From c45aba59df1429f3f6859f61ae5295fae9d22baf Mon Sep 17 00:00:00 2001 From: Alex Resnick <adr8292@gmail.com> Date: Tue, 29 Jun 2021 09:12:10 -0500 Subject: [PATCH] [Filebeat] Fix `threatintel.indicator.url.full` field not populating (#26508) * #26351: Fix Threat Intel Full URL field * update changelog * remove commented items * updated pipelines per comments --- CHANGELOG.next.asciidoc | 1 + .../threatintel/abuseurl/ingest/pipeline.yml | 18 +--- .../test/abusechurl.ndjson.log-expected.json | 100 ++++++++++++++++++ .../threatintel/anomali/ingest/pipeline.yml | 11 +- .../anomali_limo.ndjson.log-expected.json | 85 +++++++++++++++ .../anomalithreatstream/ingest/pipeline.yml | 5 + .../test/generated.log-expected.json | 25 +++++ .../threatintel/misp/ingest/pipeline.yml | 23 ++-- .../test/misp_sample.ndjson.log-expected.json | 2 + .../threatintel/otx/ingest/pipeline.yml | 15 +-- .../otx/test/otx_sample.ndjson.log | 3 + .../test/otx_sample.ndjson.log-expected.json | 65 ++++++++++++ 12 files changed, 312 insertions(+), 41 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 1250f7ff555..c535654c921 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -388,6 +388,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add improvements to the azure activitylogs and platformlogs ingest pipelines. {pull}26148[26148] - Fix `kibana.log` pipeline when `event.duration` calculation becomes a Long. {issue}24556[24556] {pull}25675[25675] - Removed incorrect `http.request.referrer` field from `aws.elb` module. {issue}26435[26435] {pull}26441[26441] +- Fix `threatintel.indicator.url.full` not being populated. {issue}26351[26351] {pull}26508[26508] *Heartbeat* diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml index ed2ebeda10d..95759247e93 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml @@ -31,14 +31,6 @@ processors: - set: field: threatintel.indicator.type value: url -- set: - field: threatintel.indicator.url.scheme - value: https - if: ctx?.threatintel?.abuseurl?.url.startsWith('https:') -- set: - field: threatintel.indicator.url.scheme - value: http - if: ctx?.threatintel?.abuseurl?.url.startsWith('http:') - date: field: threatintel.abuseurl.date_added target_field: threatintel.indicator.first_seen @@ -51,11 +43,10 @@ processors: target_field: threatintel.indicator.url keep_original: true remove_if_successful: true -- rename: - field: threatintel.abuseurl.url - target_field: threatintel.indicator.url.full - ignore_missing: true - if: ctx?.threatintel?.indicator?.url?.original == null && ctx?.threatintel?.abuseurl?.url != null +- set: + field: threatintel.indicator.url.full + copy_from: threatintel.indicator.url.original + ignore_empty_value: true - rename: field: threatintel.abuseurl.host target_field: threatintel.indicator.domain @@ -65,7 +56,6 @@ processors: target_field: event.reference ignore_missing: true - # Host can be both IP addresses and domain names - grok: field: threatintel.abuseurl.host diff --git a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json index e0c47170106..a37eb5f45de 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json @@ -30,6 +30,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "103.72.223.103", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://103.72.223.103:34613/Mozi.m", "threatintel.indicator.url.original": "http://103.72.223.103:34613/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 34613, @@ -66,6 +67,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "112.30.97.184", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://112.30.97.184:44941/Mozi.m", "threatintel.indicator.url.original": "http://112.30.97.184:44941/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 44941, @@ -102,6 +104,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "113.110.198.53", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://113.110.198.53:37173/Mozi.m", "threatintel.indicator.url.original": "http://113.110.198.53:37173/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 37173, @@ -138,6 +141,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "101.20.183.170", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://101.20.183.170:47545/Mozi.m", "threatintel.indicator.url.original": "http://101.20.183.170:47545/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 47545, @@ -174,6 +178,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "59.8.35.22", "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.full": "http://59.8.35.22:44782/Mozi.a", "threatintel.indicator.url.original": "http://59.8.35.22:44782/Mozi.a", "threatintel.indicator.url.path": "/Mozi.a", "threatintel.indicator.url.port": 44782, @@ -210,6 +215,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "59.96.37.35", "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.full": "http://59.96.37.35:44359/Mozi.a", "threatintel.indicator.url.original": "http://59.96.37.35:44359/Mozi.a", "threatintel.indicator.url.path": "/Mozi.a", "threatintel.indicator.url.port": 44359, @@ -246,6 +252,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.239.233.17", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://42.239.233.17:56507/Mozi.m", "threatintel.indicator.url.original": "http://42.239.233.17:56507/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 56507, @@ -282,6 +289,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "58.252.178.20", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://58.252.178.20:57562/Mozi.m", "threatintel.indicator.url.original": "http://58.252.178.20:57562/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 57562, @@ -318,6 +326,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "45.176.111.95", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://45.176.111.95:48845/Mozi.m", "threatintel.indicator.url.original": "http://45.176.111.95:48845/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 48845, @@ -354,6 +363,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.224.68.97", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://42.224.68.97:58245/Mozi.m", "threatintel.indicator.url.original": "http://42.224.68.97:58245/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 58245, @@ -390,6 +400,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "222.81.144.207", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://222.81.144.207:37198/Mozi.m", "threatintel.indicator.url.original": "http://222.81.144.207:37198/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 37198, @@ -426,6 +437,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.127.185.137", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://182.127.185.137:33524/Mozi.m", "threatintel.indicator.url.original": "http://182.127.185.137:33524/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 33524, @@ -462,6 +474,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "39.84.175.185", "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.full": "http://39.84.175.185:48261/Mozi.a", "threatintel.indicator.url.original": "http://39.84.175.185:48261/Mozi.a", "threatintel.indicator.url.path": "/Mozi.a", "threatintel.indicator.url.port": 48261, @@ -498,6 +511,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "27.41.11.238", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://27.41.11.238:34478/Mozi.m", "threatintel.indicator.url.original": "http://27.41.11.238:34478/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 34478, @@ -534,6 +548,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.127.133.68", "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.full": "http://182.127.133.68:35703/Mozi.a", "threatintel.indicator.url.original": "http://182.127.133.68:35703/Mozi.a", "threatintel.indicator.url.path": "/Mozi.a", "threatintel.indicator.url.port": 35703, @@ -570,6 +585,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "27.46.44.102", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://27.46.44.102:48666/Mozi.m", "threatintel.indicator.url.original": "http://27.46.44.102:48666/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 48666, @@ -606,6 +622,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "39.70.88.65", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://39.70.88.65:53923/Mozi.m", "threatintel.indicator.url.original": "http://39.70.88.65:53923/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 53923, @@ -642,6 +659,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.224.136.237", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://42.224.136.237:52794/Mozi.m", "threatintel.indicator.url.original": "http://42.224.136.237:52794/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 52794, @@ -678,6 +696,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "117.208.135.63", "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.full": "http://117.208.135.63:49312/Mozi.a", "threatintel.indicator.url.original": "http://117.208.135.63:49312/Mozi.a", "threatintel.indicator.url.path": "/Mozi.a", "threatintel.indicator.url.port": 49312, @@ -714,6 +733,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "125.47.66.60", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://125.47.66.60:38961/Mozi.m", "threatintel.indicator.url.original": "http://125.47.66.60:38961/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 38961, @@ -750,6 +770,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.117.95.148", "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.full": "http://182.117.95.148:50420/Mozi.a", "threatintel.indicator.url.original": "http://182.117.95.148:50420/Mozi.a", "threatintel.indicator.url.path": "/Mozi.a", "threatintel.indicator.url.port": 50420, @@ -786,6 +807,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "117.202.71.48", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://117.202.71.48:55007/Mozi.m", "threatintel.indicator.url.original": "http://117.202.71.48:55007/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 