From c45aba59df1429f3f6859f61ae5295fae9d22baf Mon Sep 17 00:00:00 2001
From: Alex Resnick <adr8292@gmail.com>
Date: Tue, 29 Jun 2021 09:12:10 -0500
Subject: [PATCH] [Filebeat] Fix `threatintel.indicator.url.full` field not
 populating (#26508)

* #26351: Fix Threat Intel Full URL field

* update changelog

* remove commented items

* updated pipelines per comments
---
 CHANGELOG.next.asciidoc                       |   1 +
 .../threatintel/abuseurl/ingest/pipeline.yml  |  18 +---
 .../test/abusechurl.ndjson.log-expected.json  | 100 ++++++++++++++++++
 .../threatintel/anomali/ingest/pipeline.yml   |  11 +-
 .../anomali_limo.ndjson.log-expected.json     |  85 +++++++++++++++
 .../anomalithreatstream/ingest/pipeline.yml   |   5 +
 .../test/generated.log-expected.json          |  25 +++++
 .../threatintel/misp/ingest/pipeline.yml      |  23 ++--
 .../test/misp_sample.ndjson.log-expected.json |   2 +
 .../threatintel/otx/ingest/pipeline.yml       |  15 +--
 .../otx/test/otx_sample.ndjson.log            |   3 +
 .../test/otx_sample.ndjson.log-expected.json  |  65 ++++++++++++
 12 files changed, 312 insertions(+), 41 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 1250f7ff555..c535654c921 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -388,6 +388,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add improvements to the azure activitylogs and platformlogs ingest pipelines. {pull}26148[26148]
 - Fix `kibana.log` pipeline when `event.duration` calculation becomes a Long. {issue}24556[24556] {pull}25675[25675]
 - Removed incorrect `http.request.referrer` field from `aws.elb` module. {issue}26435[26435] {pull}26441[26441]
+- Fix `threatintel.indicator.url.full` not being populated. {issue}26351[26351] {pull}26508[26508]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
index ed2ebeda10d..95759247e93 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
@@ -31,14 +31,6 @@ processors:
 - set:
     field: threatintel.indicator.type
     value: url
-- set:
-    field: threatintel.indicator.url.scheme
-    value: https
-    if: ctx?.threatintel?.abuseurl?.url.startsWith('https:')
-- set:
-    field: threatintel.indicator.url.scheme
-    value: http
-    if: ctx?.threatintel?.abuseurl?.url.startsWith('http:')
 - date:
     field: threatintel.abuseurl.date_added
     target_field: threatintel.indicator.first_seen
@@ -51,11 +43,10 @@ processors:
     target_field: threatintel.indicator.url
     keep_original: true
     remove_if_successful: true
-- rename:
-    field: threatintel.abuseurl.url
-    target_field: threatintel.indicator.url.full
-    ignore_missing: true
-    if: ctx?.threatintel?.indicator?.url?.original == null && ctx?.threatintel?.abuseurl?.url != null
+- set:
+    field: threatintel.indicator.url.full
+    copy_from: threatintel.indicator.url.original
+    ignore_empty_value: true
 - rename:
     field: threatintel.abuseurl.host
     target_field: threatintel.indicator.domain
@@ -65,7 +56,6 @@ processors:
     target_field: event.reference
     ignore_missing: true
 
-
 # Host can be both IP addresses and domain names
 - grok:
     field: threatintel.abuseurl.host
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json
index e0c47170106..a37eb5f45de 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json
@@ -30,6 +30,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "103.72.223.103",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://103.72.223.103:34613/Mozi.m",
         "threatintel.indicator.url.original": "http://103.72.223.103:34613/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 34613,
@@ -66,6 +67,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "112.30.97.184",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://112.30.97.184:44941/Mozi.m",
         "threatintel.indicator.url.original": "http://112.30.97.184:44941/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 44941,
@@ -102,6 +104,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "113.110.198.53",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://113.110.198.53:37173/Mozi.m",
         "threatintel.indicator.url.original": "http://113.110.198.53:37173/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 37173,
@@ -138,6 +141,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "101.20.183.170",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://101.20.183.170:47545/Mozi.m",
         "threatintel.indicator.url.original": "http://101.20.183.170:47545/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 47545,
@@ -174,6 +178,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "59.8.35.22",
         "threatintel.indicator.url.extension": "a",
+        "threatintel.indicator.url.full": "http://59.8.35.22:44782/Mozi.a",
         "threatintel.indicator.url.original": "http://59.8.35.22:44782/Mozi.a",
         "threatintel.indicator.url.path": "/Mozi.a",
         "threatintel.indicator.url.port": 44782,
@@ -210,6 +215,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "59.96.37.35",
         "threatintel.indicator.url.extension": "a",
+        "threatintel.indicator.url.full": "http://59.96.37.35:44359/Mozi.a",
         "threatintel.indicator.url.original": "http://59.96.37.35:44359/Mozi.a",
         "threatintel.indicator.url.path": "/Mozi.a",
         "threatintel.indicator.url.port": 44359,
@@ -246,6 +252,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "42.239.233.17",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://42.239.233.17:56507/Mozi.m",
         "threatintel.indicator.url.original": "http://42.239.233.17:56507/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 56507,
@@ -282,6 +289,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "58.252.178.20",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://58.252.178.20:57562/Mozi.m",
         "threatintel.indicator.url.original": "http://58.252.178.20:57562/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 57562,
@@ -318,6 +326,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "45.176.111.95",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://45.176.111.95:48845/Mozi.m",
         "threatintel.indicator.url.original": "http://45.176.111.95:48845/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 48845,
