "misp.attribute_count": 6,
+ "misp.context.attribute.category": "Payload delivery",
+ "misp.context.attribute.comment": "filename contect for test event 3",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3633",
+ "misp.context.attribute.id": "266263",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1621589229",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "filename",
+ "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
+ "misp.context.attribute.value": "thetestfile.txt",
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3633",
+ "misp.info": "Test event 3 objects and attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3633",
- "threatintel.misp.attribute.id": "266264",
- "threatintel.misp.attribute.object_id": "18207",
- "threatintel.misp.attribute.object_relation": "md5",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621589548",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "md5",
- "threatintel.misp.attribute.uuid": "787b3822-0bec-4278-b34a-5d649e7bce05",
- "threatintel.misp.attribute_count": "6",
- "threatintel.misp.context.attribute.category": "Payload delivery",
- "threatintel.misp.context.attribute.comment": "filename contect for test event 3",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3633",
- "threatintel.misp.context.attribute.id": "266263",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1621589229",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "filename",
- "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
- "threatintel.misp.context.attribute.value": "thetestfile.txt",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3633",
- "threatintel.misp.info": "Test event 3 objects and attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.md5": "70461da8b94c6ca5d2fda3260c5a8c3b",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -510,63 +526,65 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 15439,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3633",
+ "misp.attribute.id": "266265",
+ "misp.attribute.object_id": "18207",
+ "misp.attribute.object_relation": "sha256",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621589548",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "sha256",
+ "misp.attribute.uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e",
+ "misp.attribute_count": 6,
+ "misp.context.attribute.category": "Payload delivery",
+ "misp.context.attribute.comment": "filename contect for test event 3",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3633",
+ "misp.context.attribute.id": "266263",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1621589229",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "filename",
+ "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
+ "misp.context.attribute.value": "thetestfile.txt",
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3633",
+ "misp.info": "Test event 3 objects and attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.file.hash.sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3633",
- "threatintel.misp.attribute.id": "266265",
- "threatintel.misp.attribute.object_id": "18207",
- "threatintel.misp.attribute.object_relation": "sha256",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621589548",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "sha256",
- "threatintel.misp.attribute.uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e",
- "threatintel.misp.attribute_count": "6",
- "threatintel.misp.context.attribute.category": "Payload delivery",
- "threatintel.misp.context.attribute.comment": "filename contect for test event 3",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3633",
- "threatintel.misp.context.attribute.id": "266263",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1621589229",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "filename",
- "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
- "threatintel.misp.context.attribute.value": "thetestfile.txt",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3633",
- "threatintel.misp.info": "Test event 3 objects and attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha256": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -582,63 +600,65 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 17926,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3633",
+ "misp.attribute.id": "266266",
+ "misp.attribute.object_id": "18207",
+ "misp.attribute.object_relation": "filename",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621589548",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "filename",
+ "misp.attribute.uuid": "6648d129-9200-431b-9b41-263a84f7c9d2",
+ "misp.attribute_count": 6,
+ "misp.context.attribute.category": "Payload delivery",
+ "misp.context.attribute.comment": "filename contect for test event 3",
+ "misp.context.attribute.deleted": false,
+ "misp.context.attribute.disable_correlation": false,
+ "misp.context.attribute.distribution": 5,
+ "misp.context.attribute.event_id": "3633",
+ "misp.context.attribute.id": "266263",
+ "misp.context.attribute.object_id": "0",
+ "misp.context.attribute.sharing_group_id": "0",
+ "misp.context.attribute.timestamp": "1621589229",
+ "misp.context.attribute.to_ids": false,
+ "misp.context.attribute.type": "filename",
+ "misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
+ "misp.context.attribute.value": "thetestfile.txt",
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3633",
+ "misp.info": "Test event 3 objects and attributes",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 1,
+ "misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.file.name": "filenameofobject.txt",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3633",
- "threatintel.misp.attribute.id": "266266",
- "threatintel.misp.attribute.object_id": "18207",
- "threatintel.misp.attribute.object_relation": "filename",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621589548",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "filename",
- "threatintel.misp.attribute.uuid": "6648d129-9200-431b-9b41-263a84f7c9d2",
- "threatintel.misp.attribute_count": "6",
- "threatintel.misp.context.attribute.category": "Payload delivery",
- "threatintel.misp.context.attribute.comment": "filename contect for test event 3",
- "threatintel.misp.context.attribute.deleted": false,
- "threatintel.misp.context.attribute.disable_correlation": false,
- "threatintel.misp.context.attribute.distribution": "5",
- "threatintel.misp.context.attribute.event_id": "3633",
- "threatintel.misp.context.attribute.id": "266263",
- "threatintel.misp.context.attribute.object_id": "0",
- "threatintel.misp.context.attribute.sharing_group_id": "0",
- "threatintel.misp.context.attribute.timestamp": "1621589229",
- "threatintel.misp.context.attribute.to_ids": false,
- "threatintel.misp.context.attribute.type": "filename",
- "threatintel.misp.context.attribute.uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3",
- "threatintel.misp.context.attribute.value": "thetestfile.txt",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3633",
- "threatintel.misp.info": "Test event 3 objects and attributes",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 1,
- "threatintel.misp.uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.name": "filenameofobject.txt",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -654,49 +674,51 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 20372,
+ "misp.attribute.category": "Other",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3634",
+ "misp.attribute.id": "266269",
+ "misp.attribute.object_id": "18208",
+ "misp.attribute.object_relation": "text",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621591770",
+ "misp.attribute.to_ids": false,
+ "misp.attribute.type": "text",
+ "misp.attribute.uuid": "25d2f181-26ae-4d6f-b4fd-85b9d1f82e67",
+ "misp.attribute.value": "Free text in the file object",
+ "misp.attribute_count": 3,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3634",
+ "misp.info": "Test event 4 with object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "unknown",
- "threatintel.misp.attribute.category": "Other",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3634",
- "threatintel.misp.attribute.id": "266269",
- "threatintel.misp.attribute.object_id": "18208",
- "threatintel.misp.attribute.object_relation": "text",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621591770",
- "threatintel.misp.attribute.to_ids": false,
- "threatintel.misp.attribute.type": "text",
- "threatintel.misp.attribute.uuid": "25d2f181-26ae-4d6f-b4fd-85b9d1f82e67",
- "threatintel.misp.attribute.value": "Free text in the file object",
- "threatintel.misp.attribute_count": "3",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3634",
- "threatintel.misp.info": "Test event 4 with object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "unknown",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -712,49 +734,51 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 21959,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": false,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3634",
+ "misp.attribute.id": "266270",
+ "misp.attribute.object_id": "18208",
+ "misp.attribute.object_relation": "sha256",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621591770",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "sha256",
+ "misp.attribute.uuid": "4e579782-346b-44b3-b72c-1cae8d87cb25",
+ "misp.attribute_count": 3,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3634",
+ "misp.info": "Test event 4 with object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": false,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3634",
- "threatintel.misp.attribute.id": "266270",
- "threatintel.misp.attribute.object_id": "18208",
- "threatintel.misp.attribute.object_relation": "sha256",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621591770",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "sha256",
- "threatintel.misp.attribute.uuid": "4e579782-346b-44b3-b72c-1cae8d87cb25",
- "threatintel.misp.attribute_count": "3",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3634",
- "threatintel.misp.info": "Test event 4 with object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc666",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -770,49 +794,51 @@
 "fileset.name": "misp",
 "input.type": "log",
 "log.offset": 23597,
+ "misp.attribute.category": "Payload delivery",
+ "misp.attribute.comment": "",
+ "misp.attribute.deleted": false,
+ "misp.attribute.disable_correlation": true,
+ "misp.attribute.distribution": 5,
+ "misp.attribute.event_id": "3634",
+ "misp.attribute.id": "266271",
+ "misp.attribute.object_id": "18208",
+ "misp.attribute.object_relation": "filename",
+ "misp.attribute.sharing_group_id": "0",
+ "misp.attribute.timestamp": "1621591770",
+ "misp.attribute.to_ids": true,
+ "misp.attribute.type": "filename",
+ "misp.attribute.uuid": "a40343b5-a480-4288-9b0c-7ae074a77140",
+ "misp.attribute_count": 3,
+ "misp.date": "2021-05-21",
+ "misp.disable_correlation": false,
+ "misp.distribution": "1",
+ "misp.extends_uuid": "",
+ "misp.id": "3634",
+ "misp.info": "Test event 4 with object",
+ "misp.locked": false,
+ "misp.org_id": "1",
+ "misp.orgc.id": "1",
+ "misp.orgc.local": true,
+ "misp.orgc.name": "ORGNAME",
+ "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
+ "misp.orgc_id": "1",
+ "misp.proposal_email_lock": false,
+ "misp.publish_timestamp": "0",
+ "misp.published": false,
+ "misp.sharing_group_id": "0",
+ "misp.threat_level_id": 3,
+ "misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-misp"
 ],
- "threatintel.indicator.file.name": "filenameinmispobject.txt",
- "threatintel.indicator.provider": "misp",
- "threatintel.indicator.scanner_stats": 0,
- "threatintel.indicator.type": "file",
- "threatintel.misp.attribute.category": "Payload delivery",
- "threatintel.misp.attribute.comment": "",
- "threatintel.misp.attribute.deleted": false,
- "threatintel.misp.attribute.disable_correlation": true,
- "threatintel.misp.attribute.distribution": "5",
- "threatintel.misp.attribute.event_id": "3634",
- "threatintel.misp.attribute.id": "266271",
- "threatintel.misp.attribute.object_id": "18208",
- "threatintel.misp.attribute.object_relation": "filename",
- "threatintel.misp.attribute.sharing_group_id": "0",
- "threatintel.misp.attribute.timestamp": "1621591770",
- "threatintel.misp.attribute.to_ids": true,
- "threatintel.misp.attribute.type": "filename",
- "threatintel.misp.attribute.uuid": "a40343b5-a480-4288-9b0c-7ae074a77140",
- "threatintel.misp.attribute_count": "3",
- "threatintel.misp.date": "2021-05-21",
- "threatintel.misp.disable_correlation": false,
- "threatintel.misp.distribution": "1",
- "threatintel.misp.extends_uuid": "",
- "threatintel.misp.id": "3634",
- "threatintel.misp.info": "Test event 4 with object",
- "threatintel.misp.locked": false,
- "threatintel.misp.org_id": "1",
- "threatintel.misp.orgc.id": "1",
- "threatintel.misp.orgc.local": true,
- "threatintel.misp.orgc.name": "ORGNAME",
- "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488",
- "threatintel.misp.orgc_id": "1",
- "threatintel.misp.proposal_email_lock": false,
- "threatintel.misp.publish_timestamp": "0",
- "threatintel.misp.published": false,
- "threatintel.misp.sharing_group_id": "0",
- "threatintel.misp.threat_level_id": 3,
- "threatintel.misp.uuid": "d98a8418-9f90-4b50-a623-6921ca5b356d",
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] MISP",
+ "threat.indicator.file.name": "filenameinmispobject.txt",
+ "threat.indicator.provider": "misp",
+ "threat.indicator.scanner_stats": 0,
+ "threat.indicator.type": "file",
 "user.email": "admin@admin.test",
 "user.roles": [
 "reporting_user"
@@ -828,49 +854,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 25198, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3635", + "misp.attribute.id": "266272", + "misp.attribute.object_id": "18209", + "misp.attribute.object_relation": "text", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621592379", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "188a6a15-5704-4e4f-acba-22c55ab08fe8", + "misp.attribute.value": "Object 5 free text attribute in object", + "misp.attribute_count": 5, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3635", + "misp.info": "Test event 5 with an object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3635", - "threatintel.misp.attribute.id": "266272", - "threatintel.misp.attribute.object_id": "18209", - 
"threatintel.misp.attribute.object_relation": "text", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621592379", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "188a6a15-5704-4e4f-acba-22c55ab08fe8", - "threatintel.misp.attribute.value": "Object 5 free text attribute in object", - "threatintel.misp.attribute_count": "5", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3635", - "threatintel.misp.info": "Test event 5 with an object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
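Review bot: `"misp.attribute.timestamp": "1621592379"` and `"misp.publish_timestamp": "0"` are epoch-second values kept as strings, so they cannot be range-queried as dates or compared against `@timestamp`, while `misp.date` in the same record is a real date string. Since this commit already moves the whole namespace from `threatintel.misp.*` to `misp.*` (a breaking change for any existing consumer), it is the natural moment to either map these as `date` with an epoch-second format in the field definitions or, at minimum, spell out the unit in the field description (`Attribute timestamp, seconds since the Unix epoch`); I cannot see the field definitions from here. The `"0"` publish timestamp alongside `"misp.published": false` also reads as an unpublished sentinel rather than a real time, which is worth stating in the description so a future date mapping does not index it as 1970. This applies to the same two fields in every other misp record in this view.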
@@ -886,49 +914,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 26791, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3635", + "misp.attribute.id": "266275", + "misp.attribute.object_id": "18209", + "misp.attribute.object_relation": "entropy", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621592379", + "misp.attribute.to_ids": false, + "misp.attribute.type": "float", + "misp.attribute.uuid": "2400b103-4a33-4f92-ac04-a558b6c6e252", + "misp.attribute.value": "0.53535445", + "misp.attribute_count": 5, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3635", + "misp.info": "Test event 5 with an object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3635", - "threatintel.misp.attribute.id": "266275", - "threatintel.misp.attribute.object_id": "18209", - "threatintel.misp.attribute.object_relation": "entropy", - 
"threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621592379", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "float", - "threatintel.misp.attribute.uuid": "2400b103-4a33-4f92-ac04-a558b6c6e252", - "threatintel.misp.attribute.value": "0.53535445", - "threatintel.misp.attribute_count": "5", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3635", - "threatintel.misp.info": "Test event 5 with an object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -944,49 +974,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 28360, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3635", + "misp.attribute.id": "266276", + "misp.attribute.object_id": "18209", + "misp.attribute.object_relation": "size-in-bytes", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621592379", + "misp.attribute.to_ids": false, + "misp.attribute.type": "size-in-bytes", + "misp.attribute.uuid": "e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7", + "misp.attribute.value": "55555", + "misp.attribute_count": 5, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3635", + "misp.info": "Test event 5 with an object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3635", - "threatintel.misp.attribute.id": "266276", - "threatintel.misp.attribute.object_id": "18209", - "threatintel.misp.attribute.object_relation": 
"size-in-bytes", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621592379", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "size-in-bytes", - "threatintel.misp.attribute.uuid": "e5ea3ec0-cdf4-4d3e-bd66-a7bf384fd3d7", - "threatintel.misp.attribute.value": "55555", - "threatintel.misp.attribute_count": "5", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3635", - "threatintel.misp.info": "Test event 5 with an object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1002,49 +1034,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 29938, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3635", + "misp.attribute.id": "266273", + "misp.attribute.object_id": "18209", + "misp.attribute.object_relation": "sha256", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621592379", + "misp.attribute.to_ids": true, + "misp.attribute.type": "sha256", + "misp.attribute.uuid": "803f10bd-9087-4169-8699-277579a92693", + "misp.attribute_count": 5, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3635", + "misp.info": "Test event 5 with an object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3635", - "threatintel.misp.attribute.id": "266273", - 
"threatintel.misp.attribute.object_id": "18209", - "threatintel.misp.attribute.object_relation": "sha256", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621592379", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "sha256", - "threatintel.misp.attribute.uuid": "803f10bd-9087-4169-8699-277579a92693", - "threatintel.misp.attribute_count": "5", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3635", - "threatintel.misp.info": "Test event 5 with an object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.sha256": "567caa7653723f8818ec9eb6f2e27f6d9d8c0aca0c96fc457659340e7bbdc665", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1060,49 +1094,51 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 31572, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3635", + "misp.attribute.id": "266274", + "misp.attribute.object_id": "18209", + "misp.attribute.object_relation": "filename", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1621592379", + "misp.attribute.to_ids": true, + "misp.attribute.type": "filename", + "misp.attribute.uuid": "e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f", + "misp.attribute_count": 5, + "misp.date": "2021-05-21", + "misp.disable_correlation": false, + "misp.distribution": "1", + "misp.extends_uuid": "", + "misp.id": "3635", + "misp.info": "Test event 5 with an object", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.name": "object5.txt", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3635", - "threatintel.misp.attribute.id": "266274", - "threatintel.misp.attribute.object_id": "18209", - 
"threatintel.misp.attribute.object_relation": "filename", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1621592379", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "filename", - "threatintel.misp.attribute.uuid": "e5c7a9f0-c0e1-4024-9ab8-de8a1b403e4f", - "threatintel.misp.attribute_count": "5", - "threatintel.misp.date": "2021-05-21", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "1", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3635", - "threatintel.misp.info": "Test event 5 with an object", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "8b8786f1-07f2-4bfc-a3f0-e63c22fcc25e", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.name": "object5.txt", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1118,63 +1154,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 33156, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266278", + "misp.attribute.object_id": "18210", + "misp.attribute.object_relation": "text", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200348", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "955e34a5-a630-42c9-868d-6e3dcb575987", + "misp.attribute.value": "Excutable create bad pipe", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + 
"misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266278", - "threatintel.misp.attribute.object_id": "18210", - "threatintel.misp.attribute.object_relation": "text", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200348", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "955e34a5-a630-42c9-868d-6e3dcb575987", - "threatintel.misp.attribute.value": "Excutable create bad pipe", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - 
"threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1190,63 +1228,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 35151, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266281", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "size-in-bytes", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "size-in-bytes", + "misp.attribute.uuid": "2fa7721b-ad73-4914-b082-8d44233ced98", + "misp.attribute.value": "3892", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + 
"misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266281", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "size-in-bytes", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "size-in-bytes", - "threatintel.misp.attribute.uuid": "2fa7721b-ad73-4914-b082-8d44233ced98", - "threatintel.misp.attribute.value": "3892", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - 
"threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1262,63 +1302,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 37149, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266283", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "name", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "d35c1ff8-a69c-482b-8fb0-1182988d9468", + "misp.attribute.value": ".data", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + 
"misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266283", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "name", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "d35c1ff8-a69c-482b-8fb0-1182988d9468", - "threatintel.misp.attribute.value": ".data", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - 
"threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1334,63 +1376,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 39130, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266284", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "text", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "text", + "misp.attribute.uuid": "dc11971a-a676-4676-b24c-a45a8791e0b0", + "misp.attribute.value": "Extracted zip archive data", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + 
"misp.threat_level_id": 1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266284", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "text", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "text", - "threatintel.misp.attribute.uuid": "dc11971a-a676-4676-b24c-a45a8791e0b0", - "threatintel.misp.attribute.value": "Extracted zip archive data", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - 
"threatintel.misp.date": "2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
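Review bot: The new side gives `misp.attribute.distribution` and `misp.context.attribute.distribution` as the number `5` while `misp.distribution` stays the string `"0"`, so the same MISP concept now has two JSON types depending on nesting level; the same holds for the hunks at `@@ -1406`, `@@ -1478`, `@@ -1550` and `@@ -1622`. Since this file is expected pipeline output, the inconsistency presumably comes from a convert step that covers the attribute-level fields but not the event-level one, and the field mapping in fields.yml should be checked to agree with whichever type is intended. The same question applies to `misp.attribute_count`, which is now `9` (number) while the id/timestamp fields remain strings.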
@@ -1406,63 +1450,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 41132, + "misp.attribute.category": "Other", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266285", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "entropy", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": false, + "misp.attribute.type": "float", + "misp.attribute.uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb", + "misp.attribute.value": "7.93280431051", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 
1, + "misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "unknown", - "threatintel.misp.attribute.category": "Other", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266285", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "entropy", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": false, - "threatintel.misp.attribute.type": "float", - "threatintel.misp.attribute.uuid": "a85c0cbb-25a8-4bc9-b146-3cba1020e5bb", - "threatintel.misp.attribute.value": "7.93280431051", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - 
"threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "unknown", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1478,63 +1524,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 43125, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266279", + "misp.attribute.object_id": "18210", + "misp.attribute.object_relation": "md5", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200348", + "misp.attribute.to_ids": true, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "1c97c043-5de2-41a1-b591-3237174cd290", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": 
"81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "7392463caf95534d56460bc9f360adc1", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266279", - "threatintel.misp.attribute.object_id": "18210", - "threatintel.misp.attribute.object_relation": "md5", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200348", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "1c97c043-5de2-41a1-b591-3237174cd290", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": 
"2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "7392463caf95534d56460bc9f360adc1", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1550,63 +1598,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 45136, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": false, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266282", + "misp.attribute.object_id": "18211", + "misp.attribute.object_relation": "md5", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200780", + "misp.attribute.to_ids": true, + "misp.attribute.type": "md5", + "misp.attribute.uuid": "f3b8696e-5390-4383-ace2-6e06bfae497d", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": 
"81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.hash.md5": "7295463caf95534d56460bc9f360adc1", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": false, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266282", - "threatintel.misp.attribute.object_id": "18211", - "threatintel.misp.attribute.object_relation": "md5", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200780", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "md5", - "threatintel.misp.attribute.uuid": "f3b8696e-5390-4383-ace2-6e06bfae497d", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": 
"2021-05-28", - "threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.hash.md5": "7295463caf95534d56460bc9f360adc1", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" 
@@ -1622,63 +1672,65 @@ "fileset.name": "misp", "input.type": "log", "log.offset": 47153, + "misp.attribute.category": "Payload delivery", + "misp.attribute.comment": "", + "misp.attribute.deleted": false, + "misp.attribute.disable_correlation": true, + "misp.attribute.distribution": 5, + "misp.attribute.event_id": "3636", + "misp.attribute.id": "266280", + "misp.attribute.object_id": "18210", + "misp.attribute.object_relation": "filename", + "misp.attribute.sharing_group_id": "0", + "misp.attribute.timestamp": "1622200348", + "misp.attribute.to_ids": true, + "misp.attribute.type": "filename", + "misp.attribute.uuid": "2dfcb937-e6af-4b5d-ad50-f8eb975990f3", + "misp.attribute_count": 9, + "misp.context.attribute.category": "Artifacts dropped", + "misp.context.attribute.comment": "", + "misp.context.attribute.deleted": false, + "misp.context.attribute.disable_correlation": false, + "misp.context.attribute.distribution": 5, + "misp.context.attribute.event_id": "3636", + "misp.context.attribute.id": "266277", + "misp.context.attribute.object_id": "0", + "misp.context.attribute.sharing_group_id": "0", + "misp.context.attribute.timestamp": "1622200249", + "misp.context.attribute.to_ids": false, + "misp.context.attribute.type": "windows-service-name", + "misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", + "misp.context.attribute.value": "badmojopipe", + "misp.date": "2021-05-28", + "misp.disable_correlation": false, + "misp.distribution": "0", + "misp.extends_uuid": "", + "misp.id": "3636", + "misp.info": "Test event 6 with multiple objects and multiple attributes", + "misp.locked": false, + "misp.org_id": "1", + "misp.orgc.id": "1", + "misp.orgc.local": true, + "misp.orgc.name": "ORGNAME", + "misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", + "misp.orgc_id": "1", + "misp.proposal_email_lock": false, + "misp.publish_timestamp": "0", + "misp.published": false, + "misp.sharing_group_id": "0", + "misp.threat_level_id": 1, + "misp.uuid": 
"81aea1d1-bb23-4bcd-9b0c-496e9ce028df", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-misp" ], - "threatintel.indicator.file.name": "badmojopipe.exe", - "threatintel.indicator.provider": "misp", - "threatintel.indicator.scanner_stats": 0, - "threatintel.indicator.type": "file", - "threatintel.misp.attribute.category": "Payload delivery", - "threatintel.misp.attribute.comment": "", - "threatintel.misp.attribute.deleted": false, - "threatintel.misp.attribute.disable_correlation": true, - "threatintel.misp.attribute.distribution": "5", - "threatintel.misp.attribute.event_id": "3636", - "threatintel.misp.attribute.id": "266280", - "threatintel.misp.attribute.object_id": "18210", - "threatintel.misp.attribute.object_relation": "filename", - "threatintel.misp.attribute.sharing_group_id": "0", - "threatintel.misp.attribute.timestamp": "1622200348", - "threatintel.misp.attribute.to_ids": true, - "threatintel.misp.attribute.type": "filename", - "threatintel.misp.attribute.uuid": "2dfcb937-e6af-4b5d-ad50-f8eb975990f3", - "threatintel.misp.attribute_count": "9", - "threatintel.misp.context.attribute.category": "Artifacts dropped", - "threatintel.misp.context.attribute.comment": "", - "threatintel.misp.context.attribute.deleted": false, - "threatintel.misp.context.attribute.disable_correlation": false, - "threatintel.misp.context.attribute.distribution": "5", - "threatintel.misp.context.attribute.event_id": "3636", - "threatintel.misp.context.attribute.id": "266277", - "threatintel.misp.context.attribute.object_id": "0", - "threatintel.misp.context.attribute.sharing_group_id": "0", - "threatintel.misp.context.attribute.timestamp": "1622200249", - "threatintel.misp.context.attribute.to_ids": false, - "threatintel.misp.context.attribute.type": "windows-service-name", - "threatintel.misp.context.attribute.uuid": "3bd56a61-77f0-4885-8d1c-8bd2e39b65fb", - "threatintel.misp.context.attribute.value": "badmojopipe", - "threatintel.misp.date": "2021-05-28", - 
"threatintel.misp.disable_correlation": false, - "threatintel.misp.distribution": "0", - "threatintel.misp.extends_uuid": "", - "threatintel.misp.id": "3636", - "threatintel.misp.info": "Test event 6 with multiple objects and multiple attributes", - "threatintel.misp.locked": false, - "threatintel.misp.org_id": "1", - "threatintel.misp.orgc.id": "1", - "threatintel.misp.orgc.local": true, - "threatintel.misp.orgc.name": "ORGNAME", - "threatintel.misp.orgc.uuid": "78acad2d-cc2d-4785-94d6-b428a0070488", - "threatintel.misp.orgc_id": "1", - "threatintel.misp.proposal_email_lock": false, - "threatintel.misp.publish_timestamp": "0", - "threatintel.misp.published": false, - "threatintel.misp.sharing_group_id": "0", - "threatintel.misp.threat_level_id": 1, - "threatintel.misp.uuid": "81aea1d1-bb23-4bcd-9b0c-496e9ce028df", + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] MISP", + "threat.indicator.file.name": "badmojopipe.exe", + "threat.indicator.provider": "misp", + "threat.indicator.scanner_stats": 0, + "threat.indicator.type": "file", "user.email": "admin@admin.test", "user.roles": [ "reporting_user" diff --git a/x-pack/filebeat/module/threatintel/otx/config/config.yml b/x-pack/filebeat/module/threatintel/otx/config/config.yml index 9e2f5169e6f..fe18e1141d3 100644 --- a/x-pack/filebeat/module/threatintel/otx/config/config.yml +++ b/x-pack/filebeat/module/threatintel/otx/config/config.yml @@ -55,17 +55,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: ["json.id"] - target_field: "@metadata._id" - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} 
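Review bot: The replacement `tags:` template emits each tag as a bare scalar with `- {{$val}}`, whereas the removed line went through `tojson`, so a tag containing a YAML-significant character (`:`, `#`, a leading `[`) would now break config parsing instead of being quoted; `- {{$val | tojson}}` keeps the previous safety and `tojson` is already available in this template. Separately, when `preserve_original_event` is false and `.tags` is empty the key renders as `tags:` with no items, which YAML reads as null rather than an empty list; this appears to be acceptable only because the manifest supplies a non-empty default.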
diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml index 4cb3ed37aef..4b3f6aeaea6 100644 --- a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml @@ -1,4 +1,5 @@ -description: Pipeline for parsing MISP Threat Intel +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel processors: #################### # Event ECS fields # @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment 
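Review bot: The new `description` reads `Pipeline for parsing Abuse.ch URL Threat Intel`, but this is the OTX pipeline and the feed name it sets later in the same file is `[Filebeat] Alienvault OTX`, so the text looks like a copy-paste from the abuseurl pipeline. It should be `description: Pipeline for parsing Alienvault OTX Threat Intel` (the previous text, `MISP Threat Intel`, was also wrong for this file, so the fix is worth doing now while the line is touched).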
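Review bot: The added `set` writes `ecs.version` as `"1.12"`, while the `add_fields` processor removed from config.yml in this same change used `1.12.0`; the value is a string that downstream consumers and dashboards compare literally, so the two-part form is a silent change of the emitted value. If the other feeds in this commit were aligned to `"1.12"` this is just worth confirming, otherwise `value: "1.12.0"` keeps the previous output.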
@@ -20,108 +24,126 @@ processors: # General ECS fields # ###################### - rename: - field: json - target_field: threatintel.otx + field: message + target_field: event.original ignore_missing: true + - json: + field: event.original + target_field: otx + - fingerprint: + fields: + - otx.id + target_field: "_id" ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] Alienvault OTX" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" ## File indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx.threatintel?.otx?.type.startsWith('FileHash') || ctx.threatintel?.otx?.type == 'filepath'" + if: "ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.md5 + field: otx.indicator + target_field: threat.indicator.file.hash.md5 ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-MD5'" + if: "ctx.otx?.type == 'FileHash-MD5'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.sha1 + field: otx.indicator + target_field: threat.indicator.file.hash.sha1 ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-SHA1'" + if: "ctx.otx?.type == 'FileHash-SHA1'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.sha256 + field: otx.indicator + target_field: threat.indicator.file.hash.sha256 ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-SHA256'" + if: "ctx.otx?.type == 'FileHash-SHA256'" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.pehash + field: otx.indicator + target_field: threat.indicator.file.hash.pehash ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-PEHASH'" + if: "ctx.otx?.type == 'FileHash-PEHASH'" - 
rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.file.hash.imphash + field: otx.indicator + target_field: threat.indicator.file.hash.imphash ignore_missing: true - if: "ctx.threatintel?.otx?.type == 'FileHash-IMPHASH'" + if: "ctx.otx?.type == 'FileHash-IMPHASH'" ## IP indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv4-addr - if: ctx.threatintel?.otx?.type == 'IPv4' + if: ctx.otx?.type == 'IPv4' - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv6-addr - if: ctx.threatintel?.otx?.type == 'IPv6' + if: ctx.otx?.type == 'IPv6' - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.ip + field: otx.indicator + target_field: threat.indicator.ip ignore_missing: true - if: "ctx?.threatintel?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx?.threatintel?.indicator?.type)" + if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" ## URL indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: url - if: "ctx?.threatintel?.indicator?.type == null && ['URL', 'URI'].contains(ctx.threatintel?.otx?.type)" + if: "ctx.threat?.indicator?.type == null && ['URL', 'URI'].contains(ctx.otx?.type)" - uri_parts: - field: threatintel.otx.indicator - target_field: threatintel.indicator.url + field: otx.indicator + target_field: threat.indicator.url keep_original: true remove_if_successful: true - if: ctx?.threatintel?.indicator?.type == 'url' + if: ctx.threat?.indicator?.type == 'url' - set: - field: threatintel.indicator.url.full - value: "{{{threatintel.indicator.url.original}}}" + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" ignore_empty_value: true - if: "ctx?.threatintel?.otx?.type == 'URL'" + if: "ctx.otx?.type == 'URL'" ## Email indicator operations - set: - field: threatintel.indicator.type 
+ field: threat.indicator.type value: email-addr - if: ctx?.threatintel?.otx?.type == 'email' + if: ctx.otx?.type == 'email' - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.email.address + field: otx.indicator + target_field: threat.indicator.email.address ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'email-addr'" + if: "ctx.threat?.indicator?.type == 'email-addr'" ## Domain indicator operations - set: - field: threatintel.indicator.type + field: threat.indicator.type value: domain-name - if: "ctx?.threatintel?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.threatintel?.otx?.type)" + if: "ctx.threat?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.otx?.type)" - rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.url.domain + field: otx.indicator + target_field: threat.indicator.url.domain ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'domain-name' && ctx.threatintel?.indicator?.url?.domain == null" + if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.threat?.indicator?.url?.domain == null" ###################### # Cleanup processors # ###################### + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx.otx != null source: | void handleMap(Map map) { for (def x : map.values()) { 
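Review bot: The file-indicator `set` still uses `if: "ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'"`; the null-safe operator protects `otx` but not `type`, so an OTX record without `type` throws a NullPointerException in the condition and drops into `on_failure` instead of evaluating false. This predates the rename, but since the line is rewritten here a guarded form would be `if: "ctx.otx?.type != null && (ctx.otx.type.startsWith('FileHash') || ctx.otx.type == 'filepath')"`. Related: the new `fingerprint` on `otx.id` has no `ignore_missing: true`, so a record lacking `id` now fails the whole pipeline where the removed beat-side fingerprint simply produced no `@metadata._id`; decide which behaviour is intended and document it. The hunk ends inside the painless `script` source, so the rest of that processor was not reviewed.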
@@ -145,16 +167,16 @@ processors: handleMap(ctx); - remove: field: - - threatintel.otx.content + - otx.content ignore_missing: true - if: ctx?.threatintel?.otx?.content == "" + if: ctx.otx?.content == "" - remove: field: - - threatintel.otx.type - - threatintel.otx.id + - otx.type + - otx.id - message ignore_missing: true - if: ctx?.threatintel?.indicator?.type != null + if: ctx.threat?.indicator?.type != null on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/threatintel/otx/manifest.yml b/x-pack/filebeat/module/threatintel/otx/manifest.yml index 0fdefa51d76..72830224984 100644 --- a/x-pack/filebeat/module/threatintel/otx/manifest.yml +++ b/x-pack/filebeat/module/threatintel/otx/manifest.yml @@ -20,6 +20,8 @@ var: - name: tags default: [threatintel-otx, forwarded] - name: proxy_url + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json index e56752d47c3..590bc64bfbc 100644 --- a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json @@ -13,8 +13,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "86.104.194.30", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "86.104.194.30", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
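Review bot: The guard `if: ctx.threat?.indicator?.type != null` on the second remove processor in this hunk looks effectively always true, because the cleanup block visible just above it (whose hunk starts outside this one) sets `threat.indicator.type` to `unknown` whenever it is still null before the script runs. As written, `otx.type`, `otx.id` and `message` are therefore dropped unconditionally, which is fine if that is the intent, but then the condition only misleads the next reader. If the intent was instead to keep the raw `message` for indicators the pipeline could not classify, that remove would need to run before the `unknown` default is applied, or its condition changed to `if: ctx.threat?.indicator?.type != 'unknown'`. Either way a one-line comment on the processor stating which is intended would help, e.g. `# message and the raw otx.* fields are always dropped once an indicator type (possibly 'unknown') has been assigned`. The enclosing processors list starts and ends outside this hunk.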
@@ -25,15 +27,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 102,
+ "otx.description": "MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65",
+ "otx.title": "Win32:Hoblig-B",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.md5": "90421f8531f963d81cf54245b72cde80",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of a5725af4391d21a232dc6d4ad33d7d915bd190bdac9b1826b73f364dc5c1aa65",
- "threatintel.otx.title": "Win32:Hoblig-B"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "90421f8531f963d81cf54245b72cde80",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -49,8 +53,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "ip.anysrc.net"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "ip.anysrc.net"
 },
 {
 "event.category": "threat",
@@ -66,8 +72,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.ip": "107.173.58.176",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "107.173.58.176",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -83,8 +91,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -95,14 +105,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 688,
+ "otx.description": "MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.md5": "f8e58af3ffefd4037fef246e93a55dc8",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "f8e58af3ffefd4037fef246e93a55dc8",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -118,8 +130,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -130,14 +144,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 1053,
+ "otx.title": "Win64:Malware-gen",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -153,8 +169,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.ip": "213.252.244.38",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "213.252.244.38",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -170,8 +188,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -187,8 +207,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -199,14 +221,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 1671,
+ "otx.description": "MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.md5": "aeb08b0651bc8a13dcf5e5f6c0d482f8",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "aeb08b0651bc8a13dcf5e5f6c0d482f8",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -222,8 +246,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -239,8 +265,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -256,8 +284,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -273,8 +303,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -290,8 +322,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -302,15 +336,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 2703,
+ "otx.description": "MD5 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
+ "otx.title": "Win64:Malware-gen",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.md5": "29340643ca2e6677c19e1d3bf351d654",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "29340643ca2e6677c19e1d3bf351d654",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -321,15 +357,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 2919,
+ "otx.description": "MD5 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
+ "otx.title": "Win64:Malware-gen",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.md5": "86c314bc2dc37ba84f7364acd5108c2b",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "86c314bc2dc37ba84f7364acd5108c2b",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -340,15 +378,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 3135,
+ "otx.description": "MD5 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
+ "otx.title": "Trojan:Win32/Occamy.B",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.md5": "cb0c1248d3899358a375888bb4e8f3fe",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
- "threatintel.otx.title": "Trojan:Win32/Occamy.B"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "cb0c1248d3899358a375888bb4e8f3fe",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -359,15 +399,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 3355,
+ "otx.description": "MD5 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
+ "otx.title": "Win64:Malware-gen",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.md5": "d348f536e214a47655af387408b4fca5",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "d348f536e214a47655af387408b4fca5",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -378,14 +420,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 3571,
+ "otx.title": "vad_contains_network_strings",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "vad_contains_network_strings"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -401,8 +445,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -418,8 +464,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -430,14 +478,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 4098,
+ "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -453,8 +503,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -465,15 +517,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 4470,
+ "otx.description": "MD5 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
+ "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.md5": "14b74cb9be8cad8eb5fa8842d00bb692",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
- "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "14b74cb9be8cad8eb5fa8842d00bb692",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -484,15 +538,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 4709,
+ "otx.description": "SHA1 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
+ "otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha1": "a5b59f7d133e354dfc73f40517aab730f322f0ef",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "SHA1 of 465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa",
- "threatintel.otx.title": "Win.Malware.TrickbotSystemInfo-6335590-0"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "a5b59f7d133e354dfc73f40517aab730f322f0ef",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -508,8 +564,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -520,15 +578,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 5125,
+ "otx.description": "MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b",
+ "otx.title": "vad_contains_network_strings",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.md5": "ff2dcea4963e060a658f4dffbb119529",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 5cb822616d2c9435c9ddd060d6abdbc286ab57cfcf6dc64768c52976029a925b",
- "threatintel.otx.title": "vad_contains_network_strings"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "ff2dcea4963e060a658f4dffbb119529",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -539,15 +599,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 5352,
+ "otx.description": "MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413",
+ "otx.title": "vad_contains_network_strings",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.md5": "0d73f1a1c4b2f8723fffc83eb3d00f31",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "MD5 of 29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413",
- "threatintel.otx.title": "vad_contains_network_strings"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.md5": "0d73f1a1c4b2f8723fffc83eb3d00f31",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -563,8 +625,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.ip": "185.25.50.167",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "185.25.50.167",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -580,8 +644,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -597,8 +663,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -609,14 +677,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 6018,
+ "otx.title": "Trojan:Win32/Occamy.B",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Trojan:Win32/Occamy.B"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -627,14 +697,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 6204,
+ "otx.title": "Win64:Malware-gen",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -650,8 +722,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -662,14 +736,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 6553,
+ "otx.title": "Win64:Malware-gen",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -680,14 +756,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 6735,
+ "otx.title": "Win64:Malware-gen",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -703,8 +781,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e",
- "threatintel.indicator.type": "file"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -715,15 +795,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 7084,
+ "otx.description": "SHA1 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
+ "otx.title": "Win64:Malware-gen",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha1": "ad20c6fac565f901c82a21b70f9739037eb54818",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "SHA1 of 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "ad20c6fac565f901c82a21b70f9739037eb54818",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -734,15 +816,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 7310,
+ "otx.description": "SHA1 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
+ "otx.title": "Win64:Malware-gen",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha1": "13f11e273f9a4a56557f03821c3bfd591cca6ebc",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "SHA1 of 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "13f11e273f9a4a56557f03821c3bfd591cca6ebc",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -753,15 +837,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 7536,
+ "otx.description": "SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
+ "otx.title": "Win64:Malware-gen",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha1": "1581fe76e3c96dc33182daafd09c8cf5c17004e0",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "SHA1 of 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec",
- "threatintel.otx.title": "Win64:Malware-gen"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "1581fe76e3c96dc33182daafd09c8cf5c17004e0",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -772,15 +858,17 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 7762,
+ "otx.description": "SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
+ "otx.title": "Trojan:Win32/Occamy.B",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha1": "b72e75e9e901a44b655a5cf89cf0eadcaff46037",
- "threatintel.indicator.type": "file",
- "threatintel.otx.description": "SHA1 of 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56",
- "threatintel.otx.title": "Trojan:Win32/Occamy.B"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha1": "b72e75e9e901a44b655a5cf89cf0eadcaff46037",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -796,8 +884,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.type": "domain-name",
- "threatintel.indicator.url.domain": "maper.info"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.type": "domain-name",
+ "threat.indicator.url.domain": "maper.info"
 },
 {
 "event.category": "threat",
@@ -813,8 +903,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.ip": "213.252.244.126",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "213.252.244.126",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -830,8 +922,10 @@
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.ip": "78.129.139.131",
- "threatintel.indicator.type": "ipv4-addr"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.ip": "78.129.139.131",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -842,14 +936,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 8309,
+ "otx.title": "xor_0x20_xord_javascript",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "xor_0x20_xord_javascript"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -860,14 +956,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 8498,
+ "otx.title": "xor_0x20_xord_javascript",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "xor_0x20_xord_javascript"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -878,14 +976,16 @@
 "fileset.name": "otx",
 "input.type": "log",
 "log.offset": 8687,
+ "otx.title": "xor_0x20_xord_javascript",
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-otx"
 ],
- "threatintel.indicator.file.hash.sha256": "3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2",
- "threatintel.indicator.type": "file",
- "threatintel.otx.title": "xor_0x20_xord_javascript"
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] Alienvault OTX",
+ "threat.indicator.file.hash.sha256": "3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -896,14 +996,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 8876, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -914,14 +1016,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 9065, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -932,14 +1036,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 9254, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -950,14 +1056,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 9443, + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -973,8 +1081,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "103.13.67.4", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "103.13.67.4", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -990,8 +1100,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "80.90.87.201", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "80.90.87.201", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1007,8 +1119,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "80.80.163.182", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "80.80.163.182", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1024,8 +1138,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "91.187.114.210", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "91.187.114.210", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1041,8 +1157,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "170.238.117.187", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "170.238.117.187", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -1058,8 +1176,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha256": "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d", - "threatintel.indicator.type": "file" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha256": "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1075,8 +1195,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "103.84.238.3", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "103.84.238.3", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1092,8 +1214,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "179.43.158.171", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "179.43.158.171", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1109,8 +1233,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "198.211.116.199", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "198.211.116.199", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -1121,14 +1247,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 10641, + "otx.title": "Trickbot", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "203.176.135.102", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.otx.title": "Trickbot" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "203.176.135.102", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1144,8 +1272,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "fotmailz.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "fotmailz.com" }, { "event.category": "threat", @@ -1161,8 +1291,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "pori89g5jqo3v8.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "pori89g5jqo3v8.com" }, { "event.category": "threat", @@ -1178,8 +1310,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "sebco.co.ke" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "sebco.co.ke" }, { "event.category": "threat", 
@@ -1190,14 +1324,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11077, + "otx.title": "Trickbot", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "177.74.232.124", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.otx.title": "Trickbot" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "177.74.232.124", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1213,8 +1349,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "chishir.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "chishir.com" }, { "event.category": "threat", @@ -1230,8 +1368,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "kostunivo.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "kostunivo.com" }, { "event.category": "threat", @@ -1247,8 +1387,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "mangoclone.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "mangoclone.com" }, { "event.category": "threat", 
@@ -1264,8 +1406,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "onixcellent.com" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "onixcellent.com" }, { "event.category": "threat", @@ -1276,14 +1420,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11618, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "fc0efd612ad528795472e99cae5944b68b8e26dc", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "fc0efd612ad528795472e99cae5944b68b8e26dc", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1294,14 +1440,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11774, + "otx.title": "Sf:ShellCode-DZ\\ [Trj]", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "24d4bbc982a6a561f0426a683b9617de1a96a74a", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Sf:ShellCode-DZ\\ [Trj]" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "24d4bbc982a6a561f0426a683b9617de1a96a74a", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -1312,14 +1460,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 11936, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "fa98074dc18ad7e2d357b5d168c00a91256d87d1", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "fa98074dc18ad7e2d357b5d168c00a91256d87d1", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1330,14 +1480,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 12092, + "otx.title": "Win64:Malware-gen", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.sha1": "e5dc7c8bfa285b61dda1618f0ade9c256be75d1a", - "threatintel.indicator.type": "file", - "threatintel.otx.title": "Win64:Malware-gen" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.sha1": "e5dc7c8bfa285b61dda1618f0ade9c256be75d1a", + "threat.indicator.type": "file" }, { "event.category": "threat", @@ -1348,14 +1500,16 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 12248, + "otx.title": "Trickbot", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "96.9.77.142", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.otx.title": "Trickbot" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "96.9.77.142", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -1371,8 +1525,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "36.89.106.69", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "36.89.106.69", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1388,8 +1544,10 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.ip": "96.9.73.73", - "threatintel.indicator.type": "ipv4-addr" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.ip": "96.9.73.73", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", @@ -1400,15 +1558,17 @@ "fileset.name": "otx", "input.type": "log", "log.offset": 12563, + "otx.description": "MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", + "otx.title": "xor_0x20_xord_javascript", "service.type": "threatintel", "tags": [ "forwarded", "threatintel-otx" ], - "threatintel.indicator.file.hash.md5": "10ec3571596c30b9993b89f12d29d23c", - "threatintel.indicator.type": "file", - "threatintel.otx.description": "MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", - "threatintel.otx.title": "xor_0x20_xord_javascript" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.file.hash.md5": "10ec3571596c30b9993b89f12d29d23c", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -1424,12 +1584,14 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "www.playboysplus.com", - "threatintel.indicator.url.full": "http://www.playboysplus.com", - "threatintel.indicator.url.original": "http://www.playboysplus.com", - "threatintel.indicator.url.path": "", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "www.playboysplus.com", + "threat.indicator.url.full": "http://www.playboysplus.com", + "threat.indicator.url.original": "http://www.playboysplus.com", + "threat.indicator.url.path": "", + "threat.indicator.url.scheme": "http" }, { "event.category": "threat", @@ -1445,12 +1607,14 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "join.playboysplus.com", - "threatintel.indicator.url.full": "http://join.playboysplus.com/signup/", - "threatintel.indicator.url.original": "http://join.playboysplus.com/signup/", - "threatintel.indicator.url.path": "/signup/", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "join.playboysplus.com", + "threat.indicator.url.full": "http://join.playboysplus.com/signup/", + "threat.indicator.url.original": "http://join.playboysplus.com/signup/", + "threat.indicator.url.path": "/signup/", + "threat.indicator.url.scheme": "http" }, { "event.category": "threat", 
@@ -1466,13 +1630,15 @@ "forwarded", "threatintel-otx" ], - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "api.vk.com", - "threatintel.indicator.url.extension": "get", - "threatintel.indicator.url.full": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", - "threatintel.indicator.url.original": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", - "threatintel.indicator.url.path": "/method/wall.get", - "threatintel.indicator.url.query": "count=1&owner_id=-81972386", - "threatintel.indicator.url.scheme": "http" + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] Alienvault OTX", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "api.vk.com", + "threat.indicator.url.extension": "get", + "threat.indicator.url.full": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", + "threat.indicator.url.original": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", + "threat.indicator.url.path": "/method/wall.get", + "threat.indicator.url.query": "count=1&owner_id=-81972386", + "threat.indicator.url.scheme": "http" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml index 08b2f682f3f..2c610e5379d 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml +++ b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml 
@@ -38,27 +38,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - - fingerprint: - fields: - - event.dataset - - json.entity.id - target_field: "@metadata._id" - encoding: base64 - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 - - script: - lang: javascript - id: set_opt_type - source: > - function process(event) { - event.Put("@metadata.op_type", "index"); - } +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml index 8e0a6d4b334..6247c0cd882 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml @@ -1,19 +1,14 @@ description: Pipeline for parsing Recorded Future threat intel. processors: - # - # Safeguard against feeding the pipeline with documents other - # that the ones generated by Filebeat's httpjson input. - # - - fail: - if: "ctx.json == null || !(ctx.json instanceof Map)" - message: "missing json object in input document" - # # Set basic ECS fields. # - set: field: event.ingested - value: "{{{ _ingest.timestamp }}}" + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment 
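Review bot: The removed `fingerprint` processor was what derived `@metadata._id` from `event.dataset` and `json.entity.id`, so repeated polls of the same Recorded Future list resulted in one document per indicator; nothing on the new side of this hunk, nor in the pipeline hunks below, sets a document id, so unless the fingerprint moved elsewhere in the patch every poll will now index duplicate indicator documents, inflating dashboard counts and indicator-match hits. The dropped `@metadata.op_type` script falls in the same category. Separately, the new `tags:` template emits each value unquoted (`- {{$val}}`) where the removed `{{.tags | tojson}}` quoted them, so a tag containing characters YAML treats specially (`:`, `#`, a leading `[`) would now break the generated input config; `- {{$val | tojson}}` keeps the old quoting.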
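Review bot: `ecs.version` is now set to `"1.12"`, while the value it replaces (the `add_fields` block removed from config.yml in the hunk above) was `1.12.0`; every document's stored value changes and no longer uses the three-part form, so either keep `value: "1.12.0"` or confirm the other threatintel filesets in this patch were switched to the two-part form as well. A short note on the `set` would also help, since the value used to live in the input config rather than the pipeline.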
@@ -24,14 +19,29 @@ processors: field: event.type value: indicator + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + + - set: + field: threat.feed.name + value: "[Filebeat] RecordedFuture" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" + # - # Map itype field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). + # Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). # - script: lang: painless if: "ctx.json.entity?.type != null" description: > - Map entity.type field to STIX 2.0 Cyber Observable values (threatintel.indicator.type). + Map entity.type field to STIX 2.0 Cyber Observable values (threat.indicator.type). params: IpAddress: ipv4-addr InternetDomainName: domain-name @@ -40,7 +50,7 @@ processors: source: > String mapping = params[ctx.json.entity.type]; if (mapping != null) { - ctx["threatintel_indicator_type"] = mapping; + ctx["threat_indicator_type"] = mapping; } on_failure: - append: 
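Review bot: The new `json` processor carries no `ignore_missing` or `on_failure` of its own, so an event whose `message` is absent or is not a JSON object now falls through to the pipeline-level `on_failure` (the `append` to `error.message` visible at the end of the last hunk) and is indexed with the error set, instead of being rejected the way the `fail` guard removed in the first hunk did; if that is the intended behaviour, a comment above the `json` step such as `# Non-JSON input is not rejected: it is indexed with error.message via the pipeline on_failure.` would stop the next reader from re-adding the guard. Also, `threat.feed.dashboard_id` is given the same value that the OTX expected output in this patch carries, so the field identifies a dashboard shared across feeds rather than a Recorded Future-specific one; confirm that is intentional, as the field name suggests a per-feed dashboard.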
@@ -48,24 +58,24 @@ processors: value: 'Unable to determine indicator type from "{{{ json.entity.type }}}": {{{ _ingest.on_failure_message }}}' - rename: - field: threatintel_indicator_type - target_field: threatintel.indicator.type + field: threat_indicator_type + target_field: threat.indicator.type ignore_missing: true # # Detect ipv6 for ipv4-addr types. # - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv6-addr - if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && ctx.json.entity.name.contains(":")' + if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && ctx.json.entity.name.contains(":")' # # Map first and last seen dates. # - date: field: json.timestamps.firstSeen - target_field: threatintel.indicator.first_seen + target_field: threat.indicator.first_seen formats: - ISO8601 if: "ctx.json.timestamps?.firstSeen != null" @@ -75,7 +85,7 @@ processors: value: 'Error parsing firstSeen field value "{{{ json.timestamps.firstSeen }}}": {{{ _ingest.on_failure_message }}}' - date: field: json.timestamps.lastSeen - target_field: threatintel.indicator.last_seen + target_field: threat.indicator.last_seen formats: - ISO8601 if: "ctx.json.timestamps?.lastSeen != null" 
@@ -89,20 +99,20 @@ processors: # - rename: field: json.location.location.city - target_field: threatintel.indicator.geo.city_name + target_field: threat.indicator.geo.city_name ignore_missing: true - rename: field: json.location.location.continent - target_field: threatintel.indicator.geo.continent_name + target_field: threat.indicator.geo.continent_name ignore_missing: true - rename: field: json.location.location.country - target_field: threatintel.indicator.geo.country_name + target_field: threat.indicator.geo.country_name ignore_missing: true - grok: field: json.location.asn patterns: - - "^(?:[Aa][Ss])?%{NUMBER:threatintel.indicator.as.number:long}$" + - "^(?:[Aa][Ss])?%{NUMBER:threat.indicator.as.number:long}$" ignore_missing: true on_failure: - append: @@ -110,10 +120,10 @@ processors: value: "Cannot parse asn field `{{{ json.location.asn }}}`: {{{ _ingest.on_failure_message }}}" - rename: field: json.location.organization - target_field: threatintel.indicator.as.organization.name + target_field: threat.indicator.as.organization.name ignore_missing: true - set: - field: threatintel.indicator.reference + field: threat.indicator.reference value: "{{{ json.intelCard }}}" ignore_empty_value: true - set: 
@@ -123,30 +133,30 @@ processors: - set: field: json.ip_range value: "{{{ json.entity.name }}}/32" - if: 'ctx.threatintel?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")' + if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")' - set: field: json.ip_range value: "{{{ json.entity.name }}}/128" - if: 'ctx.threatintel?.indicator?.type == "ipv6-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")' + if: 'ctx.threat?.indicator?.type == "ipv6-addr" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")' - set: field: json.ip_range value: "{{{json.entity.name}}}" if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && ctx.json.entity.name.contains("/")' - rename: field: json.entity.name - target_field: threatintel.indicator.ip + target_field: threat.indicator.ip if: 'ctx.json.entity?.type == "IpAddress" && ctx.json.entity.name != null && !ctx.json.entity.name.contains("/")' - rename: field: json.entity.name - target_field: threatintel.indicator.url.domain + target_field: threat.indicator.url.domain ignore_missing: true - if: 'ctx.threatintel?.indicator?.type == "domain-name" && ctx.threatintel?.indicator?.url?.domain == null' + if: 'ctx.threat?.indicator?.type == "domain-name" && ctx.threat?.indicator?.url?.domain == null' - uri_parts: field: json.entity.name - target_field: threatintel.indicator.url + target_field: threat.indicator.url keep_original: true remove_if_successful: true - if: 'ctx.threatintel?.indicator?.type == "url"' + if: 'ctx.threat?.indicator?.type == "url"' on_failure: - append: field: error.message 
@@ -157,10 +167,10 @@ processors: field: json.fileHashes value: "{{{ json.entity.name }}}" allow_duplicates: false - if: 'ctx.threatintel?.indicator?.type == "file"' + if: 'ctx.threat?.indicator?.type == "file"' - remove: field: json.entity.name - if: 'ctx.threatintel?.indicator?.type == "file"' + if: 'ctx.threat?.indicator?.type == "file"' - script: lang: painless description: > @@ -187,7 +197,7 @@ processors: value: "Failed to map fileHashes field: {{ _ingest.on_failure_message }}" - rename: field: _hashes - target_field: threatintel.indicator.file.hash + target_field: threat.indicator.file.hash ignore_missing: true # @@ -213,11 +223,48 @@ processors: - message ignore_missing: true # - # Save fields without an ECS mapping under `threatintel.recordedfuture`. + # Save fields without an ECS mapping under `recordedfuture`. # - rename: field: json - target_field: threatintel.recordedfuture + target_field: recordedfuture + + ###################### + # Cleanup processors # + ###################### + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - set: + field: threat.indicator.type + value: unknown + if: ctx.threat?.indicator?.type == null + - script: + lang: painless + if: ctx.recordedfuture != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml b/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml index 93df3884160..da8a88e19da 100644 
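Review bot: In the cleanup hunk, the null-stripping script is gated on `ctx.recordedfuture != null` but walks the whole document (`handleMap(ctx)`), and `handleList` only recurses — it never calls `removeIf` — so null elements inside arrays (for instance in `recordedfuture.risk.evidenceDetails`) survive while null map values anywhere in the event are dropped. If only the vendor fields are meant to be cleaned, call `handleMap(ctx.recordedfuture);` and add `list.removeIf(v -> v == null);` at the end of `handleList`; if the whole event is the target, the `if:` guard is misleading and a comment such as `# Strip null values from the whole event; the guard only skips events with no parsed payload.` should say so. The script also lacks the `description:` the other painless scripts in this file carry.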
--- a/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/manifest.yml
@@ -14,6 +14,8 @@ var:
 default: [threatintel-recordedfuture, forwarded]
 - name: proxy_url
 - name: api_token
+ - name: preserve_original_event
+ default: false
 ingest_pipeline:
 - ingest/pipeline.yml
 input: config/config.yml
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
index 29b0a8ed4a5..7da98ffcc29 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/domain.ndjson.log-expected.json
@@ -9,26 +9,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 0, + "recordedfuture.entity.id": "idn:16url-gy.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2016-07-25T20:29:32.750Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.901Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "16url-gy.example.net", - "threatintel.recordedfuture.entity.id": "idn:16url-gy.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2016-07-25T20:29:32.750Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.901Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A16url-gy.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "16url-gy.example.net" }, { "event.category": "threat", 
@@ -40,26 +42,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 482, + "recordedfuture.entity.id": "idn:b999f.example.org", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2012-11-21T01:54:04.292Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.812Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "b999f.example.org", - "threatintel.recordedfuture.entity.id": "idn:b999f.example.org", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2012-11-21T01:54:04.292Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.812Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ab999f.example.org", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "b999f.example.org" }, { "event.category": "threat", 
@@ -71,26 +75,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 955, + "recordedfuture.entity.id": "idn:c422.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2018-02-21T13:53:46.470Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.778Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "c422.example.net", - "threatintel.recordedfuture.entity.id": "idn:c422.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2018-02-21T13:53:46.470Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.778Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac422.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "c422.example.net" }, { "event.category": "threat", 
@@ -102,26 +108,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1425, + "recordedfuture.entity.id": "idn:8rwcvgjsp.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2016-08-15T11:56:24.964Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.747Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "8rwcvgjsp.example.net", - "threatintel.recordedfuture.entity.id": "idn:8rwcvgjsp.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2016-08-15T11:56:24.964Z", + "threat.indicator.last_seen": 
"2021-06-20T18:23:47.747Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A8rwcvgjsp.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "8rwcvgjsp.example.net" }, { "event.category": "threat", 
@@ -133,26 +141,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1910, + "recordedfuture.entity.id": "idn:c9px.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2016-06-29T21:06:06.066Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.460Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "c9px.example.net", - "threatintel.recordedfuture.entity.id": "idn:c9px.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2016-06-29T21:06:06.066Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.460Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Ac9px.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "c9px.example.net" }, { "event.category": "threat", 
@@ -164,26 +174,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2380, + "recordedfuture.entity.id": "idn:ttj1i9z7.example.com", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2018-09-20T03:26:08.564Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "ttj1i9z7.example.com", - "threatintel.recordedfuture.entity.id": "idn:ttj1i9z7.example.com", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2018-09-20T03:26:08.564Z", + "threat.indicator.last_seen": 
"2021-06-20T18:23:47.373Z", + "threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Attj1i9z7.example.com", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "ttj1i9z7.example.com" }, { "event.category": "threat", 
@@ -195,26 +207,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2862, + "recordedfuture.entity.id": "idn:7pgc.example.org", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2017-02-23T17:44:16.104Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "7pgc.example.org", - "threatintel.recordedfuture.entity.id": "idn:7pgc.example.org", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2017-02-23T17:44:16.104Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A7pgc.example.org", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "7pgc.example.org" }, { "event.category": "threat", 
@@ -226,26 +240,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 3332, + "recordedfuture.entity.id": "idn:xm5u434.example.net", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2017-04-10T06:55:27.658Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "xm5u434.example.net", - "threatintel.recordedfuture.entity.id": "idn:xm5u434.example.net", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2017-04-10T06:55:27.658Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Axm5u434.example.net", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "xm5u434.example.net" }, { "event.category": "threat", 
@@ -257,26 +273,28 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 3811, + "recordedfuture.entity.id": "idn:gpgju.example.com", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2018-07-27T15:22:39.390Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:47.373Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "gpgju.example.com", - "threatintel.recordedfuture.entity.id": "idn:gpgju.example.com", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2018-07-27T15:22:39.390Z", + "threat.indicator.last_seen": "2021-06-20T18:23:47.373Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3Agpgju.example.com", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "gpgju.example.com" }, { "event.category": "threat", 
@@ -288,25 +306,27 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 4284, + "recordedfuture.entity.id": "idn:55g.example.com", + "recordedfuture.entity.type": "InternetDomainName", + "recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/44", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.first_seen": "2021-01-10T21:24:38.353Z", - "threatintel.indicator.last_seen": "2021-06-20T18:23:45.025Z", - "threatintel.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", - "threatintel.indicator.type": "domain-name", - "threatintel.indicator.url.domain": "55g.example.com", - "threatintel.recordedfuture.entity.id": "idn:55g.example.com", - "threatintel.recordedfuture.entity.type": "InternetDomainName", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/44", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-01-10T21:24:38.353Z", + "threat.indicator.last_seen": "2021-06-20T18:23:45.025Z", + 
"threat.indicator.reference": "https://app.recordedfuture.com.local/live/sc/entity/idn%3A55g.example.com", + "threat.indicator.type": "domain-name", + "threat.indicator.url.domain": "55g.example.com" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json index dbc47e31767..cf8b9c1b23e 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/hash.ndjson.log-expected.json 
@@ -9,24 +9,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 0, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "25328d1a481903f2d900479570842247", - "threatintel.indicator.file.hash.sha1": "d73c663e2ac0c7a14ca0e2681dd599b2e7a24f65", - "threatintel.indicator.file.hash.sha256": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.503Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.503Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -44,10 +32,24 @@ "timestamp": "2021-06-20T18:40:18.503Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "25328d1a481903f2d900479570842247", + "threat.indicator.file.hash.sha1": "d73c663e2ac0c7a14ca0e2681dd599b2e7a24f65", + "threat.indicator.file.hash.sha256": "dec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "threat.indicator.first_seen": "2021-06-20T18:40:18.503Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.503Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Adec3a20fa1493c8e669b26d3f8b6084b34fda9906c978f9f12fb43f76504b5d6", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -59,24 +61,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1478, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "7b8d9afd032f0c253b7dd68aca6fb50b", - "threatintel.indicator.file.hash.sha1": "f9ece49c249aabab29fd9c2193d897b7d131ed17", - "threatintel.indicator.file.hash.sha256": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.452Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.452Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -94,10 +84,24 @@ "timestamp": "2021-06-20T18:40:18.452Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "7b8d9afd032f0c253b7dd68aca6fb50b", + "threat.indicator.file.hash.sha1": "f9ece49c249aabab29fd9c2193d897b7d131ed17", + "threat.indicator.file.hash.sha256": "4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "threat.indicator.first_seen": "2021-06-20T18:40:18.452Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.452Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A4014355fdfee5fe9e01f3a84356d743c022cd75510f6c96ffe16fb332855d6f2", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -109,24 +113,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2954, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "7b65b50ed4554c86cb777e35e7750209", - "threatintel.indicator.file.hash.sha1": "e10942ba3fbb937c90c7cb3e39c06a13324981a8", - "threatintel.indicator.file.hash.sha256": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.343Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.343Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -144,10 +136,24 @@ "timestamp": "2021-06-20T18:40:18.343Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "7b65b50ed4554c86cb777e35e7750209", + "threat.indicator.file.hash.sha1": "e10942ba3fbb937c90c7cb3e39c06a13324981a8", + "threat.indicator.file.hash.sha256": "299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "threat.indicator.first_seen": "2021-06-20T18:40:18.343Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.343Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A299e7a30217e2137854308e7be79227635f409b0e00897cfff11806ad8449cc5", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -159,24 +165,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 4457, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.file.hash.md5": "c6353df35499ca6934da2169b7bd1635", - "threatintel.indicator.file.hash.sha1": "3e208c649da0a9efbde7bbde6eece2142fdac3f9", - "threatintel.indicator.file.hash.sha256": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.indicator.first_seen": "2021-06-20T18:40:18.258Z", - "threatintel.indicator.last_seen": "2021-06-20T18:40:18.258Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.indicator.type": "file", - "threatintel.recordedfuture.entity.id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.recordedfuture.entity.type": "Hash", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", - "threatintel.recordedfuture.risk.criticality": 3, - "threatintel.recordedfuture.risk.criticalityLabel": "Malicious", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "hash:e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "recordedfuture.entity.type": "Hash", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "recordedfuture.risk.criticality": 3, + "recordedfuture.risk.criticalityLabel": "Malicious", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 3, "criticalityLabel": "Malicious", 
@@ -194,10 +188,24 @@ "timestamp": "2021-06-20T18:40:18.257Z" } ], - "threatintel.recordedfuture.risk.riskString": "2/14", - "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 2, - "threatintel.recordedfuture.risk.score": 65 + "recordedfuture.risk.riskString": "2/14", + "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.", + "recordedfuture.risk.rules": 2, + "recordedfuture.risk.score": 65, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.file.hash.md5": "c6353df35499ca6934da2169b7bd1635", + "threat.indicator.file.hash.sha1": "3e208c649da0a9efbde7bbde6eece2142fdac3f9", + "threat.indicator.file.hash.sha256": "e5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "threat.indicator.first_seen": "2021-06-20T18:40:18.258Z", + "threat.indicator.last_seen": "2021-06-20T18:40:18.258Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ae5c73c63ba71659fbb9e0670cc203532aa61e3b8fa51f70ee5ce37b66784cd61", + "threat.indicator.type": "file" }, { "event.category": "threat", 
@@ -209,24 +217,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 5932,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "3d568bd03766a8d47c8fabb7d392c32e",
- "threatintel.indicator.file.hash.sha1": "3ea8b08bc9ed3009a4d6a0ab5851b8e3fc10ead2",
- "threatintel.indicator.file.hash.sha256": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.131Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.131Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 3,
 "criticalityLabel": "Malicious",
@@ -236,10 +232,24 @@
 "timestamp": "2021-06-19T17:39:24.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/14",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "1/14",
+ "recordedfuture.risk.riskSummary": "1 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "3d568bd03766a8d47c8fabb7d392c32e",
+ "threat.indicator.file.hash.sha1": "3ea8b08bc9ed3009a4d6a0ab5851b8e3fc10ead2",
+ "threat.indicator.file.hash.sha256": "184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.131Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.131Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A184527a5436086cff0c06197330089f7964a9b6b8fc86327e6778363b7297ef1",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -251,24 +261,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 7054,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "a40e91f2d29616076114eea0f2a693af",
- "threatintel.indicator.file.hash.sha1": "e38ccd47629c1b75385a83fbfbba0ea7f3b3a705",
- "threatintel.indicator.file.hash.sha256": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.093Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.093Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 3,
 "criticalityLabel": "Malicious",
@@ -286,10 +284,24 @@
 "timestamp": "2021-06-20T18:40:18.093Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "a40e91f2d29616076114eea0f2a693af",
+ "threat.indicator.file.hash.sha1": "e38ccd47629c1b75385a83fbfbba0ea7f3b3a705",
+ "threat.indicator.file.hash.sha256": "1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.093Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.093Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A1136b8991c6f180a6c67eaff7c2a998d67dbcadc2d9cf5a3f816de03503817a8",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -301,24 +313,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 8550,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "02062782c7eeaff185ea6966460f7c9a",
- "threatintel.indicator.file.hash.sha1": "64355796dc38992ca5e434682ddbf63bdfabeb4e",
- "threatintel.indicator.file.hash.sha256": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.070Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.070Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 3,
 "criticalityLabel": "Malicious",
@@ -336,10 +336,24 @@
 "timestamp": "2021-06-20T18:40:18.070Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "02062782c7eeaff185ea6966460f7c9a",
+ "threat.indicator.file.hash.sha1": "64355796dc38992ca5e434682ddbf63bdfabeb4e",
+ "threat.indicator.file.hash.sha256": "bf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.070Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.070Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Abf325093d87f746c297b2752c38a41a8f41b32aca01146b3632e24e90cdd14a1",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -351,24 +365,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 10020,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "bdd205ffc81c54e7cc1a9080cfa093e4",
- "threatintel.indicator.file.hash.sha1": "a6b928fd6fee43495b96941ef80b25d074f6e0e2",
- "threatintel.indicator.file.hash.sha256": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:18.011Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:18.011Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 3,
 "criticalityLabel": "Malicious",
@@ -386,10 +388,24 @@
 "timestamp": "2021-06-20T18:40:18.010Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "bdd205ffc81c54e7cc1a9080cfa093e4",
+ "threat.indicator.file.hash.sha1": "a6b928fd6fee43495b96941ef80b25d074f6e0e2",
+ "threat.indicator.file.hash.sha256": "c06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
+ "threat.indicator.first_seen": "2021-06-20T18:40:18.011Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:18.011Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac06f58340d8e7b1f466942db18f67b5eb048c9adc45d843db370c836e125e3f9",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -401,24 +417,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 11492,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "af45390e39574cdb037d684074e6a542",
- "threatintel.indicator.file.hash.sha1": "f6a14c7424604cd51ba6a6d3f7594ec762f48645",
- "threatintel.indicator.file.hash.sha256": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:17.964Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:17.964Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 3,
 "criticalityLabel": "Malicious",
@@ -436,10 +440,24 @@
 "timestamp": "2021-06-20T18:40:17.964Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "af45390e39574cdb037d684074e6a542",
+ "threat.indicator.file.hash.sha1": "f6a14c7424604cd51ba6a6d3f7594ec762f48645",
+ "threat.indicator.file.hash.sha256": "c878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
+ "threat.indicator.first_seen": "2021-06-20T18:40:17.964Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:17.964Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3Ac878bdb6c62ace8f001f979f7c7b2c6b38d135ac1c69bfa63785bf86721619fc",
+ "threat.indicator.type": "file"
 },
 {
 "event.category": "threat",
@@ -451,24 +469,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 12964,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.file.hash.md5": "5b8bcd367f802cd104210bb47abb3ab1",
- "threatintel.indicator.file.hash.sha1": "b40d1796bd6974860ce6be691152ad963300c711",
- "threatintel.indicator.file.hash.sha256": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
- "threatintel.indicator.first_seen": "2021-06-20T18:40:17.919Z",
- "threatintel.indicator.last_seen": "2021-06-20T18:40:17.919Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
- "threatintel.indicator.type": "file",
- "threatintel.recordedfuture.entity.id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
- "threatintel.recordedfuture.entity.type": "Hash",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
- "threatintel.recordedfuture.risk.criticality": 3,
- "threatintel.recordedfuture.risk.criticalityLabel": "Malicious",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "hash:0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
+ "recordedfuture.entity.type": "Hash",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
+ "recordedfuture.risk.criticality": 3,
+ "recordedfuture.risk.criticalityLabel": "Malicious",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 3,
 "criticalityLabel": "Malicious",
@@ -486,9 +492,23 @@
 "timestamp": "2021-06-20T18:40:17.919Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "2/14",
- "threatintel.recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 2,
- "threatintel.recordedfuture.risk.score": 65
+ "recordedfuture.risk.riskString": "2/14",
+ "recordedfuture.risk.riskSummary": "2 of 14 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 2,
+ "recordedfuture.risk.score": 65,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.file.hash.md5": "5b8bcd367f802cd104210bb47abb3ab1",
+ "threat.indicator.file.hash.sha1": "b40d1796bd6974860ce6be691152ad963300c711",
+ "threat.indicator.file.hash.sha256": "0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
+ "threat.indicator.first_seen": "2021-06-20T18:40:17.919Z",
+ "threat.indicator.last_seen": "2021-06-20T18:40:17.919Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/hash%3A0996575c7d2f07513d0dafe67ddde9805bbea35cf9d98edf8faf12c0e7f4334c",
+ "threat.indicator.type": "file"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json
index 74488f715da..c46c3e2a51f 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/ip.ndjson.log-expected.json
@@ -9,32 +9,34 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 0,
+ "recordedfuture.entity.id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
+ "recordedfuture.entity.name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
+ "recordedfuture.ip_range": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.as.number": 31287,
- "threatintel.indicator.as.organization.name": "IPACCT CABLE Ltd",
- "threatintel.indicator.first_seen": "2021-04-18T00:11:48.512Z",
- "threatintel.indicator.geo.city_name": "Radnevo",
- "threatintel.indicator.geo.continent_name": "Europe",
- "threatintel.indicator.geo.country_name": "Bulgaria",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:32.897Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
- "threatintel.indicator.type": "ipv6-addr",
- "threatintel.recordedfuture.entity.id": "ip:2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
- "threatintel.recordedfuture.entity.name": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
- "threatintel.recordedfuture.ip_range": "2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 31287,
+ "threat.indicator.as.organization.name": "IPACCT CABLE Ltd",
+ "threat.indicator.first_seen": "2021-04-18T00:11:48.512Z",
+ "threat.indicator.geo.city_name": "Radnevo",
+ "threat.indicator.geo.continent_name": "Europe",
+ "threat.indicator.geo.country_name": "Bulgaria",
+ "threat.indicator.last_seen": "2021-06-19T19:40:32.897Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:cdb4:ff33:c406:fcdc:6961:c8af/21",
+ "threat.indicator.type": "ipv6-addr"
 },
 {
 "event.category": "threat",
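Review bot: The first record on the new side still has no `threat.indicator.ip` for the `/21` network — only `recordedfuture.ip_range` and `recordedfuture.entity.name` carry the prefix — while `threat.indicator.type` is set to `ipv6-addr` as if it were a single address. Any indicator-match rule or enrichment keyed on `threat.indicator.ip` will therefore never see this entry, and the type value misdescribes a prefix; the other records in this file, which are single hosts with `/32` or `/128` ranges, do get `threat.indicator.ip`. This shape is inherited from the old side, so the gap is in the recordedfuture ingest pipeline outside this diff rather than in the rename itself; I would have the pipeline either expose the prefix in a range-capable ECS field or, failing that, leave `threat.indicator.type` unset for network entities, and regenerate this expected file from that. Until then a one-line note in the module docs saying that CIDR entities from this feed are not matchable on `threat.indicator.ip` would spare analysts a false sense of coverage.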
@@ -46,32 +48,33 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 763,
+ "recordedfuture.entity.id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "recordedfuture.ip_range": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071/128",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.as.number": 197207,
- "threatintel.indicator.as.organization.name": "Mobile Communication Company of Iran PLC",
- "threatintel.indicator.first_seen": "2021-06-19T17:55:58.019Z",
- "threatintel.indicator.geo.city_name": null,
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "Iran",
- "threatintel.indicator.ip": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:32.839Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.indicator.type": "ipv6-addr",
- "threatintel.recordedfuture.entity.id": "ip:2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
- "threatintel.recordedfuture.ip_range": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071/128",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 197207,
+ "threat.indicator.as.organization.name": "Mobile Communication Company of Iran PLC",
+ "threat.indicator.first_seen": "2021-06-19T17:55:58.019Z",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "Iran",
+ "threat.indicator.ip": "2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "threat.indicator.last_seen": "2021-06-19T19:40:32.839Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:f800:5c3f:c9f8:fbf8:d537:9071",
+ "threat.indicator.type": "ipv6-addr"
 },
 {
 "event.category": "threat",
@@ -83,31 +86,29 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 1531,
+ "recordedfuture.entity.id": "ip:203.0.113.55",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
+ "recordedfuture.ip_range": "203.0.113.55/32",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.as.organization.name": null,
- "threatintel.indicator.first_seen": "2021-06-19T19:40:30.596Z",
- "threatintel.indicator.geo.city_name": null,
- "threatintel.indicator.geo.continent_name": null,
- "threatintel.indicator.geo.country_name": null,
- "threatintel.indicator.ip": "203.0.113.55",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:30.596Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:203.0.113.55",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
- "threatintel.recordedfuture.ip_range": "203.0.113.55/32",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-19T19:40:30.596Z",
+ "threat.indicator.ip": "203.0.113.55",
+ "threat.indicator.last_seen": "2021-06-19T19:40:30.596Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.55",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -119,32 +120,34 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 2161,
+ "recordedfuture.entity.id": "ip:203.0.113.108",
+ "recordedfuture.entity.type": "IpAddress",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
+ "recordedfuture.ip_range": "203.0.113.108/32",
+ "recordedfuture.risk.criticality": 0,
+ "recordedfuture.risk.criticalityLabel": "None",
+ "recordedfuture.risk.evidenceDetails": [],
+ "recordedfuture.risk.riskString": "0/54",
+ "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
+ "recordedfuture.risk.rules": 0,
+ "recordedfuture.risk.score": 0,
 "service.type": "threatintel",
 "tags": [
 "forwarded",
 "threatintel-recordedfuture"
 ],
- "threatintel.indicator.as.number": 17622,
- "threatintel.indicator.as.organization.name": "China Unicom Guangzhou network",
- "threatintel.indicator.first_seen": "2021-06-19T19:40:20.534Z",
- "threatintel.indicator.geo.city_name": "Guangzhou",
- "threatintel.indicator.geo.continent_name": "Asia",
- "threatintel.indicator.geo.country_name": "China",
- "threatintel.indicator.ip": "203.0.113.108",
- "threatintel.indicator.last_seen": "2021-06-19T19:40:20.534Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.recordedfuture.entity.id": "ip:203.0.113.108",
- "threatintel.recordedfuture.entity.type": "IpAddress",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
- "threatintel.recordedfuture.ip_range": "203.0.113.108/32",
- "threatintel.recordedfuture.risk.criticality": 0,
- "threatintel.recordedfuture.risk.criticalityLabel": "None",
- "threatintel.recordedfuture.risk.evidenceDetails": [],
- "threatintel.recordedfuture.risk.riskString": "0/54",
- "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.",
- "threatintel.recordedfuture.risk.rules": 0,
- "threatintel.recordedfuture.risk.score": 0
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.as.number": 17622,
+ "threat.indicator.as.organization.name": "China Unicom Guangzhou network",
+ "threat.indicator.first_seen": "2021-06-19T19:40:20.534Z",
+ "threat.indicator.geo.city_name": "Guangzhou",
+ "threat.indicator.geo.continent_name": "Asia",
+ "threat.indicator.geo.country_name": "China",
+ "threat.indicator.ip": "203.0.113.108",
+ "threat.indicator.last_seen": "2021-06-19T19:40:20.534Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.108",
+ "threat.indicator.type": "ipv4-addr"
 },
 {
 "event.category": "threat",
@@ -156,32 +159,33 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2851, + "recordedfuture.entity.id": "ip:203.0.113.139", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", + "recordedfuture.ip_range": "203.0.113.139/32", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/54", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.as.number": 7713, - "threatintel.indicator.as.organization.name": "PT Telekomunikasi Indonesia", - "threatintel.indicator.first_seen": "2016-06-23T07:39:06.418Z", - "threatintel.indicator.geo.city_name": null, - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "Indonesia", - "threatintel.indicator.ip": "203.0.113.139", - "threatintel.indicator.last_seen": "2021-06-19T19:40:03.882Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:203.0.113.139", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", - "threatintel.recordedfuture.ip_range": "203.0.113.139/32", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/54", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - 
"threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 7713, + "threat.indicator.as.organization.name": "PT Telekomunikasi Indonesia", + "threat.indicator.first_seen": "2016-06-23T07:39:06.418Z", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "Indonesia", + "threat.indicator.ip": "203.0.113.139", + "threat.indicator.last_seen": "2021-06-19T19:40:03.882Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.139", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -193,32 +197,34 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 3532, + "recordedfuture.entity.id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + "recordedfuture.ip_range": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a/128", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/54", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.as.number": 17622, - "threatintel.indicator.as.organization.name": "China Unicom Guangzhou network", - "threatintel.indicator.first_seen": "2021-06-19T19:40:02.557Z", - "threatintel.indicator.geo.city_name": "Guangzhou", - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "China", - "threatintel.indicator.ip": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a", - "threatintel.indicator.last_seen": "2021-06-19T19:40:02.557Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", - "threatintel.indicator.type": "ipv6-addr", - "threatintel.recordedfuture.entity.id": "ip:2001:db8:bf58:c5c3:7a06:5267:82e0:621a", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", - "threatintel.recordedfuture.ip_range": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a/128", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - 
"threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/54", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - "threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 17622, + "threat.indicator.as.organization.name": "China Unicom Guangzhou network", + "threat.indicator.first_seen": "2021-06-19T19:40:02.557Z", + "threat.indicator.geo.city_name": "Guangzhou", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "China", + "threat.indicator.ip": "2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + "threat.indicator.last_seen": "2021-06-19T19:40:02.557Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A2001:db8:bf58:c5c3:7a06:5267:82e0:621a", + "threat.indicator.type": "ipv6-addr" }, { "event.category": "threat", 
@@ -230,32 +236,34 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 4295, + "recordedfuture.entity.id": "ip:192.0.2.147", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147", + "recordedfuture.ip_range": "192.0.2.147/32", + "recordedfuture.risk.criticality": 0, + "recordedfuture.risk.criticalityLabel": "None", + "recordedfuture.risk.evidenceDetails": [], + "recordedfuture.risk.riskString": "0/54", + "recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", + "recordedfuture.risk.rules": 0, + "recordedfuture.risk.score": 0, "service.type": "threatintel", "tags": [ "forwarded", "threatintel-recordedfuture" ], - "threatintel.indicator.as.number": 4837, - "threatintel.indicator.as.organization.name": "CHINA UNICOM China169 Backbone", - "threatintel.indicator.first_seen": "2017-12-20T02:21:07.734Z", - "threatintel.indicator.geo.city_name": "Zhengzhou", - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "China", - "threatintel.indicator.ip": "192.0.2.147", - "threatintel.indicator.last_seen": "2021-06-19T19:39:43.160Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:192.0.2.147", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147", - "threatintel.recordedfuture.ip_range": "192.0.2.147/32", - "threatintel.recordedfuture.risk.criticality": 0, - "threatintel.recordedfuture.risk.criticalityLabel": "None", - "threatintel.recordedfuture.risk.evidenceDetails": [], - "threatintel.recordedfuture.risk.riskString": "0/54", - "threatintel.recordedfuture.risk.riskSummary": "No Risk Rules are currently observed.", - 
"threatintel.recordedfuture.risk.rules": 0, - "threatintel.recordedfuture.risk.score": 0 + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 4837, + "threat.indicator.as.organization.name": "CHINA UNICOM China169 Backbone", + "threat.indicator.first_seen": "2017-12-20T02:21:07.734Z", + "threat.indicator.geo.city_name": "Zhengzhou", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "China", + "threat.indicator.ip": "192.0.2.147", + "threat.indicator.last_seen": "2021-06-19T19:39:43.160Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.147", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -267,28 +275,13 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 4972, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.as.number": 9829, - "threatintel.indicator.as.organization.name": "National Internet Backbone", - "threatintel.indicator.first_seen": "2019-12-24T09:54:02.935Z", - "threatintel.indicator.geo.city_name": "Palakkad", - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "India", - "threatintel.indicator.ip": "203.0.113.198", - "threatintel.indicator.last_seen": "2021-06-19T19:39:25.532Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:203.0.113.198", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198", - "threatintel.recordedfuture.ip_range": "203.0.113.198/32", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "ip:203.0.113.198", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198", + "recordedfuture.ip_range": "203.0.113.198/32", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", 
@@ -298,10 +291,27 @@ "timestamp": "2019-12-24T09:53:13.546Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/54", - "threatintel.recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/54", + "recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 9829, + "threat.indicator.as.organization.name": "National Internet Backbone", + "threat.indicator.first_seen": "2019-12-24T09:54:02.935Z", + "threat.indicator.geo.city_name": "Palakkad", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "India", + "threat.indicator.ip": "203.0.113.198", + "threat.indicator.last_seen": "2021-06-19T19:39:25.532Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A203.0.113.198", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -313,28 +323,13 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 5970, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.as.number": 9829, - "threatintel.indicator.as.organization.name": "National Internet Backbone", - "threatintel.indicator.first_seen": "2020-03-03T08:10:28.489Z", - "threatintel.indicator.geo.city_name": "Bangalore", - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "India", - "threatintel.indicator.ip": "192.0.2.179", - "threatintel.indicator.last_seen": "2021-06-19T19:39:11.694Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:192.0.2.179", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179", - "threatintel.recordedfuture.ip_range": "192.0.2.179/32", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "ip:192.0.2.179", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179", + "recordedfuture.ip_range": "192.0.2.179/32", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", 
@@ -360,10 +355,27 @@ "timestamp": "2021-06-21T19:53:19.897Z" } ], - "threatintel.recordedfuture.risk.riskString": "3/54", - "threatintel.recordedfuture.risk.riskSummary": "3 of 54 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 3, - "threatintel.recordedfuture.risk.score": 15 + "recordedfuture.risk.riskString": "3/54", + "recordedfuture.risk.riskSummary": "3 of 54 Risk Rules currently observed.", + "recordedfuture.risk.rules": 3, + "recordedfuture.risk.score": 15, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 9829, + "threat.indicator.as.organization.name": "National Internet Backbone", + "threat.indicator.first_seen": "2020-03-03T08:10:28.489Z", + "threat.indicator.geo.city_name": "Bangalore", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "India", + "threat.indicator.ip": "192.0.2.179", + "threat.indicator.last_seen": "2021-06-19T19:39:11.694Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.179", + "threat.indicator.type": "ipv4-addr" }, { "event.category": "threat", 
@@ -375,28 +387,13 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 7483, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.as.number": 45899, - "threatintel.indicator.as.organization.name": "VNPT Corp", - "threatintel.indicator.first_seen": "2021-06-19T19:38:57.372Z", - "threatintel.indicator.geo.city_name": "Long Phu", - "threatintel.indicator.geo.continent_name": "Asia", - "threatintel.indicator.geo.country_name": "Vietnam", - "threatintel.indicator.ip": "192.0.2.245", - "threatintel.indicator.last_seen": "2021-06-19T19:38:57.372Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245", - "threatintel.indicator.type": "ipv4-addr", - "threatintel.recordedfuture.entity.id": "ip:192.0.2.245", - "threatintel.recordedfuture.entity.type": "IpAddress", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245", - "threatintel.recordedfuture.ip_range": "192.0.2.245/32", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "ip:192.0.2.245", + "recordedfuture.entity.type": "IpAddress", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245", + "recordedfuture.ip_range": "192.0.2.245/32", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", 
@@ -406,9 +403,26 @@ "timestamp": "2021-06-19T19:50:20.162Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/54", - "threatintel.recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/54", + "recordedfuture.risk.riskSummary": "1 of 54 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.as.number": 45899, + "threat.indicator.as.organization.name": "VNPT Corp", + "threat.indicator.first_seen": "2021-06-19T19:38:57.372Z", + "threat.indicator.geo.city_name": "Long Phu", + "threat.indicator.geo.continent_name": "Asia", + "threat.indicator.geo.country_name": "Vietnam", + "threat.indicator.ip": "192.0.2.245", + "threat.indicator.last_seen": "2021-06-19T19:38:57.372Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/ip%3A192.0.2.245", + "threat.indicator.type": "ipv4-addr" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json index 779d86ae965..f840643fef3 100644 --- a/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/recordedfuture/test/url.ndjson.log-expected.json 
@@ -9,26 +9,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 0, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "d6s.example.net", - "threatintel.indicator.url.original": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", - "threatintel.indicator.url.path": "/nzy/vvc68ke", - "threatintel.indicator.url.query": "p5uxwn=1bj", - "threatintel.indicator.url.scheme": "https", - "threatintel.recordedfuture.entity.id": "url:https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", 
@@ -38,10 +24,26 @@ "timestamp": "2021-04-15T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "d6s.example.net", + "threat.indicator.url.original": "https://d6s.example.net/nzy/vvc68ke?p5uxwn=1bj", + "threat.indicator.url.path": "/nzy/vvc68ke", + "threat.indicator.url.query": "p5uxwn=1bj", + "threat.indicator.url.scheme": "https" }, { "event.category": "threat", 
@@ -53,26 +55,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 874, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "ga7v9u.example.org", - "threatintel.indicator.url.original": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", - "threatintel.indicator.url.path": "/bnqv8e2v8/qb49", - "threatintel.indicator.url.query": "7kq=iw61", - "threatintel.indicator.url.scheme": "https", - "threatintel.recordedfuture.entity.id": "url:https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", 
@@ -82,10 +70,26 @@ "timestamp": "2021-02-14T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "ga7v9u.example.org", + "threat.indicator.url.original": "https://ga7v9u.example.org/bnqv8e2v8/qb49?7kq=iw61", + "threat.indicator.url.path": "/bnqv8e2v8/qb49", + "threat.indicator.url.query": "7kq=iw61", + "threat.indicator.url.scheme": "https" }, { "event.category": "threat", 
@@ -97,26 +101,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 1760, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "cdmw.example.net", - "threatintel.indicator.url.original": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", - "threatintel.indicator.url.path": "/c20fwa/wwn", - "threatintel.indicator.url.query": "dlz53=z6ovc", - "threatintel.indicator.url.scheme": "https", - "threatintel.recordedfuture.entity.id": "url:https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", 
@@ -126,10 +116,26 @@ "timestamp": "2021-05-15T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "cdmw.example.net", + "threat.indicator.url.original": "https://cdmw.example.net/c20fwa/wwn?dlz53=z6ovc", + "threat.indicator.url.path": "/c20fwa/wwn", + "threat.indicator.url.query": "dlz53=z6ovc", + "threat.indicator.url.scheme": "https" }, { "event.category": "threat", 
@@ -141,26 +147,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 2627, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "4mne.example.local", - "threatintel.indicator.url.original": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", - "threatintel.indicator.url.path": "/ns2rk8f/wngtk2xz", - "threatintel.indicator.url.query": "vceuk7wl6=3p0", - "threatintel.indicator.url.scheme": "https", - "threatintel.recordedfuture.entity.id": "url:https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", 
@@ -170,10 +162,26 @@ "timestamp": "2021-02-14T00:00:00.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "4mne.example.local", + "threat.indicator.url.original": "https://4mne.example.local/ns2rk8f/wngtk2xz?vceuk7wl6=3p0", + "threat.indicator.url.path": "/ns2rk8f/wngtk2xz", + "threat.indicator.url.query": "vceuk7wl6=3p0", + "threat.indicator.url.scheme": "https" }, { "event.category": "threat", 
@@ -185,26 +193,12 @@ "fileset.name": "recordedfuture", "input.type": "log", "log.offset": 3524, - "service.type": "threatintel", - "tags": [ - "forwarded", - "threatintel-recordedfuture" - ], - "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z", - "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z", - "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", - "threatintel.indicator.type": "url", - "threatintel.indicator.url.domain": "z198hloc8.example.com", - "threatintel.indicator.url.original": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", - "threatintel.indicator.url.path": "/f8ih39/f6kou", - "threatintel.indicator.url.query": "f6-u3=uwhii", - "threatintel.indicator.url.scheme": "http", - "threatintel.recordedfuture.entity.id": "url:http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", - "threatintel.recordedfuture.entity.type": "URL", - "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", - "threatintel.recordedfuture.risk.criticality": 1, - "threatintel.recordedfuture.risk.criticalityLabel": "Unusual", - "threatintel.recordedfuture.risk.evidenceDetails": [ + "recordedfuture.entity.id": "url:http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "recordedfuture.entity.type": "URL", + "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "recordedfuture.risk.criticality": 1, + "recordedfuture.risk.criticalityLabel": "Unusual", + "recordedfuture.risk.evidenceDetails": [ { "criticality": 1, "criticalityLabel": "Unusual", 
@@ -214,10 +208,26 @@ "timestamp": "2020-06-24T12:01:33.000Z" } ], - "threatintel.recordedfuture.risk.riskString": "1/25", - "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", - "threatintel.recordedfuture.risk.rules": 1, - "threatintel.recordedfuture.risk.score": 5 + "recordedfuture.risk.riskString": "1/25", + "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.", + "recordedfuture.risk.rules": 1, + "recordedfuture.risk.score": 5, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-recordedfuture" + ], + "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "threat.feed.name": "[Filebeat] RecordedFuture", + "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z", + "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z", + "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "threat.indicator.type": "url", + "threat.indicator.url.domain": "z198hloc8.example.com", + "threat.indicator.url.original": "http://z198hloc8.example.com/f8ih39/f6kou?f6-u3=uwhii", + "threat.indicator.url.path": "/f8ih39/f6kou", + "threat.indicator.url.query": "f6-u3=uwhii", + "threat.indicator.url.scheme": "http" }, { "event.category": "threat", 
@@ -229,26 +239,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 4377,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "y484j-fb6.example.local",
- "threatintel.indicator.url.original": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.indicator.url.path": "/b97s24xf/prz",
- "threatintel.indicator.url.query": "sg-x1do=4myont",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -258,10 +254,26 @@
 "timestamp": "2021-02-14T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "y484j-fb6.example.local",
+ "threat.indicator.url.original": "http://y484j-fb6.example.local/b97s24xf/prz?sg-x1do=4myont",
+ "threat.indicator.url.path": "/b97s24xf/prz",
+ "threat.indicator.url.query": "sg-x1do=4myont",
+ "threat.indicator.url.scheme": "http"
 },
 {
 "event.category": "threat",
@@ -273,26 +285,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 5272,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "sp2xyqq82.example.local",
- "threatintel.indicator.url.original": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.indicator.url.path": "/zxvm093/kat1rcz",
- "threatintel.indicator.url.query": "vaev0aeod=rc0513",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -302,10 +300,26 @@
 "timestamp": "2020-11-16T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "sp2xyqq82.example.local",
+ "threat.indicator.url.original": "http://sp2xyqq82.example.local/zxvm093/kat1rcz?vaev0aeod=rc0513",
+ "threat.indicator.url.path": "/zxvm093/kat1rcz",
+ "threat.indicator.url.query": "vaev0aeod=rc0513",
+ "threat.indicator.url.scheme": "http"
 },
 {
 "event.category": "threat",
@@ -317,26 +331,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 6187,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "zh4o7xc.example.com",
- "threatintel.indicator.url.original": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.indicator.url.path": "/-yiq/vg2whtxif",
- "threatintel.indicator.url.query": "cb0-knk=s6poib5r",
- "threatintel.indicator.url.scheme": "https",
- "threatintel.recordedfuture.entity.id": "url:https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -346,10 +346,26 @@
 "timestamp": "2021-05-15T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttps://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "zh4o7xc.example.com",
+ "threat.indicator.url.original": "https://zh4o7xc.example.com/-yiq/vg2whtxif?cb0-knk=s6poib5r",
+ "threat.indicator.url.path": "/-yiq/vg2whtxif",
+ "threat.indicator.url.query": "cb0-knk=s6poib5r",
+ "threat.indicator.url.scheme": "https"
 },
 {
 "event.category": "threat",
@@ -361,26 +377,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 7094,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "fiivf4s.example.org",
- "threatintel.indicator.url.original": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.indicator.url.path": "/8u2qi/86vfcfq7m",
- "threatintel.indicator.url.query": "pfb2ensc0=h7imk8io2",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -390,10 +392,26 @@
 "timestamp": "2021-02-14T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "fiivf4s.example.org",
+ "threat.indicator.url.original": "http://fiivf4s.example.org/8u2qi/86vfcfq7m?pfb2ensc0=h7imk8io2",
+ "threat.indicator.url.path": "/8u2qi/86vfcfq7m",
+ "threat.indicator.url.query": "pfb2ensc0=h7imk8io2",
+ "threat.indicator.url.scheme": "http"
 },
 {
 "event.category": "threat",
@@ -405,26 +423,12 @@
 "fileset.name": "recordedfuture",
 "input.type": "log",
 "log.offset": 8007,
- "service.type": "threatintel",
- "tags": [
- "forwarded",
- "threatintel-recordedfuture"
- ],
- "threatintel.indicator.first_seen": "2021-06-20T00:00:00.000Z",
- "threatintel.indicator.last_seen": "2021-06-20T23:59:59.000Z",
- "threatintel.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.indicator.type": "url",
- "threatintel.indicator.url.domain": "abav9v.example.org",
- "threatintel.indicator.url.original": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.indicator.url.path": "/gj93q/7fs7",
- "threatintel.indicator.url.query": "kcq7=pjaj1",
- "threatintel.indicator.url.scheme": "http",
- "threatintel.recordedfuture.entity.id": "url:http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.recordedfuture.entity.type": "URL",
- "threatintel.recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
- "threatintel.recordedfuture.risk.criticality": 1,
- "threatintel.recordedfuture.risk.criticalityLabel": "Unusual",
- "threatintel.recordedfuture.risk.evidenceDetails": [
+ "recordedfuture.entity.id": "url:http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "recordedfuture.entity.type": "URL",
+ "recordedfuture.intelCard": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "recordedfuture.risk.criticality": 1,
+ "recordedfuture.risk.criticalityLabel": "Unusual",
+ "recordedfuture.risk.evidenceDetails": [
 {
 "criticality": 1,
 "criticalityLabel": "Unusual",
@@ -434,9 +438,25 @@
 "timestamp": "2021-02-14T00:00:00.000Z"
 }
 ],
- "threatintel.recordedfuture.risk.riskString": "1/25",
- "threatintel.recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
- "threatintel.recordedfuture.risk.rules": 1,
- "threatintel.recordedfuture.risk.score": 5
+ "recordedfuture.risk.riskString": "1/25",
+ "recordedfuture.risk.riskSummary": "1 of 25 Risk Rules currently observed.",
+ "recordedfuture.risk.rules": 1,
+ "recordedfuture.risk.score": 5,
+ "service.type": "threatintel",
+ "tags": [
+ "forwarded",
+ "threatintel-recordedfuture"
+ ],
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] RecordedFuture",
+ "threat.indicator.first_seen": "2021-06-20T00:00:00.000Z",
+ "threat.indicator.last_seen": "2021-06-20T23:59:59.000Z",
+ "threat.indicator.reference": "https://app.recordedfuture.local/live/sc/entity/url%3Ahttp://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "threat.indicator.type": "url",
+ "threat.indicator.url.domain": "abav9v.example.org",
+ "threat.indicator.url.original": "http://abav9v.example.org/gj93q/7fs7?kcq7=pjaj1",
+ "threat.indicator.url.path": "/gj93q/7fs7",
+ "threat.indicator.url.query": "kcq7=pjaj1",
+ "threat.indicator.url.scheme": "http"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/threatq/config/config.yml b/x-pack/filebeat/module/threatintel/threatq/config/config.yml
index 89e8cab731e..0f520215bc8 100644
--- a/x-pack/filebeat/module/threatintel/threatq/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/threatq/config/config.yml
@@ -1,7 +1,6 @@
 {{ if eq .input "httpjson" }}
 type: httpjson
-config_version: "2"
 interval: {{ .interval }}
 auth.oauth2:
@@ -50,22 +49,12 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +tags: +{{if .preserve_original_event}} + - preserve_original_event +{{end}} +{{range $val := .tags}} + - {{$val}} +{{end}} -processors: - - decode_json_fields: - fields: [message] - target: json - process_array: true - max_depth: 5 - overwrite_keys: true - add_error_key: true - - fingerprint: - fields: ["json.id", "json.indicator_id"] - target_field: "@metadata._id" - ignore_missing: true - - add_fields: - target: '' - fields: - ecs.version: 1.12.0 \ No newline at end of file +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml index 6d301f89844..96f8b224e19 100644 --- a/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml @@ -1,3 +1,4 @@ +--- description: Pipeline for parsing ThreatQ Threat Intel processors: #################### @@ -6,6 +7,9 @@ processors: - set: field: event.ingested value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "1.12" - set: field: event.kind value: enrichment @@ -19,6 +23,19 @@ processors: ############### # Parse dates # ############### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.id + - json.indicator_id + target_field: "_id" + ignore_missing: true - date: target_field: "@timestamp" field: "json.updated_at" 
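Review bot: The rewritten `tags` block emits each tag as a bare scalar (`- {{$val}}`), whereas the line it replaces serialized the whole list with `tojson`; a tag containing a YAML-significant sequence (`: `, a leading `#`, `[` or `"`) now renders as malformed or mis-typed YAML instead of a quoted string. Keeping the per-item JSON quoting, `  - {{$val | tojson}}`, preserves the old behaviour for both the default tags and user-supplied ones. The `{{ end }}` that closes the input block sits at the top of the hunk, so the template continues before it.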
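Review bot: The new `json` processor in the `@@ -19,6 +23,19 @@` hunk has no guard, while the `rename` that feeds it is `ignore_missing: true`; an event that arrives without `message` skips the rename and then fails the pipeline on a missing `event.original` (no top-level `on_failure` is visible in this hunk, so I cannot tell whether that is caught). Adding `if: ctx.event?.original != null` to the `json` step, or dropping `ignore_missing` from the rename so the failure is reported at its cause, makes the intended behaviour explicit. The `fingerprint` into `_id` is `ignore_missing: true` and is fine as written; the processors list continues outside the hunk.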
@@ -27,28 +44,28 @@ processors: if: "ctx.json.updated_at != null" ignore_failure: true - date: - target_field: "threatintel.threatq.created_at" + target_field: "threatq.created_at" field: "json.created_at" formats: - "yyyy-MM-dd HH:mm:ss" if: "ctx.json.created_at != null" ignore_failure: true - date: - target_field: "threatintel.threatq.expires_at" + target_field: "threatq.expires_at" field: "json.expires_at" formats: - "yyyy-MM-dd HH:mm:ss" if: "ctx.json.expires_at != null" ignore_failure: true - date: - target_field: "threatintel.threatq.expires_calculated_at" + target_field: "threatq.expires_calculated_at" field: "json.expires_calculated_at" formats: - "yyyy-MM-dd HH:mm:ss" if: "ctx.json.expires_calculated_at != null" ignore_failure: true - date: - target_field: "threatintel.threatq.published_at" + target_field: "threatq.published_at" field: "json.published_at" formats: - "yyyy-MM-dd HH:mm:ss" 
@@ -58,29 +75,50 @@ processors: ##################### # Threat ECS Fields # ##################### + - set: + field: threat.feed.name + value: "[Filebeat] ThreatQuotient" + - set: + field: threat.feed.dashboard_id + value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f" - rename: field: json.type.name - target_field: threatintel.indicator.type + target_field: threat.indicator.type ignore_missing: true - rename: field: json.description - target_field: threatintel.indicator.description + target_field: threat.indicator.description ignore_missing: true - - convert: - field: json.score - target_field: threatintel.indicator.confidence - type: integer - on_failure: - - append: - field: error.message - value: "Cannot convert json.score to integer: {{{ _ingest.on_failure_message }}}" + - script: + lang: painless + if: ctx.json?.score != null + description: > + Normalize confidence level. + source: > + def value = ctx.json.score; + if (value <= 0.0 || value > 100.0) { + ctx.threat.indicator.confidence = "None"; + return; + } + if (value >= 1.0 && value <= 29.0) { + ctx.threat.indicator.confidence = "Low"; + return; + } + if (value >= 30.0 && value <= 69.0) { + ctx.threat.indicator.confidence = "Med"; + return; + } + if (value >= 70 && value <= 100) { + ctx.threat.indicator.confidence = "High"; + return; + } - rename: field: json.status.name - target_field: threatintel.threatq.status + target_field: threatq.status ignore_missing: true - rename: field: json.value - target_field: threatintel.threatq.indicator_value + target_field: threatq.indicator_value ignore_missing: true ######################################### 
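Review bot: The confidence mapping has gaps: a score strictly between 0 and 1, between 29 and 30, or between 69 and 70 matches none of the four ranges, so `threat.indicator.confidence` is left unset for a non-integer `json.score`, whereas the `convert` it replaces preserved every numeric value. The script also writes `ctx.threat.indicator.confidence` without checking that `ctx.threat.indicator` exists; as far as the hunk shows it is only created by the two `ignore_missing` renames above, so an event with a score but neither `json.type.name` nor `json.description` would fail here. A chain on the upper bound alone, with the map created up front, closes both holes; the processors list continues outside the hunk.
```yaml
      source: >
        def value = ctx.json.score;
        if (ctx.threat.indicator == null) {
          ctx.threat.indicator = new HashMap();
        }
        if (value <= 0.0 || value > 100.0) {
          ctx.threat.indicator.confidence = "None";
        } else if (value < 30.0) {
          ctx.threat.indicator.confidence = "Low";
        } else if (value < 70.0) {
          ctx.threat.indicator.confidence = "Med";
        } else {
          ctx.threat.indicator.confidence = "High";
        }
```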
@@ -89,119 +127,144 @@ processors: # Indicator type: Email Address - set: - field: threatintel.indicator.email.address - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'Email Address'" + field: threat.indicator.email.address + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: email-addr - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'Email Address'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'" # Indicator type: FQDN - set: - field: threatintel.indicator.domain - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'FQDN'" + field: threat.indicator.domain + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: domain-name - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'FQDN'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'" # Indicator type: IP Address - set: - field: threatintel.indicator.ip - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IP Address'" + field: threat.indicator.ip + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'" + ignore_empty_value: true + - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv4-addr - if: "ctx?.threatintel?.indicator?.type != null && 
ctx?.threatintel?.indicator?.type == 'IP Address'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'" # Indicator type: IPv6 Address - set: - field: threatintel.indicator.domain - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IPv6 Address'" + field: threat.indicator.domain + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: ipv6-addr - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'IPv6 Address'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'" # Indicator type: MD5 - set: - field: threatintel.indicator.file.hash.md5 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'MD5'" + field: threat.indicator.file.hash.md5 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'MD5'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'" # Indicator type: SHA-1 - set: - field: threatintel.indicator.file.hash.sha1 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-1'" + field: threat.indicator.file.hash.sha1 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: 
threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-1'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'" # Indicator type: SHA-256 - set: - field: threatintel.indicator.file.hash.sha256 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-256'" + field: threat.indicator.file.hash.sha256 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-256'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'" # Indicator type: SHA-512 - set: - field: threatintel.indicator.file.hash.sha512 - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-512'" + field: threat.indicator.file.hash.sha512 + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'" + ignore_empty_value: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: file - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'SHA-512'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'" # Indicator type: URL + - uri_parts: + field: threatq.indicator_value + target_field: threat.indicator.url + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL' && ctx.threatq?.indicator_value != null" + remove_if_successful: true - set: - field: threatintel.indicator.url.full - value: "{{threatintel.threatq.indicator_value}}" - if: 
"ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'URL'" - - set: - field: threatintel.indicator.type + field: threat.indicator.type value: url - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'URL'" + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL'" # Indicator type: x509 Serial - set: - field: threatintel.indicator.x509.serial_number - value: "{{threatintel.threatq.indicator_value}}" - if: "ctx?.threatintel?.indicator?.type != null && ctx?.threatintel?.indicator?.type == 'x509 Serial'" + field: threat.indicator.x509.serial_number + copy_from: threatq.indicator_value + if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'x509 Serial'" + ignore_empty_value: true ################################### # Map indicator providers and TLP # ################################### - - foreach: - description: Append threat intel sources - field: json.sources - ignore_missing: true - processor: - append: - field: threatintel.indicator.provider - value: "{{{ _ingest._value.name }}}" - - foreach: - description: Append threat intel source TLP values - field: json.sources - ignore_missing: true - processor: - append: - field: threatintel.indicator.marking.tlp - value: "{{{ _ingest._value.tlp_name }}}" + - script: + if: "ctx.json?.sources != null && ctx.json?.sources instanceof List && ctx.json?.sources.size() > 0" + lang: painless + description: "Extract TLP and providers from source" + source: |- + def providers = new ArrayList(); + def tlps = new ArrayList(); + for (source in ctx.json.sources) { + if (source == null) { + return; + } + if (source.containsKey("provider") && source["provider"] != null) { + providers.add(source["provider"]); + } + if (source.containsKey("tlp_name") && source["tlp_name"] != null) { + tlps.add(source["tlp_name"]); + } + } + if (tlps.size() > 0) { + if (ctx.threat.indicator.marking == null) { + ctx.threat.indicator.marking = new 
HashMap(); + } + ctx.threat.indicator.marking.tlp = tlps; + } + if (providers.size() > 0) { + if (ctx.threat.indicator.provider == null) { + ctx.threat.indicator.provider = new HashMap(); + } + ctx.threat.indicator.provider = providers; + } ############################ # Map indicator attributes # @@ -228,7 +291,7 @@ processors: ignore_missing: true processor: append: - field: threatintel.threatq.attributes.{{{ _ingest._value.name }}} + field: threatq.attributes.{{{ _ingest._value.name }}} value: "{{{ _ingest._value.value }}}" ############################# @@ -239,20 +302,25 @@ processors: ignore_missing: true processor: append: - field: threatintel.threatq.adversaries + field: threatq.adversaries value: "{{{ _ingest._value.name }}}" ###################### # Cleanup processors # ###################### # Setting indicator type to unknown if it does not match anything + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true - set: - field: threatintel.indicator.type + field: threat.indicator.type value: unknown - if: ctx?.threatintel?.indicator?.type == null + if: ctx.threat?.indicator?.type == null - script: lang: painless - if: ctx?.threatintel != null + if: ctx.threat != null source: | void handleMap(Map map) { for (def x : map.values()) { diff --git a/x-pack/filebeat/module/threatintel/threatq/manifest.yml b/x-pack/filebeat/module/threatintel/threatq/manifest.yml index dd7165b182f..d5628d2a705 100644 --- a/x-pack/filebeat/module/threatintel/threatq/manifest.yml +++ b/x-pack/filebeat/module/threatintel/threatq/manifest.yml @@ -11,11 +11,13 @@ var: - name: client_id - name: client_secret - name: host - default: "https://www.threatq.com/" + default: "https://www.threatq.com" - name: proxy_url - name: http_client_timeout - name: tags default: [threatintel-threatq, forwarded] + - name: preserve_original_event + default: false ingest_pipeline: - ingest/pipeline.yml 
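Review bot: The sources script reads the provider from `source["provider"]`, but the `foreach` it replaces took it from `_ingest._value.name`, and the updated expected output for the sample (the threatq `*-expected.json` hunks further down) no longer contains any `threat.indicator.provider` where the old output had `["AlienVault OTX"]` — so unless the sample data was also changed in this PR, the provider is now silently dropped and `source["name"]` restores it. In the same loop `if (source == null) { return; }` abandons the whole script, discarding providers and TLPs already collected from earlier entries, where `continue` is meant; `ctx.threat.indicator.provider = new HashMap()` is dead because the next line overwrites it with the list; and the script dereferences `ctx.threat.indicator` without checking it exists. Separately, the `IPv6 Address` branch copies the indicator into `threat.indicator.domain` while tagging the type `ipv6-addr`; `threat.indicator.ip`, which the `IP Address` branch uses, is the right home for it. The processors list continues on both sides of the hunk.
```yaml
      source: |-
        def providers = new ArrayList();
        def tlps = new ArrayList();
        for (source in ctx.json.sources) {
          if (source == null) {
            continue;
          }
          if (source.containsKey("name") && source["name"] != null) {
            providers.add(source["name"]);
          }
          if (source.containsKey("tlp_name") && source["tlp_name"] != null) {
            tlps.add(source["tlp_name"]);
          }
        }
        if (ctx.threat.indicator == null) {
          ctx.threat.indicator = new HashMap();
        }
        if (tlps.size() > 0) {
          if (ctx.threat.indicator.marking == null) {
            ctx.threat.indicator.marking = new HashMap();
          }
          ctx.threat.indicator.marking.tlp = tlps;
        }
        if (providers.size() > 0) {
          ctx.threat.indicator.provider = providers;
        }
```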
diff --git a/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json
index 58c61e5161c..58958850bd5 100644
--- a/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/threatq/test/threatq_sample.ndjson.log-expected.json
@@ -14,38 +14,34 @@
 "forwarded",
 "threatintel-threatq"
 ],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.44.202.220",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.44.202.220",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
 "4"
 ],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
 "3"
 ],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
 "3"
 ],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
 "Saipan"
 ],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
 "MP"
 ],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
 "Malicious Host"
 ],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.44.202.220",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.44.202.220",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
 },
 {
 "@timestamp": "2020-11-15T00:00:02.000Z",
@@ -62,38 +58,34 @@
 "forwarded",
 "threatintel-threatq"
 ],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.94.155.176",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.94.155.176",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
 "4"
 ],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
 "3"
 ],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
 "2"
 ],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
 "Sacramento"
 ],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
 "US"
 ],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
 "Malicious Host"
 ],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.94.155.176",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.94.155.176",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
 },
 {
 "@timestamp": "2020-11-15T00:00:02.000Z",
@@ -110,38 +102,34 @@
 "forwarded",
 "threatintel-threatq"
 ],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.42.81.68",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.42.81.68",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
 "4"
 ],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
 "3"
 ],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
 "2"
 ],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
 "New York"
 ],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
 "US"
 ],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
 "Malicious Host"
 ],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.42.81.68",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.42.81.68",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
 },
 {
 "@timestamp": "2020-11-15T00:00:02.000Z",
@@ -158,32 +146,28 @@
 "forwarded",
 "threatintel-threatq"
 ],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "37.17.250.101",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "37.17.250.101",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
 "4"
 ],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
 "3"
 ],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
 "2"
 ],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
 "Malicious Host"
 ],
- "threatintel.threatq.created_at": "2020-09-11T14:35:41.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:02.000Z",
- "threatintel.threatq.indicator_value": "37.17.250.101",
- "threatintel.threatq.published_at": "2020-09-11T14:35:41.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:41.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:02.000Z",
+ "threatq.indicator_value": "37.17.250.101",
+ "threatq.published_at": "2020-09-11T14:35:41.000Z",
+ "threatq.status": "Expired"
 },
 {
 "@timestamp": "2020-11-15T00:00:02.000Z",
@@ -200,38 +184,34 @@
 "forwarded",
 "threatintel-threatq"
 ],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.94.129.203",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.94.129.203",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
 "4"
 ],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
 "3"
 ],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
 "2"
 ],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
 "Sacramento"
 ],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
 "US"
 ],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
 "Malicious Host"
 ],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.94.129.203",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.94.129.203",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
 },
 {
 "@timestamp": "2020-11-15T00:00:02.000Z",
@@ -248,38 +228,34 @@
 "forwarded",
 "threatintel-threatq"
 ],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.216.117.22",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.216.117.22",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
 "4"
 ],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
 "3"
 ],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
 "3"
 ],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
 "Houston"
 ],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
 "US"
 ],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
 "Malicious Host"
 ],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.216.117.22",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.216.117.22",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
 },
 {
 "@timestamp": "2020-11-15T00:00:02.000Z",
@@ -296,38 +272,34 @@
 "forwarded",
 "threatintel-threatq"
 ],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.80.70.115",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.80.70.115",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
 "4"
 ],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
 "3"
 ],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
 "2"
 ],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
 "Fort Lauderdale"
 ],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
 "US"
 ],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
 "Malicious Host"
 ],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.80.70.115",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.80.70.115",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
 },
 {
 "@timestamp": "2020-11-15T00:00:02.000Z",
@@ -344,38 +316,34 @@
 "forwarded",
 "threatintel-threatq"
 ],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.65.79.99",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.65.79.99",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
 "4"
 ],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
 "3"
 ],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
 "2"
 ],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
 "Pompano Beach"
 ],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
 "US"
 ],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
 "Malicious Host"
 ],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.65.79.99",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.65.79.99",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
 },
 {
 "@timestamp": "2020-11-15T00:00:02.000Z",
@@ -392,37 +360,33 @@
 "forwarded",
 "threatintel-threatq"
 ],
- "threatintel.indicator.confidence": 4,
- "threatintel.indicator.ip": "69.199.22.46",
- "threatintel.indicator.marking.tlp": [
- ""
- ],
- "threatintel.indicator.provider": [
- "AlienVault OTX"
- ],
- "threatintel.indicator.type": "ipv4-addr",
- "threatintel.threatq.attributes.alienvault_reliability": [
+ "threat.feed.dashboard_id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f",
+ "threat.feed.name": "[Filebeat] ThreatQuotient",
+ "threat.indicator.confidence": "Low",
+ "threat.indicator.ip": "69.199.22.46",
+ "threat.indicator.type": "ipv4-addr",
+ "threatq.attributes.alienvault_reliability": [
 "4"
 ],
- "threatintel.threatq.attributes.alienvault_revision": [
+ "threatq.attributes.alienvault_revision": [
 "3"
 ],
- "threatintel.threatq.attributes.alienvault_threat_level": [
+ "threatq.attributes.alienvault_threat_level": [
 "2"
 ],
- "threatintel.threatq.attributes.city": [
+ "threatq.attributes.city": [
 "Little Elm"
 ],
- "threatintel.threatq.attributes.country": [
+ "threatq.attributes.country": [
 "US"
 ],
- "threatintel.threatq.attributes.description": [
+ "threatq.attributes.description": [
 "Malicious Host"
 ],
- "threatintel.threatq.created_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
- "threatintel.threatq.indicator_value": "69.199.22.46",
- "threatintel.threatq.published_at": "2020-09-11T14:35:51.000Z",
- "threatintel.threatq.status": "Expired"
+ "threatq.created_at": "2020-09-11T14:35:51.000Z",
+ "threatq.expires_calculated_at": "2020-10-15T14:40:03.000Z",
+ "threatq.indicator_value": "69.199.22.46",
+ "threatq.published_at": "2020-09-11T14:35:51.000Z",
+ "threatq.status": "Expired"
 }
 ]
\ No newline at end of file