55007, @@ -822,6 +844,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "125.99.132.118", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://125.99.132.118:51143/Mozi.m", "threatintel.indicator.url.original": "http://125.99.132.118:51143/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 51143, @@ -858,6 +881,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.114.123.69", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://182.114.123.69:41003/Mozi.m", "threatintel.indicator.url.original": "http://182.114.123.69:41003/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 41003, @@ -893,6 +917,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "116.19.127.37", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://116.19.127.37:35739/Mozi.m", "threatintel.indicator.url.original": "http://116.19.127.37:35739/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 35739, @@ -928,6 +953,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.239.253.55", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://42.239.253.55:45653/Mozi.m", "threatintel.indicator.url.original": "http://42.239.253.55:45653/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 45653, @@ -963,6 +989,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "103.217.121.228", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://103.217.121.228:41349/Mozi.m", "threatintel.indicator.url.original": "http://103.217.121.228:41349/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 41349, @@ -998,6 +1025,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "111.92.81.255", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://111.92.81.255:48586/Mozi.m", "threatintel.indicator.url.original": "http://111.92.81.255:48586/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 48586, @@ -1033,6 +1061,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "45.229.55.75", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://45.229.55.75:38111/Mozi.m", "threatintel.indicator.url.original": "http://45.229.55.75:38111/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 38111, @@ -1068,6 +1097,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.121.242.148", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://182.121.242.148:34556/Mozi.m", "threatintel.indicator.url.original": "http://182.121.242.148:34556/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 34556, @@ -1104,6 +1134,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "106.115.189.249", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://106.115.189.249:59815/Mozi.m", "threatintel.indicator.url.original": "http://106.115.189.249:59815/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 59815, @@ -1141,6 +1172,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.117.93.110", "threatintel.indicator.url.extension": "sh", + "threatintel.indicator.url.full": "http://182.117.93.110:50587/bin.sh", "threatintel.indicator.url.original": "http://182.117.93.110:50587/bin.sh", "threatintel.indicator.url.path": "/bin.sh", "threatintel.indicator.url.port": 50587, @@ -1177,6 +1209,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "110.251.5.169", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://110.251.5.169:48322/Mozi.m", "threatintel.indicator.url.original": "http://110.251.5.169:48322/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 48322, @@ -1212,6 +1245,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "101.51.117.186", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://101.51.117.186:33317/Mozi.m", "threatintel.indicator.url.original": "http://101.51.117.186:33317/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 33317, @@ -1247,6 +1281,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "121.151.78.166", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://121.151.78.166:41516/Mozi.m", "threatintel.indicator.url.original": "http://121.151.78.166:41516/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 41516, @@ -1282,6 +1317,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "116.72.92.97", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://116.72.92.97:57798/Mozi.m", "threatintel.indicator.url.original": "http://116.72.92.97:57798/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 57798, @@ -1317,6 +1353,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "27.218.15.209", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://27.218.15.209:47671/Mozi.m", "threatintel.indicator.url.original": "http://27.218.15.209:47671/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 47671, @@ -1352,6 +1389,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "120.85.171.210", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://120.85.171.210:57690/Mozi.m", "threatintel.indicator.url.original": "http://120.85.171.210:57690/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 57690, @@ -1388,6 +1426,7 @@ "threatintel.indicator.provider": "geenensp", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "117.251.59.53", + "threatintel.indicator.url.full": "http://117.251.59.53:50611/i", "threatintel.indicator.url.original": "http://117.251.59.53:50611/i", "threatintel.indicator.url.path": "/i", "threatintel.indicator.url.port": 50611, @@ -1423,6 +1462,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "115.58.83.167", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://115.58.83.167:34141/Mozi.m", "threatintel.indicator.url.original": "http://115.58.83.167:34141/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 34141, @@ -1459,6 +1499,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "94.178.124.83", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://94.178.124.83:44399/Mozi.m", "threatintel.indicator.url.original": "http://94.178.124.83:44399/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 44399, @@ -1495,6 +1536,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "182.122.75.232", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://182.122.75.232:49120/Mozi.m", "threatintel.indicator.url.original": "http://182.122.75.232:49120/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 49120, @@ -1531,6 +1573,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "115.63.202.43", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://115.63.202.43:51136/Mozi.m", "threatintel.indicator.url.original": "http://115.63.202.43:51136/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 51136, @@ -1567,6 +1610,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "59.99.40.204", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://59.99.40.204:45773/Mozi.m", "threatintel.indicator.url.original": "http://59.99.40.204:45773/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 45773, @@ -1603,6 +1647,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "117.247.128.213", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://117.247.128.213:56528/Mozi.m", "threatintel.indicator.url.original": "http://117.247.128.213:56528/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 56528, @@ -1639,6 +1684,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "14.137.219.132", "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.full": "http://14.137.219.132:44427/Mozi.a", "threatintel.indicator.url.original": "http://14.137.219.132:44427/Mozi.a", "threatintel.indicator.url.path": "/Mozi.a", "threatintel.indicator.url.port": 44427, @@ -1675,6 +1721,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.224.40.14", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://42.224.40.14:36134/Mozi.m", "threatintel.indicator.url.original": "http://42.224.40.14:36134/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 36134, @@ -1711,6 +1758,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "186.33.104.107", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://186.33.104.107:43973/Mozi.m", "threatintel.indicator.url.original": "http://186.33.104.107:43973/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 43973, @@ -1747,6 +1795,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "85.105.16.154", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://85.105.16.154:41319/Mozi.m", "threatintel.indicator.url.original": "http://85.105.16.154:41319/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 41319, @@ -1783,6 +1832,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "178.141.73.115", "threatintel.indicator.url.extension": "a", + "threatintel.indicator.url.full": "http://178.141.73.115:51847/Mozi.a", "threatintel.indicator.url.original": "http://178.141.73.115:51847/Mozi.a", "threatintel.indicator.url.path": "/Mozi.a", "threatintel.indicator.url.port": 51847, @@ -1819,6 +1869,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "186.33.104.135", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://186.33.104.135:54469/Mozi.m", "threatintel.indicator.url.original": "http://186.33.104.135:54469/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 54469, @@ -1855,6 +1906,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "115.56.159.43", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://115.56.159.43:34547/Mozi.m", "threatintel.indicator.url.original": "http://115.56.159.43:34547/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 34547, @@ -1891,6 +1943,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "42.230.138.170", "threatintel.indicator.url.extension": "m", + "threatintel.indicator.url.full": "http://42.230.138.170:33932/Mozi.m", "threatintel.indicator.url.original": "http://42.230.138.170:33932/Mozi.m", "threatintel.indicator.url.path": "/Mozi.m", "threatintel.indicator.url.port": 33932, @@ -1926,6 +1979,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://univirtek.com/viro/02478080035/blank.jpg", "threatintel.indicator.url.original": "https://univirtek.com/viro/02478080035/blank.jpg", "threatintel.indicator.url.path": "/viro/02478080035/blank.jpg", "threatintel.indicator.url.scheme": "https" @@ -1960,6 +2014,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", "threatintel.indicator.url.original": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png", "threatintel.indicator.url.path": "/viro/FRRNDR77C25D325O/map.png", "threatintel.indicator.url.scheme": "https" @@ -1994,6 +2049,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ladiesincode.com", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg", "threatintel.indicator.url.path": "/ladi/CNNSRG83H04F158R/blank.jpg", "threatintel.indicator.url.scheme": "https" @@ -2028,6 +2084,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "letonguesc.