@@ -354,6 +363,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "42.224.68.97",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://42.224.68.97:58245/Mozi.m",
         "threatintel.indicator.url.original": "http://42.224.68.97:58245/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 58245,
@@ -390,6 +400,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "222.81.144.207",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://222.81.144.207:37198/Mozi.m",
         "threatintel.indicator.url.original": "http://222.81.144.207:37198/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 37198,
@@ -426,6 +437,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "182.127.185.137",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://182.127.185.137:33524/Mozi.m",
         "threatintel.indicator.url.original": "http://182.127.185.137:33524/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 33524,
@@ -462,6 +474,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "39.84.175.185",
         "threatintel.indicator.url.extension": "a",
+        "threatintel.indicator.url.full": "http://39.84.175.185:48261/Mozi.a",
         "threatintel.indicator.url.original": "http://39.84.175.185:48261/Mozi.a",
         "threatintel.indicator.url.path": "/Mozi.a",
         "threatintel.indicator.url.port": 48261,
@@ -498,6 +511,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "27.41.11.238",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://27.41.11.238:34478/Mozi.m",
         "threatintel.indicator.url.original": "http://27.41.11.238:34478/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 34478,
@@ -534,6 +548,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "182.127.133.68",
         "threatintel.indicator.url.extension": "a",
+        "threatintel.indicator.url.full": "http://182.127.133.68:35703/Mozi.a",
         "threatintel.indicator.url.original": "http://182.127.133.68:35703/Mozi.a",
         "threatintel.indicator.url.path": "/Mozi.a",
         "threatintel.indicator.url.port": 35703,
@@ -570,6 +585,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "27.46.44.102",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://27.46.44.102:48666/Mozi.m",
         "threatintel.indicator.url.original": "http://27.46.44.102:48666/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 48666,
@@ -606,6 +622,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "39.70.88.65",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://39.70.88.65:53923/Mozi.m",
         "threatintel.indicator.url.original": "http://39.70.88.65:53923/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 53923,
@@ -642,6 +659,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "42.224.136.237",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://42.224.136.237:52794/Mozi.m",
         "threatintel.indicator.url.original": "http://42.224.136.237:52794/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 52794,
@@ -678,6 +696,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "117.208.135.63",
         "threatintel.indicator.url.extension": "a",
+        "threatintel.indicator.url.full": "http://117.208.135.63:49312/Mozi.a",
         "threatintel.indicator.url.original": "http://117.208.135.63:49312/Mozi.a",
         "threatintel.indicator.url.path": "/Mozi.a",
         "threatintel.indicator.url.port": 49312,
@@ -714,6 +733,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "125.47.66.60",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://125.47.66.60:38961/Mozi.m",
         "threatintel.indicator.url.original": "http://125.47.66.60:38961/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 38961,
@@ -750,6 +770,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "182.117.95.148",
         "threatintel.indicator.url.extension": "a",
+        "threatintel.indicator.url.full": "http://182.117.95.148:50420/Mozi.a",
         "threatintel.indicator.url.original": "http://182.117.95.148:50420/Mozi.a",
         "threatintel.indicator.url.path": "/Mozi.a",
         "threatintel.indicator.url.port": 50420,
@@ -786,6 +807,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "117.202.71.48",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://117.202.71.48:55007/Mozi.m",
         "threatintel.indicator.url.original": "http://117.202.71.48:55007/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 55007,
@@ -822,6 +844,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "125.99.132.118",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://125.99.132.118:51143/Mozi.m",
         "threatintel.indicator.url.original": "http://125.99.132.118:51143/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 51143,
@@ -858,6 +881,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "182.114.123.69",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://182.114.123.69:41003/Mozi.m",
         "threatintel.indicator.url.original": "http://182.114.123.69:41003/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 41003,
@@ -893,6 +917,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "116.19.127.37",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://116.19.127.37:35739/Mozi.m",
         "threatintel.indicator.url.original": "http://116.19.127.37:35739/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 35739,
@@ -928,6 +953,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "42.239.253.55",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://42.239.253.55:45653/Mozi.m",
         "threatintel.indicator.url.original": "http://42.239.253.55:45653/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 45653,
@@ -963,6 +989,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "103.217.121.228",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://103.217.121.228:41349/Mozi.m",
         "threatintel.indicator.url.original": "http://103.217.121.228:41349/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 41349,
@@ -998,6 +1025,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "111.92.81.255",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://111.92.81.255:48586/Mozi.m",