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://letonguesc.com/leto/02328510512/logo.css", "threatintel.indicator.url.original": "https://letonguesc.com/leto/02328510512/logo.css", "threatintel.indicator.url.path": "/leto/02328510512/logo.css", "threatintel.indicator.url.scheme": "https" @@ -2062,6 +2119,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", "threatintel.indicator.url.original": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png", "threatintel.indicator.url.path": "/minu/MLILSN74B21E507L/uk.png", "threatintel.indicator.url.scheme": "https" @@ -2096,6 +2154,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://cxminute.com/minu/12875710159/blank.css", "threatintel.indicator.url.original": "https://cxminute.com/minu/12875710159/blank.css", "threatintel.indicator.url.path": "/minu/12875710159/blank.css", "threatintel.indicator.url.scheme": "https" @@ -2130,6 +2189,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.full": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", "threatintel.indicator.url.original": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif", "threatintel.indicator.url.path": "/minu/CPNLNZ65M20A200N/maps.gif", "threatintel.indicator.url.scheme": "https" @@ -2164,6 +2224,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", "threatintel.indicator.url.original": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png", "threatintel.indicator.url.path": "/bella/DLPCMN64D02D789E/logo.png", "threatintel.indicator.url.scheme": "https" @@ -2198,6 +2259,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01844510469/1x1.jpg", "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01844510469/1x1.jpg", "threatintel.indicator.url.path": "/bella/01844510469/1x1.jpg", "threatintel.indicator.url.scheme": "https" @@ -2232,6 +2294,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ladiesincode.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css", "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css", "threatintel.indicator.url.path": "/ladi/FRRDNI52M71E522D/logo.css", "threatintel.indicator.url.scheme": "https" @@ -2266,6 +2329,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "letonguesc.com", "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.full": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif", "threatintel.indicator.url.original": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif", "threatintel.indicator.url.path": "/leto/CPPMRC65E04H980Q/it.gif", "threatintel.indicator.url.scheme": "https" @@ -2300,6 +2364,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://univirtek.com/viro/06389650018/it.css", "threatintel.indicator.url.original": "https://univirtek.com/viro/06389650018/it.css", "threatintel.indicator.url.path": "/viro/06389650018/it.css", "threatintel.indicator.url.scheme": "https" @@ -2334,6 +2399,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png", "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png", "threatintel.indicator.url.path": "/bella/CRSRRT61E15H501H/logo.png", "threatintel.indicator.url.scheme": "https" @@ -2368,6 +2434,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg", "threatintel.indicator.url.original": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg", "threatintel.indicator.url.path": "/minu/SMPMSM67P05F205U/it.jpg", "threatintel.indicator.url.scheme": "https" @@ -2402,6 +2469,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png", "threatintel.indicator.url.original": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png", "threatintel.indicator.url.path": "/viro/SBNPQL78A24A783E/uk.png", "threatintel.indicator.url.scheme": "https" @@ -2436,6 +2504,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://cxminute.com/minu/15578761007/maps.jpg", "threatintel.indicator.url.original": "https://cxminute.com/minu/15578761007/maps.jpg", "threatintel.indicator.url.path": "/minu/15578761007/maps.jpg", "threatintel.indicator.url.scheme": "https" @@ -2470,6 +2539,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://univirtek.com/viro/03079590133/1x1.png", "threatintel.indicator.url.original": "https://univirtek.com/viro/03079590133/1x1.png", "threatintel.indicator.url.path": "/viro/03079590133/1x1.png", "threatintel.indicator.url.scheme": "https" @@ -2504,6 +2574,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ladiesincode.com", "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif", "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif", "threatintel.indicator.url.path": "/ladi/BNCLNR77T56M082U/it.gif", "threatintel.indicator.url.scheme": "https" @@ -2538,6 +2609,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css", "threatintel.indicator.url.original": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css", "threatintel.indicator.url.path": "/minu/JNKMTJ64B29L424O/uk.css", "threatintel.indicator.url.scheme": "https" @@ -2572,6 +2644,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png", "threatintel.indicator.url.original": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png", "threatintel.indicator.url.path": "/bella/PGNMRA64S22I608Z/en.png", "threatintel.indicator.url.scheme": "https" @@ -2606,6 +2679,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg", "threatintel.indicator.url.original": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg", "threatintel.indicator.url.path": "/minu/RZKDRD77T23Z229T/logo.jpg", "threatintel.indicator.url.scheme": "https" @@ -2640,6 +2714,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "fhivelifestyle.online", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg", "threatintel.indicator.url.original": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg", "threatintel.indicator.url.path": "/nhbrwvdffsgt/adf/maps.jpg", "threatintel.indicator.url.scheme": "https" @@ -2674,6 +2749,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://belfetproduction.com/bella/05739900487/1x1.css", "threatintel.indicator.url.original": "https://belfetproduction.com/bella/05739900487/1x1.css", "threatintel.indicator.url.path": "/bella/05739900487/1x1.css", "threatintel.indicator.url.scheme": "https" @@ -2708,6 +2784,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01767180597/map.css", "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01767180597/map.css", "threatintel.indicator.url.path": "/bella/01767180597/map.css", "threatintel.indicator.url.scheme": "https" @@ -2742,6 +2819,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", "threatintel.indicator.url.original": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css", "threatintel.indicator.url.path": "/bella/BRNGRG55D21F394K/map.css", "threatintel.indicator.url.scheme": "https" @@ -2776,6 +2854,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", "threatintel.indicator.url.original": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css", "threatintel.indicator.url.path": "/minu/DLLTZN67L20L157J/1x1.css", "threatintel.indicator.url.scheme": "https" @@ -2810,6 +2889,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://cxminute.com/minu/08035410722/logo.jpg", "threatintel.indicator.url.original": "https://cxminute.com/minu/08035410722/logo.jpg", "threatintel.indicator.url.path": "/minu/08035410722/logo.jpg", "threatintel.indicator.url.scheme": "https" @@ -2844,6 +2924,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", "threatintel.indicator.url.original": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css", "threatintel.indicator.url.path": "/viro/GRNZEI60M13G346L/en.css", "threatintel.indicator.url.scheme": "https" @@ -2878,6 +2959,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "letonguesc.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://letonguesc.com/leto/03253350239/1x1.png", "threatintel.indicator.url.original": "https://letonguesc.com/leto/03253350239/1x1.png", "threatintel.indicator.url.path": "/leto/03253350239/1x1.png", "threatintel.indicator.url.scheme": "https" @@ -2912,6 +2994,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ladiesincode.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/10582470158/uk.css", "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/10582470158/uk.css", "threatintel.indicator.url.path": "/ladi/10582470158/uk.css", "threatintel.indicator.url.scheme": "https" @@ -2946,6 +3029,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ladiesincode.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css", "threatintel.indicator.url.path": "/ladi/BTTLNZ68A56D325C/map.css", "threatintel.indicator.url.scheme": "https" @@ -2980,6 +3064,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "letonguesc.com", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", "threatintel.indicator.url.original": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg", "threatintel.indicator.url.path": "/leto/NNTLRT68P28A717L/en.jpg", "threatintel.indicator.url.scheme": "https" @@ -3014,6 +3099,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", "threatintel.indicator.url.original": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png", "threatintel.indicator.url.path": "/viro/CTTNDR89A19B149W/maps.png", "threatintel.indicator.url.scheme": "https" @@ -3048,6 +3134,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", "threatintel.indicator.url.original": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css", "threatintel.indicator.url.path": "/minu/DRSNTN77B16I197U/logo.css", "threatintel.indicator.url.scheme": "https" @@ -3082,6 +3169,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://univirtek.com/viro/02941830735/uk.css", "threatintel.indicator.url.original": "https://univirtek.com/viro/02941830735/uk.css", "threatintel.indicator.url.path": "/viro/02941830735/uk.css", "threatintel.indicator.url.scheme": "https" @@ -3116,6 +3204,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", "threatintel.indicator.url.original": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css", "threatintel.indicator.url.path": "/bella/MNSGCM91A04G240K/it.css", "threatintel.indicator.url.scheme": "https" @@ -3150,6 +3239,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ladiesincode.com", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/03108100615/it.jpg", "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/03108100615/it.jpg", "threatintel.indicator.url.path": "/ladi/03108100615/it.jpg", "threatintel.indicator.url.scheme": "https" @@ -3184,6 +3274,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", "threatintel.indicator.url.original": "https://cxminute.com/minu/PTACSM56A31F604X/en.png", "threatintel.indicator.url.path": "/minu/PTACSM56A31F604X/en.png", "threatintel.indicator.url.scheme": "https" @@ -3218,6 +3309,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.full": "https://univirtek.com/viro/00183050368/en.gif", "threatintel.indicator.url.original": "https://univirtek.com/viro/00183050368/en.gif", "threatintel.indicator.url.path": "/viro/00183050368/en.gif", "threatintel.indicator.url.scheme": "https" @@ -3252,6 +3344,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.full": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", "threatintel.indicator.url.original": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif", "threatintel.indicator.url.path": "/minu/TSNLSN58H30G912H/uk.gif", "threatintel.indicator.url.scheme": "https" @@ -3286,6 +3379,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "letonguesc.com", "threatintel.indicator.url.extension": "gif", + "threatintel.indicator.url.full": "https://letonguesc.com/leto/08658331007/blank.gif", "threatintel.indicator.url.original": "https://letonguesc.com/leto/08658331007/blank.gif", "threatintel.indicator.url.path": "/leto/08658331007/blank.gif", "threatintel.indicator.url.scheme": "https" @@ -3320,6 +3414,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cxminute.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://cxminute.com/minu/01098910324/blank.png", "threatintel.indicator.url.original": "https://cxminute.com/minu/01098910324/blank.png", "threatintel.indicator.url.path": "/minu/01098910324/blank.png", "threatintel.indicator.url.scheme": "https" @@ -3354,6 +3449,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://univirtek.com/viro/02794390233/uk.css", "threatintel.indicator.url.original": "https://univirtek.com/viro/02794390233/uk.css", "threatintel.indicator.url.path": "/viro/02794390233/uk.css", "threatintel.indicator.url.scheme": "https" @@ -3388,6 +3484,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "css", + "threatintel.indicator.url.full": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", "threatintel.indicator.url.original": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css", "threatintel.indicator.url.path": "/viro/CSTDNT69D63F754D/en.css", "threatintel.indicator.url.scheme": "https" @@ -3422,6 +3519,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", "threatintel.indicator.url.original": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg", "threatintel.indicator.url.path": "/viro/GSTGNE91B06L219W/1x1.jpg", "threatintel.indicator.url.scheme": "https" @@ -3456,6 +3554,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "univirtek.com", "threatintel.indicator.url.extension": "jpg", + "threatintel.indicator.url.full": "https://univirtek.com/viro/03610140125/map.jpg", "threatintel.indicator.url.original": "https://univirtek.com/viro/03610140125/map.jpg", "threatintel.indicator.url.path": "/viro/03610140125/map.jpg", "threatintel.indicator.url.scheme": "https" @@ -3490,6 +3589,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "belfetproduction.com", "threatintel.indicator.url.extension": "png", + "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png", "threatintel.indicator.url.path": "/bella/CRRLRD74E09A462T/blank.png", "threatintel.indicator.url.scheme": "https" diff --git a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml index 239cbc608f5..963671c0cb0 100644 --- a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml @@ -65,7 +65,7 @@ processors: if: "ctx?.threatintel?.anomali?.valid_from != null" - grok: field: threatintel.anomali.pattern - patterns: + patterns: - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]" - rename: field: _tmp.threattype @@ -82,11 +82,10 @@ processors: keep_original: true remove_if_successful: true if: ctx?.threatintel?.indicator?.type == 'url' -- rename: - field: _tmp.threatvalue - target_field: threatintel.indicator.url.full - ignore_missing: true - if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.indicator?.url?.original == null +- set: + field: threatintel.indicator.url.full + copy_from: threatintel.indicator.url.original + ignore_empty_value: true - rename: field: _tmp.threatvalue target_field: threatintel.indicator.email.address diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json index d647be09675..1adbe043c7c 100644 --- a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json @@ -31,6 +31,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/Work6/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -67,6 +68,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "worldatdoor.in", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -102,6 +104,7 @@ "threatintel.anomali.valid_from": "2020-01-22T02:58:57.570Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0387770.xsph.ru", + "threatintel.indicator.url.full": "http://f0387770.xsph.ru/login", "threatintel.indicator.url.original": "http://f0387770.xsph.ru/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -137,6 +140,7 @@ "threatintel.anomali.valid_from": "2020-01-22T02:58:59.366Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "178.62.187.103", + "threatintel.indicator.url.full": "http://178.62.187.103/login", "threatintel.indicator.url.original": "http://178.62.187.103/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -173,6 +177,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "appareluea.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://appareluea.com/panel/admin.php", "threatintel.indicator.url.original": "http://appareluea.com/panel/admin.php", "threatintel.indicator.url.path": "/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -209,6 +214,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "nkpotu.xyz", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot3/login.php", "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot3/login.php", "threatintel.indicator.url.path": "/Kpot3/login.php", "threatintel.indicator.url.scheme": "http" @@ -277,6 +283,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ntrcgroup.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://ntrcgroup.com/nze/panel/admin.php", "threatintel.indicator.url.original": "http://ntrcgroup.com/nze/panel/admin.php", "threatintel.indicator.url.path": "/nze/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -313,6 +320,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/Work8/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -348,6 +356,7 @@ "threatintel.anomali.valid_from": "2020-01-22T02:59:25.626Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0390764.xsph.ru", + "threatintel.indicator.url.full": "http://f0390764.xsph.ru/login", "threatintel.indicator.url.original": "http://f0390764.xsph.ru/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -416,6 +425,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "aglfreight.com.my", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", "threatintel.indicator.url.original": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php", "threatintel.indicator.url.path": "/inc/js/jstree/biu/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -451,6 +461,7 @@ "threatintel.anomali.valid_from": "2020-01-22T02:59:41.228Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "95.182.122.184", + "threatintel.indicator.url.full": "http://95.182.122.184/", "threatintel.indicator.url.original": "http://95.182.122.184/", "threatintel.indicator.url.path": "/", "threatintel.indicator.url.scheme": "http" @@ -550,6 +561,7 @@ "threatintel.anomali.valid_from": "2020-01-22T02:59:51.442Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0389246.xsph.ru", + "threatintel.indicator.url.full": "http://f0389246.xsph.ru/login", "threatintel.indicator.url.original": "http://f0389246.xsph.ru/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -586,6 +598,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "appareluea.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://appareluea.com/server/cp.php", "threatintel.indicator.url.original": "http://appareluea.com/server/cp.php", "threatintel.indicator.url.path": "/server/cp.php", "threatintel.indicator.url.scheme": "http" @@ -622,6 +635,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "nkpotu.xyz", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot2/login.php", "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot2/login.php", "threatintel.indicator.url.path": "/Kpot2/login.php", "threatintel.indicator.url.scheme": "http" @@ -658,6 +672,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/Work5/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -694,6 +709,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "mecharnise.ir", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://mecharnise.ir/ca4/panel/admin.php", "threatintel.indicator.url.original": "http://mecharnise.ir/ca4/panel/admin.php", "threatintel.indicator.url.path": "/ca4/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -730,6 +746,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/Work4/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -766,6 +783,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "kironofer.