         "threatintel.indicator.url.original": "http://111.92.81.255:48586/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 48586,
@@ -1033,6 +1061,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "45.229.55.75",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://45.229.55.75:38111/Mozi.m",
         "threatintel.indicator.url.original": "http://45.229.55.75:38111/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 38111,
@@ -1068,6 +1097,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "182.121.242.148",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://182.121.242.148:34556/Mozi.m",
         "threatintel.indicator.url.original": "http://182.121.242.148:34556/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 34556,
@@ -1104,6 +1134,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "106.115.189.249",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://106.115.189.249:59815/Mozi.m",
         "threatintel.indicator.url.original": "http://106.115.189.249:59815/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 59815,
@@ -1141,6 +1172,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "182.117.93.110",
         "threatintel.indicator.url.extension": "sh",
+        "threatintel.indicator.url.full": "http://182.117.93.110:50587/bin.sh",
         "threatintel.indicator.url.original": "http://182.117.93.110:50587/bin.sh",
         "threatintel.indicator.url.path": "/bin.sh",
         "threatintel.indicator.url.port": 50587,
@@ -1177,6 +1209,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "110.251.5.169",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://110.251.5.169:48322/Mozi.m",
         "threatintel.indicator.url.original": "http://110.251.5.169:48322/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 48322,
@@ -1212,6 +1245,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "101.51.117.186",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://101.51.117.186:33317/Mozi.m",
         "threatintel.indicator.url.original": "http://101.51.117.186:33317/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 33317,
@@ -1247,6 +1281,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "121.151.78.166",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://121.151.78.166:41516/Mozi.m",
         "threatintel.indicator.url.original": "http://121.151.78.166:41516/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 41516,
@@ -1282,6 +1317,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "116.72.92.97",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://116.72.92.97:57798/Mozi.m",
         "threatintel.indicator.url.original": "http://116.72.92.97:57798/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 57798,
@@ -1317,6 +1353,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "27.218.15.209",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://27.218.15.209:47671/Mozi.m",
         "threatintel.indicator.url.original": "http://27.218.15.209:47671/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 47671,
@@ -1352,6 +1389,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "120.85.171.210",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://120.85.171.210:57690/Mozi.m",
         "threatintel.indicator.url.original": "http://120.85.171.210:57690/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 57690,
@@ -1388,6 +1426,7 @@
         "threatintel.indicator.provider": "geenensp",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "117.251.59.53",
+        "threatintel.indicator.url.full": "http://117.251.59.53:50611/i",
         "threatintel.indicator.url.original": "http://117.251.59.53:50611/i",
         "threatintel.indicator.url.path": "/i",
         "threatintel.indicator.url.port": 50611,
@@ -1423,6 +1462,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "115.58.83.167",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://115.58.83.167:34141/Mozi.m",
         "threatintel.indicator.url.original": "http://115.58.83.167:34141/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 34141,
@@ -1459,6 +1499,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "94.178.124.83",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://94.178.124.83:44399/Mozi.m",
         "threatintel.indicator.url.original": "http://94.178.124.83:44399/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 44399,
@@ -1495,6 +1536,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "182.122.75.232",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://182.122.75.232:49120/Mozi.m",
         "threatintel.indicator.url.original": "http://182.122.75.232:49120/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 49120,
@@ -1531,6 +1573,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "115.63.202.43",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://115.63.202.43:51136/Mozi.m",
         "threatintel.indicator.url.original": "http://115.63.202.43:51136/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 51136,
@@ -1567,6 +1610,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "59.99.40.204",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://59.99.40.204:45773/Mozi.m",
         "threatintel.indicator.url.original": "http://59.99.40.204:45773/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 45773,
@@ -1603,6 +1647,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "117.247.128.213",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://117.247.128.213:56528/Mozi.m",
         "threatintel.indicator.url.original": "http://117.247.128.213:56528/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 56528,
@@ -1639,6 +1684,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "14.137.219.132",
         "threatintel.indicator.url.extension": "a",
+        "threatintel.indicator.url.full": "http://14.137.219.132:44427/Mozi.a",
         "threatintel.indicator.url.original": "http://14.137.219.132:44427/Mozi.a",
         "threatintel.indicator.url.path": "/Mozi.a",
         "threatintel.indicator.url.port": 44427,
@@ -1675,6 +1721,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "42.224.40.14",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://42.224.40.14:36134/Mozi.m",