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://kironofer.com/webpanel/login.php", "threatintel.indicator.url.original": "http://kironofer.com/webpanel/login.php", "threatintel.indicator.url.path": "/webpanel/login.php", "threatintel.indicator.url.scheme": "http" @@ -802,6 +820,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "worldatdoor.in", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -838,6 +857,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "smartlinktelecom.top", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://smartlinktelecom.top/kings/panel/admin.php", "threatintel.indicator.url.original": "http://smartlinktelecom.top/kings/panel/admin.php", "threatintel.indicator.url.path": "/kings/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -874,6 +894,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "carirero.net", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://carirero.net/login.php", "threatintel.indicator.url.original": "http://carirero.net/login.php", "threatintel.indicator.url.path": "/login.php", "threatintel.indicator.url.scheme": "http" @@ -941,6 +962,7 @@ "threatintel.anomali.valid_from": "2020-01-22T03:00:57.729Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "tuu.nu", + "threatintel.indicator.url.full": "http://tuu.nu/login", "threatintel.indicator.url.original": "http://tuu.nu/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -977,6 +999,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "dulfix.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -1013,6 +1036,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "deliciasdvally.com.pe", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/includes/gter/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -1049,6 +1073,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "nkpotu.xyz", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot1/login.php", "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot1/login.php", "threatintel.indicator.url.path": "/Kpot1/login.php", "threatintel.indicator.url.scheme": "http" @@ -1117,6 +1142,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "35.158.92.3", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://35.158.92.3/panel/admin.php", "threatintel.indicator.url.original": "http://35.158.92.3/panel/admin.php", "threatintel.indicator.url.path": "/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -1185,6 +1211,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/Work7/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -1220,6 +1247,7 @@ "threatintel.anomali.valid_from": "2020-01-22T03:02:52.496Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0391600.xsph.ru", + "threatintel.indicator.url.full": "http://f0391600.xsph.ru/login", "threatintel.indicator.url.original": "http://f0391600.xsph.ru/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -1256,6 +1284,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "extraclick.space", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://extraclick.space/login.php", "threatintel.indicator.url.original": "http://extraclick.space/login.php", "threatintel.indicator.url.path": "/login.php", "threatintel.indicator.url.scheme": "http" @@ -1292,6 +1321,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "petrogarmani.pw", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://petrogarmani.pw/login.php", "threatintel.indicator.url.original": "http://petrogarmani.pw/login.php", "threatintel.indicator.url.path": "/login.php", "threatintel.indicator.url.scheme": "http" @@ -1328,6 +1358,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "worldatdoor.in", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://worldatdoor.in/mighty/32/panel/admin.php", "threatintel.indicator.url.original": "http://worldatdoor.in/mighty/32/panel/admin.php", "threatintel.indicator.url.path": "/mighty/32/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -1363,6 +1394,7 @@ "threatintel.anomali.valid_from": "2020-01-22T03:04:32.717Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "zanlma.com", + "threatintel.indicator.url.full": "http://zanlma.com/login", "threatintel.indicator.url.original": "http://zanlma.com/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -1398,6 +1430,7 @@ "threatintel.anomali.valid_from": "2020-01-22T03:04:56.858Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0369688.xsph.ru", + "threatintel.indicator.url.full": "http://f0369688.xsph.ru/login", "threatintel.indicator.url.original": "http://f0369688.xsph.ru/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -1434,6 +1467,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "chol.cc", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/Work2/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -1502,6 +1536,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "softtouchcollars.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -1538,6 +1573,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "imobiliariatirol.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://imobiliariatirol.com/gh/panelnew/admin.php", "threatintel.indicator.url.original": "http://imobiliariatirol.com/gh/panelnew/admin.php", "threatintel.indicator.url.path": "/gh/panelnew/admin.php", "threatintel.indicator.url.scheme": "http" @@ -1574,6 +1610,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "deliveryexpressworld.xyz", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -1609,6 +1646,7 @@ "threatintel.anomali.valid_from": "2020-01-23T03:02:47.364Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0392261.xsph.ru", + "threatintel.indicator.url.full": "http://f0392261.xsph.ru/login", "threatintel.indicator.url.original": "http://f0392261.xsph.ru/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -1645,6 +1683,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "104.168.99.168", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://104.168.99.168/panel/panel/admin.php", "threatintel.indicator.url.original": "http://104.168.99.168/panel/panel/admin.php", "threatintel.indicator.url.path": "/panel/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -1681,6 +1720,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0387404.xsph.ru", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://f0387404.xsph.ru/panel/admin.php", "threatintel.indicator.url.original": "http://f0387404.xsph.ru/panel/admin.php", "threatintel.indicator.url.path": "/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -1717,6 +1757,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "a0386457.xsph.ru", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://a0386457.xsph.ru/panel/admin.php", "threatintel.indicator.url.original": "http://a0386457.xsph.ru/panel/admin.php", "threatintel.indicator.url.path": "/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -1753,6 +1794,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "defenseisrael.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://defenseisrael.com/dis/index.php", "threatintel.indicator.url.original": "http://defenseisrael.com/dis/index.php", "threatintel.indicator.url.path": "/dis/index.php", "threatintel.indicator.url.scheme": "http" @@ -1820,6 +1862,7 @@ "threatintel.anomali.valid_from": "2020-01-24T02:57:04.883Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "lbfb3f03.justinstalledpanel.com", + "threatintel.indicator.url.full": "http://lbfb3f03.justinstalledpanel.com/login", "threatintel.indicator.url.original": "http://lbfb3f03.justinstalledpanel.com/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -1856,6 +1899,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "byedtronchgroup.yt", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -1892,6 +1936,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "199.192.28.11", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://199.192.28.11/panel/admin.php", "threatintel.indicator.url.original": "http://199.192.28.11/panel/admin.php", "threatintel.indicator.url.path": "/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -1928,6 +1973,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "217.8.117.51", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://217.8.117.51/aW8bVds1/login.php", "threatintel.indicator.url.original": "http://217.8.117.51/aW8bVds1/login.php", "threatintel.indicator.url.path": "/aW8bVds1/login.php", "threatintel.indicator.url.scheme": "http" @@ -1963,6 +2009,7 @@ "threatintel.anomali.valid_from": "2020-01-24T02:57:32.929Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "lansome.site", + "threatintel.indicator.url.full": "http://lansome.site/login", "threatintel.indicator.url.original": "http://lansome.site/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -1999,6 +2046,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "iplusvietnam.com.vn", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -2035,6 +2083,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "leakaryadeen.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/parl/id345/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -2071,6 +2120,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "oaa-my.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/clap/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -2107,6 +2157,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "thaubenuocngam.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -2142,6 +2193,7 @@ "threatintel.anomali.valid_from": "2020-01-24T02:58:32.126Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "suspiciousactivity.xyz", + "threatintel.indicator.url.full": "http://suspiciousactivity.xyz/login", "threatintel.indicator.url.original": "http://suspiciousactivity.xyz/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2177,6 +2229,7 @@ "threatintel.anomali.valid_from": "2020-01-24T02:58:37.603Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "217.8.117.8", + "threatintel.indicator.url.full": "http://217.8.117.8/login", "threatintel.indicator.url.original": "http://217.8.117.8/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2212,6 +2265,7 @@ "threatintel.anomali.valid_from": "2020-01-24T02:58:37.643Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0387550.xsph.ru", + "threatintel.indicator.url.full": "http://f0387550.xsph.ru/login", "threatintel.indicator.url.original": "http://f0387550.xsph.ru/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2247,6 +2301,7 @@ "threatintel.anomali.valid_from": "2020-01-24T02:58:39.465Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "lf4e4abf.justinstalledpanel.com", + "threatintel.indicator.url.full": "http://lf4e4abf.justinstalledpanel.com/login", "threatintel.indicator.url.original": "http://lf4e4abf.justinstalledpanel.com/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2315,6 +2370,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "67.215.224.101", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://67.215.224.101/a1/panel/admin.php", "threatintel.indicator.url.original": "http://67.215.224.101/a1/panel/admin.php", "threatintel.indicator.url.path": "/a1/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -2382,6 +2438,7 @@ "threatintel.anomali.valid_from": "2020-01-24T02:59:50.233Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "l60bdd58.justinstalledpanel.com", + "threatintel.indicator.url.full": "http://l60bdd58.justinstalledpanel.com/login", "threatintel.indicator.url.original": "http://l60bdd58.justinstalledpanel.com/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2418,6 +2475,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "107.175.150.73", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", "threatintel.indicator.url.original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php", "threatintel.indicator.url.path": "/~giftioz/.azma/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -2453,6 +2511,7 @@ "threatintel.anomali.valid_from": "2020-01-24T02:59:52.536Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "5.188.60.52", + "threatintel.indicator.url.full": "http://5.188.60.52/login", "threatintel.indicator.url.original": "http://5.188.60.52/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2488,6 +2547,7 @@ "threatintel.anomali.valid_from": "2020-01-24T02:59:54.784Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "trotdeiman.ga", + "threatintel.indicator.url.full": "http://trotdeiman.ga/login", "threatintel.indicator.url.original": "http://trotdeiman.ga/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2588,6 +2648,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "tavim.org", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://tavim.org/includes/firmino/admin.php", "threatintel.indicator.url.original": "http://tavim.org/includes/firmino/admin.php", "threatintel.indicator.url.path": "/includes/firmino/admin.php", "threatintel.indicator.url.scheme": "http" @@ -2623,6 +2684,7 @@ "threatintel.anomali.valid_from": "2020-01-24T03:00:10.928Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "onlinesecuritycenter.xyz", + "threatintel.indicator.url.full": "http://onlinesecuritycenter.xyz/login", "threatintel.indicator.url.original": "http://onlinesecuritycenter.xyz/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2659,6 +2721,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "oaa-my.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/cutter/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -2694,6 +2757,7 @@ "threatintel.anomali.valid_from": "2020-01-24T03:00:24.048Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "jumbajumbadun.fun", + "threatintel.indicator.url.full": "http://jumbajumbadun.fun/login", "threatintel.indicator.url.original": "http://jumbajumbadun.fun/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2730,6 +2794,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "tavim.org", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://tavim.org/includes/salah/admin.php", "threatintel.indicator.url.original": "http://tavim.org/includes/salah/admin.php", "threatintel.indicator.url.path": "/includes/salah/admin.php", "threatintel.indicator.url.scheme": "http" @@ -2765,6 +2830,7 @@ "threatintel.anomali.valid_from": "2020-01-24T03:01:10.501Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "l0c23205.justinstalledpanel.com", + "threatintel.indicator.url.full": "http://l0c23205.justinstalledpanel.com/login", "threatintel.indicator.url.original": "http://l0c23205.justinstalledpanel.com/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2800,6 +2866,7 @@ "threatintel.anomali.valid_from": "2020-01-24T03:01:10.518Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "l535e9e5.justinstalledpanel.com", + "threatintel.indicator.url.full": "http://l535e9e5.justinstalledpanel.com/login", "threatintel.indicator.url.original": "http://l535e9e5.justinstalledpanel.com/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2867,6 +2934,7 @@ "threatintel.anomali.valid_from": "2020-01-25T02:57:12.699Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "46.161.27.57", + "threatintel.indicator.url.full": "http://46.161.27.57/northon/", "threatintel.indicator.url.original": "http://46.161.27.57/northon/", "threatintel.indicator.url.path": "/northon/", "threatintel.indicator.url.scheme": "http" @@ -2902,6 +2970,7 @@ "threatintel.anomali.valid_from": "2020-01-25T02:57:28.034Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "104.168.99.170", + "threatintel.indicator.url.full": "http://104.168.99.170/login", "threatintel.indicator.url.original": "http://104.168.99.170/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -2938,6 +3007,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "officelog.org", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/scan/panel/admin.php", "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/scan/panel/admin.php", "threatintel.indicator.url.path": "/inc/js/jstree/scan/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -2973,6 +3043,7 @@ "threatintel.anomali.valid_from": "2020-01-25T02:57:38.214Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0391587.xsph.ru", + "threatintel.indicator.url.full": "http://f0391587.xsph.ru/login", "threatintel.indicator.url.original": "http://f0391587.xsph.ru/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -3008,6 +3079,7 @@ "threatintel.anomali.valid_from": "2020-01-25T02:57:47.281Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "46.161.27.57", + "threatintel.indicator.url.full": "http://46.161.27.57:8080/northon/", "threatintel.indicator.url.original": "http://46.161.27.57:8080/northon/", "threatintel.indicator.url.path": "/northon/", "threatintel.indicator.url.port": 8080, @@ -3044,6 +3116,7 @@ "threatintel.anomali.valid_from": "2020-01-25T02:57:51.296Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "f0393086.xsph.ru", + "threatintel.indicator.url.full": "http://f0393086.xsph.ru/login", "threatintel.indicator.url.original": "http://f0393086.xsph.ru/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -3080,6 +3153,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "insuncos.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://insuncos.com/files1/panel/admin.php", "threatintel.indicator.url.original": "http://insuncos.com/files1/panel/admin.php", "threatintel.indicator.url.path": "/files1/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -3115,6 +3189,7 @@ "threatintel.anomali.valid_from": "2020-01-25T02:57:56.044Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "tg-h.ru", + "threatintel.indicator.url.full": "http://tg-h.ru/login", "threatintel.indicator.url.original": "http://tg-h.ru/login", "threatintel.indicator.url.path": "/login", "threatintel.indicator.url.scheme": "http" @@ -3151,6 +3226,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "wusetwo.xyz", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -3186,6 +3262,7 @@ "threatintel.anomali.valid_from": "2020-01-25T02:58:20.420Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "185.234.217.36", + "threatintel.indicator.url.full": "http://185.234.217.36/northon/", "threatintel.indicator.url.original": "http://185.234.217.36/northon/", "threatintel.indicator.url.path": "/northon/", "threatintel.indicator.url.scheme": "http" @@ -3222,6 +3299,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "topik07.mcdir.ru", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://topik07.mcdir.ru/papka/admin.php", "threatintel.indicator.url.original": "http://topik07.mcdir.ru/papka/admin.php", "threatintel.indicator.url.path": "/papka/admin.php", "threatintel.indicator.url.scheme": "http" @@ -3258,6 +3336,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "insuncos.