         "threatintel.indicator.url.original": "http://42.224.40.14:36134/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 36134,
@@ -1711,6 +1758,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "186.33.104.107",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://186.33.104.107:43973/Mozi.m",
         "threatintel.indicator.url.original": "http://186.33.104.107:43973/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 43973,
@@ -1747,6 +1795,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "85.105.16.154",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://85.105.16.154:41319/Mozi.m",
         "threatintel.indicator.url.original": "http://85.105.16.154:41319/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 41319,
@@ -1783,6 +1832,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "178.141.73.115",
         "threatintel.indicator.url.extension": "a",
+        "threatintel.indicator.url.full": "http://178.141.73.115:51847/Mozi.a",
         "threatintel.indicator.url.original": "http://178.141.73.115:51847/Mozi.a",
         "threatintel.indicator.url.path": "/Mozi.a",
         "threatintel.indicator.url.port": 51847,
@@ -1819,6 +1869,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "186.33.104.135",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://186.33.104.135:54469/Mozi.m",
         "threatintel.indicator.url.original": "http://186.33.104.135:54469/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 54469,
@@ -1855,6 +1906,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "115.56.159.43",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://115.56.159.43:34547/Mozi.m",
         "threatintel.indicator.url.original": "http://115.56.159.43:34547/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 34547,
@@ -1891,6 +1943,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "42.230.138.170",
         "threatintel.indicator.url.extension": "m",
+        "threatintel.indicator.url.full": "http://42.230.138.170:33932/Mozi.m",
         "threatintel.indicator.url.original": "http://42.230.138.170:33932/Mozi.m",
         "threatintel.indicator.url.path": "/Mozi.m",
         "threatintel.indicator.url.port": 33932,
@@ -1926,6 +1979,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/02478080035/blank.jpg",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/02478080035/blank.jpg",
         "threatintel.indicator.url.path": "/viro/02478080035/blank.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -1960,6 +2014,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/FRRNDR77C25D325O/map.png",
         "threatintel.indicator.url.path": "/viro/FRRNDR77C25D325O/map.png",
         "threatintel.indicator.url.scheme": "https"
@@ -1994,6 +2049,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "ladiesincode.com",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg",
         "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg",
         "threatintel.indicator.url.path": "/ladi/CNNSRG83H04F158R/blank.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -2028,6 +2084,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "letonguesc.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://letonguesc.com/leto/02328510512/logo.css",
         "threatintel.indicator.url.original": "https://letonguesc.com/leto/02328510512/logo.css",
         "threatintel.indicator.url.path": "/leto/02328510512/logo.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2062,6 +2119,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/MLILSN74B21E507L/uk.png",
         "threatintel.indicator.url.path": "/minu/MLILSN74B21E507L/uk.png",
         "threatintel.indicator.url.scheme": "https"
@@ -2096,6 +2154,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/12875710159/blank.css",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/12875710159/blank.css",
         "threatintel.indicator.url.path": "/minu/12875710159/blank.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2130,6 +2189,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "gif",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif",
         "threatintel.indicator.url.path": "/minu/CPNLNZ65M20A200N/maps.gif",
         "threatintel.indicator.url.scheme": "https"
@@ -2164,6 +2224,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "belfetproduction.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png",
         "threatintel.indicator.url.original": "https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png",
         "threatintel.indicator.url.path": "/bella/DLPCMN64D02D789E/logo.png",
         "threatintel.indicator.url.scheme": "https"
@@ -2198,6 +2259,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "belfetproduction.com",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01844510469/1x1.jpg",
         "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01844510469/1x1.jpg",
         "threatintel.indicator.url.path": "/bella/01844510469/1x1.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -2232,6 +2294,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "ladiesincode.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css",
         "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css",
         "threatintel.indicator.url.path": "/ladi/FRRDNI52M71E522D/logo.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2266,6 +2329,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "letonguesc.com",
         "threatintel.indicator.url.extension": "gif",
+        "threatintel.indicator.url.full": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif",
         "threatintel.indicator.url.original": "https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif",
         "threatintel.indicator.url.path": "/leto/CPPMRC65E04H980Q/it.gif",
         "threatintel.indicator.url.scheme": "https"
@@ -2300,6 +2364,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/06389650018/it.css",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/06389650018/it.css",
         "threatintel.indicator.url.path": "/viro/06389650018/it.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2334,6 +2399,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "belfetproduction.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png",