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://insuncos.com/files2/panel/admin.php", "threatintel.indicator.url.original": "http://insuncos.com/files2/panel/admin.php", "threatintel.indicator.url.path": "/files2/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -3293,6 +3372,7 @@ "threatintel.anomali.valid_from": "2020-01-25T02:58:49.056Z", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "185.234.218.68", + "threatintel.indicator.url.full": "http://185.234.218.68/kaspersky/", "threatintel.indicator.url.original": "http://185.234.218.68/kaspersky/", "threatintel.indicator.url.path": "/kaspersky/", "threatintel.indicator.url.scheme": "http" @@ -3329,6 +3409,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "officelog.org", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/mh/panel/admin.php", "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/mh/panel/admin.php", "threatintel.indicator.url.path": "/inc/js/jstree/mh/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -3365,6 +3446,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "officelog.org", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/ch/panel/admin.php", "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/ch/panel/admin.php", "threatintel.indicator.url.path": "/inc/js/jstree/ch/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -3401,6 +3483,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "officelog.org", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/dar/panel/admin.php", "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/dar/panel/admin.php", "threatintel.indicator.url.path": "/inc/js/jstree/dar/panel/admin.php", "threatintel.indicator.url.scheme": "http" @@ -3437,6 +3520,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "oaa-my.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.original": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.path": "/cage/five/PvqDq929BSx_A_D_M1n_a.php", "threatintel.indicator.url.scheme": "http" @@ -3505,6 +3589,7 @@ "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "insuncos.com", "threatintel.indicator.url.extension": "php", + "threatintel.indicator.url.full": "http://insuncos.com/files3/panel/admin.php", "threatintel.indicator.url.original": "http://insuncos.com/files3/panel/admin.php", "threatintel.indicator.url.path": "/files3/panel/admin.php", "threatintel.indicator.url.scheme": "http" diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml index 6d4658c0504..75854beaecc 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml @@ -263,6 +263,11 @@ processors: field: error.message value: 'Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}' +- set: + field: threatintel.indicator.url.full + copy_from: threatintel.indicator.url.original + ignore_empty_value: true + - rename: field: json.country target_field: threatintel.indicator.geo.country_iso_code diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json index feab4d23952..fa19350c1b2 100644 --- a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json +++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json @@ -380,6 +380,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ax1a6o38z.example.org", + "threatintel.indicator.url.full": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p", "threatintel.indicator.url.original": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p", "threatintel.indicator.url.path": "/enec3i/f1n8fv", "threatintel.indicator.url.query": "4shpqq9=fbo9osx8p", @@ -426,6 +427,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "beko3.example.com", + "threatintel.indicator.url.full": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge", "threatintel.indicator.url.original": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge", "threatintel.indicator.url.path": "/vkelnz/jdz6zf-ga", "threatintel.indicator.url.query": "g39fu=88309ge", @@ -550,6 +552,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "sevs82.example.com", + "threatintel.indicator.url.full": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi", "threatintel.indicator.url.original": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi", "threatintel.indicator.url.path": "/c5-d/hdajog", "threatintel.indicator.url.query": "4rs78hl=wvwi", @@ -989,6 +992,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "faahk3drf.example.net", + "threatintel.indicator.url.full": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", "threatintel.indicator.url.original": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz", "threatintel.indicator.url.path": "/julf98x5/0g1t8f", "threatintel.indicator.url.query": "cbffxs2qv=vwgz", @@ -1191,6 +1195,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "p9okf0.example.org", + "threatintel.indicator.url.full": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", "threatintel.indicator.url.original": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d", "threatintel.indicator.url.path": "/jyb3n8f/f55vfyt48", "threatintel.indicator.url.query": "s2n=0t2d", @@ -1236,6 +1241,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "fxkeo24m.example.com", + "threatintel.indicator.url.full": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", "threatintel.indicator.url.original": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4", "threatintel.indicator.url.path": "/y75tg7sw/jnnu9xmc", "threatintel.indicator.url.query": "apus=ob1hnba4", @@ -1596,6 +1602,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "ke4ffyj5.example.com", + "threatintel.indicator.url.full": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1", "threatintel.indicator.url.original": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1", "threatintel.indicator.url.path": "/t-9ikyrtt/ai91", "threatintel.indicator.url.query": "s6u=3y1", @@ -1757,6 +1764,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "rl27d.example.net", + "threatintel.indicator.url.full": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk", "threatintel.indicator.url.original": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk", "threatintel.indicator.url.path": "/ko6/4rtt", "threatintel.indicator.url.query": "b12=o4mgzz2kk", @@ -1841,6 +1849,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "6ygk0y.example.com", + "threatintel.indicator.url.full": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef", "threatintel.indicator.url.original": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef", "threatintel.indicator.url.path": "/t520/4twe", "threatintel.indicator.url.query": "ql4bhkpop=yfpkef", @@ -1885,6 +1894,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "rcsr9o.example.net", + "threatintel.indicator.url.full": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-", "threatintel.indicator.url.original": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-", "threatintel.indicator.url.path": "/e6f/08b", "threatintel.indicator.url.query": "8d2y=d-42fr-", @@ -2089,6 +2099,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "cc7d.example.com", + "threatintel.indicator.url.full": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb", "threatintel.indicator.url.original": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb", "threatintel.indicator.url.path": "/kxxwobg/hd6omn", "threatintel.indicator.url.query": "tr8=essb", @@ -2252,6 +2263,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "v9aqrp81q.example.net", + "threatintel.indicator.url.full": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh", "threatintel.indicator.url.original": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh", "threatintel.indicator.url.path": "/psuj4bs/rvp", "threatintel.indicator.url.query": "qufy=ymryh", @@ -2491,6 +2503,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "o4kqv8b8.example.net", + "threatintel.indicator.url.full": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp", "threatintel.indicator.url.original": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp", "threatintel.indicator.url.path": "/gm4d-9gt/v2iqt", "threatintel.indicator.url.query": "x65ry67ao=skta9rp", @@ -2811,6 +2824,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "91p0p.example.com", + "threatintel.indicator.url.full": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21", "threatintel.indicator.url.original": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21", "threatintel.indicator.url.path": "/easx3j6iy/xvnchuoa", "threatintel.indicator.url.query": "dvkljl=h21", @@ -2970,6 +2984,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "lzr6.example.org", + "threatintel.indicator.url.full": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", "threatintel.indicator.url.original": "https://lzr6.example.org/a7og/4vpv?e7k5=wun", "threatintel.indicator.url.path": "/a7og/4vpv", "threatintel.indicator.url.query": "e7k5=wun", @@ -3130,6 +3145,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "932.example.com", + "threatintel.indicator.url.full": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw", "threatintel.indicator.url.original": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw", "threatintel.indicator.url.path": "/1xmdjyom/tf3inx1", "threatintel.indicator.url.query": "s6zgr=ajgw", @@ -3258,6 +3274,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "0te9x75e.example.net", + "threatintel.indicator.url.full": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3", "threatintel.indicator.url.original": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3", "threatintel.indicator.url.path": "/y2cbl5ov5/u-s9", "threatintel.indicator.url.query": "vhppw120=bt0ze0du3", @@ -3304,6 +3321,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "b7qdtnl8f.example.org", + "threatintel.indicator.url.full": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse", "threatintel.indicator.url.original": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse", "threatintel.indicator.url.path": "/z2a-tx3ip/7cv", "threatintel.indicator.url.query": "9a67ct3mb=ijse", @@ -3434,6 +3452,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "tfva.example.org", + "threatintel.indicator.url.full": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao", "threatintel.indicator.url.original": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao", "threatintel.indicator.url.path": "/iih3qkj/b04g7", "threatintel.indicator.url.query": "dwosh0qmt=wi9ao", @@ -3480,6 +3499,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "erg2.example.com", + "threatintel.indicator.url.full": "https://erg2.example.com/4ys/vywa93c?7oru=evpi", "threatintel.indicator.url.original": "https://erg2.example.com/4ys/vywa93c?7oru=evpi", "threatintel.indicator.url.path": "/4ys/vywa93c", "threatintel.indicator.url.query": "7oru=evpi", @@ -3531,6 +3551,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "0elz6c.example.com", + "threatintel.indicator.url.full": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl", "threatintel.indicator.url.original": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl", "threatintel.indicator.url.path": "/3nhx/cadsn6", "threatintel.indicator.url.query": "kfcj94=gnl", @@ -3577,6 +3598,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "6i0-utr.example.com", + "threatintel.indicator.url.full": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr", "threatintel.indicator.url.original": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr", "threatintel.indicator.url.path": "/hsv/50qcugwt", "threatintel.indicator.url.query": "xcl=ofr", @@ -3714,6 +3736,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "e5el.example.net", + "threatintel.indicator.url.full": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5", "threatintel.indicator.url.original": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5", "threatintel.indicator.url.path": "/rncer/fky", "threatintel.indicator.url.query": "8tc53bbz=1pd-6w5", @@ -3758,6 +3781,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "eryz36i.example.net", + "threatintel.indicator.url.full": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo", "threatintel.indicator.url.original": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo", "threatintel.indicator.url.path": "/9a86hdj/zti5r9fx", "threatintel.indicator.url.query": "ahz=l7dsg01qo", @@ -3804,6 +3828,7 @@ "threatintel.indicator.provider": "Default Organization", "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "i-pb.example.com", + "threatintel.indicator.url.full": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd", "threatintel.indicator.url.original": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd", "threatintel.indicator.url.path": "/pjmy3/w0tgzb", "threatintel.indicator.url.query": "noe1pr9=eiwcfihd", diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml index 14868f968d3..365b63d9397 100644 --- a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml @@ -110,13 +110,13 @@ processors: if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type == 'filename'" - grok: field: threatintel.misp.attribute.type - patterns: + patterns: - "%{WORD}\\|%{WORD:_tmp.hashtype}" ignore_missing: true if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') - grok: field: threatintel.misp.attribute.value - patterns: + patterns: - "%{DATA:threatintel.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" ignore_missing: true if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|') @@ -136,11 +136,12 @@ processors: keep_original: true remove_if_successful: true if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri' -- rename: - field: threatintel.misp.attribute.value - target_field: threatintel.indicator.url.full - ignore_missing: true - if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.indicator?.url?.original == null && ctx?.threatintel?.misp?.attribute?.type != 'uri'" + +- set: + field: threatintel.indicator.url.full + copy_from: threatintel.indicator.url.original + ignore_empty_value: true + if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'" ## Regkey indicator operations - set: @@ -154,7 +155,7 @@ processors: if: "ctx?.threatintel?.indicator?.type == 'windows-registry-key' && ctx?.threatintel?.misp?.attribute?.type == 'regkey'" - grok: field: threatintel.misp.attribute.value - patterns: + patterns: - "%{DATA:threatintel.indicator.registry.key}\\|%{DATA:threatintel.indicator.registry.value}" ignore_missing: true if: "ctx?.threatintel?.misp?.attribute?.type == 'regkey|value'" @@ -192,13 +193,13 @@ processors: if: "ctx?.threatintel?.indicator?.type == 'ipv4-addr' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)" - grok: field: threatintel.misp.attribute.value - patterns: + patterns: - "%{DATA:threatintel.indicator.domain}\\|%{IP:threatintel.indicator.ip}" ignore_missing: true if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip' - grok: field: threatintel.misp.attribute.value - patterns: + patterns: - "%{IP:threatintel.indicator.ip}\\|%{NUMBER:threatintel.indicator.port}" ignore_missing: true if: "['ip-src|port', 'ip-dst|port'].contains(ctx.threatintel?.misp?.attribute?.type)" @@ -245,7 +246,7 @@ processors: .filter(t -> t.startsWith('tlp:')) .map(t -> t.replace('tlp:', '')) .collect(Collectors.toList()); - + ctx.tags = tags; ctx.threatintel.indicator.marking = [ 'tlp': tlpTags ]; diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json index 06d0b79dc22..45edea74815 100644 --- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json @@ -138,6 +138,7 @@ "threatintel.indicator.scanner_stats": 2, "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "www.virustotal.com", + "threatintel.indicator.url.full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", "threatintel.indicator.url.original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", "threatintel.indicator.url.path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/", "threatintel.indicator.url.scheme": "https", @@ -527,6 +528,7 @@ "threatintel.indicator.scanner_stats": 0, "threatintel.indicator.type": "url", "threatintel.indicator.url.domain": "get.adobe.com", + "threatintel.indicator.url.full": "http://get.adobe.com/stats/AbfFcBebD/?q=", "threatintel.indicator.url.original": "http://get.adobe.com/stats/AbfFcBebD/?q=", "threatintel.indicator.url.path": "/stats/AbfFcBebD/", "threatintel.indicator.url.query": "q=", diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml index a4a16035111..234d01bae62 100644 --- a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml +++ b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml @@ -85,16 +85,11 @@ processors: keep_original: true remove_if_successful: true if: ctx?.threatintel?.indicator?.type == 'url' -- rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.url.full - ignore_missing: true - if: "ctx?.threatintel?.otx?.type == 'URL' && ctx?.threatintel?.indicator?.url?.original == null" -- rename: - field: threatintel.otx.indicator - target_field: threatintel.indicator.url.path - ignore_missing: true - if: "ctx?.threatintel?.otx?.type == 'URI'" +- set: + field: threatintel.indicator.url.full + copy_from: threatintel.indicator.url.original + ignore_empty_value: true + if: "ctx?.threatintel?.otx?.type == 'URL'" ## Email indicator operations - set: diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log index cec2590a82b..22ed47e12f4 100644 --- a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log +++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log @@ -78,3 +78,6 @@ {"indicator":"36.89.106.69","description":null,"title":null,"content":"","type":"IPv4","id":2189036446} {"indicator":"96.9.73.73","description":null,"title":null,"content":"","type":"IPv4","id":2190596263} {"indicator":"10ec3571596c30b9993b89f12d29d23c","description":"MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6","title":"xor_0x20_xord_javascript","content":"","type":"FileHash-MD5","id":2192837907} +{"id":73,"indicator":"http://www.playboysplus.com","type":"URL","title":null,"description":null,"content":""} +{"id":74,"indicator":"http://join.playboysplus.com/signup/","type":"URL","title":null,"description":null,"content":""} +{"id":970,"indicator":"http://api.vk.com/method/wall.get?count=1&owner_id=-81972386","type":"URL","title":null,"description":null,"content":""} diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json index 0b8ce8ddb19..8a8564626d5 100644 --- a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json @@ -1409,5 +1409,70 @@ "threatintel.indicator.type": "file", "threatintel.otx.description": "MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", "threatintel.otx.title": "xor_0x20_xord_javascript" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 12786, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-otx" + ], + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "www.playboysplus.com", + "threatintel.indicator.url.full": "http://www.playboysplus.com", + "threatintel.indicator.url.original": "http://www.playboysplus.com", + "threatintel.indicator.url.path": "", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 12896, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-otx" + ], + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "join.playboysplus.com", + "threatintel.indicator.url.full": "http://join.playboysplus.com/signup/", + "threatintel.indicator.url.original": "http://join.playboysplus.com/signup/", + "threatintel.indicator.url.path": "/signup/", + "threatintel.indicator.url.scheme": "http" + }, + { + "event.category": "threat", + "event.dataset": "threatintel.otx", + "event.kind": "enrichment", + "event.module": "threatintel", + "event.type": "indicator", + "fileset.name": "otx", + "input.type": "log", + "log.offset": 13015, + "service.type": "threatintel", + "tags": [ + "forwarded", + "threatintel-otx" + ], + "threatintel.indicator.type": "url", + "threatintel.indicator.url.domain": "api.vk.com", + "threatintel.indicator.url.extension": "get", + "threatintel.indicator.url.full": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", + "threatintel.indicator.url.original": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386", + "threatintel.indicator.url.path": "/method/wall.get", + "threatintel.indicator.url.query": "count=1&owner_id=-81972386", + "threatintel.indicator.url.scheme": "http" } ] \ No newline at end of file