         "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png",
         "threatintel.indicator.url.path": "/bella/CRSRRT61E15H501H/logo.png",
         "threatintel.indicator.url.scheme": "https"
@@ -2368,6 +2434,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg",
         "threatintel.indicator.url.path": "/minu/SMPMSM67P05F205U/it.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -2402,6 +2469,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/SBNPQL78A24A783E/uk.png",
         "threatintel.indicator.url.path": "/viro/SBNPQL78A24A783E/uk.png",
         "threatintel.indicator.url.scheme": "https"
@@ -2436,6 +2504,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/15578761007/maps.jpg",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/15578761007/maps.jpg",
         "threatintel.indicator.url.path": "/minu/15578761007/maps.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -2470,6 +2539,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/03079590133/1x1.png",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/03079590133/1x1.png",
         "threatintel.indicator.url.path": "/viro/03079590133/1x1.png",
         "threatintel.indicator.url.scheme": "https"
@@ -2504,6 +2574,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "ladiesincode.com",
         "threatintel.indicator.url.extension": "gif",
+        "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif",
         "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif",
         "threatintel.indicator.url.path": "/ladi/BNCLNR77T56M082U/it.gif",
         "threatintel.indicator.url.scheme": "https"
@@ -2538,6 +2609,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css",
         "threatintel.indicator.url.path": "/minu/JNKMTJ64B29L424O/uk.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2572,6 +2644,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "belfetproduction.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png",
         "threatintel.indicator.url.original": "https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png",
         "threatintel.indicator.url.path": "/bella/PGNMRA64S22I608Z/en.png",
         "threatintel.indicator.url.scheme": "https"
@@ -2606,6 +2679,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg",
         "threatintel.indicator.url.path": "/minu/RZKDRD77T23Z229T/logo.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -2640,6 +2714,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "fhivelifestyle.online",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg",
         "threatintel.indicator.url.original": "https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg",
         "threatintel.indicator.url.path": "/nhbrwvdffsgt/adf/maps.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -2674,6 +2749,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "belfetproduction.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://belfetproduction.com/bella/05739900487/1x1.css",
         "threatintel.indicator.url.original": "https://belfetproduction.com/bella/05739900487/1x1.css",
         "threatintel.indicator.url.path": "/bella/05739900487/1x1.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2708,6 +2784,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "belfetproduction.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://belfetproduction.com/bella/01767180597/map.css",
         "threatintel.indicator.url.original": "https://belfetproduction.com/bella/01767180597/map.css",
         "threatintel.indicator.url.path": "/bella/01767180597/map.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2742,6 +2819,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "belfetproduction.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css",
         "threatintel.indicator.url.original": "https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css",
         "threatintel.indicator.url.path": "/bella/BRNGRG55D21F394K/map.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2776,6 +2854,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css",
         "threatintel.indicator.url.path": "/minu/DLLTZN67L20L157J/1x1.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2810,6 +2889,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/08035410722/logo.jpg",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/08035410722/logo.jpg",
         "threatintel.indicator.url.path": "/minu/08035410722/logo.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -2844,6 +2924,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/GRNZEI60M13G346L/en.css",
         "threatintel.indicator.url.path": "/viro/GRNZEI60M13G346L/en.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2878,6 +2959,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "letonguesc.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://letonguesc.com/leto/03253350239/1x1.png",
         "threatintel.indicator.url.original": "https://letonguesc.com/leto/03253350239/1x1.png",
         "threatintel.indicator.url.path": "/leto/03253350239/1x1.png",
         "threatintel.indicator.url.scheme": "https"
@@ -2912,6 +2994,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "ladiesincode.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/10582470158/uk.css",
         "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/10582470158/uk.css",
         "threatintel.indicator.url.path": "/ladi/10582470158/uk.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2946,6 +3029,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "ladiesincode.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css",
         "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css",
         "threatintel.indicator.url.path": "/ladi/BTTLNZ68A56D325C/map.css",
         "threatintel.indicator.url.scheme": "https"
@@ -2980,6 +3064,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "letonguesc.com",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg",
         "threatintel.indicator.url.original": "https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg",
         "threatintel.indicator.url.path": "/leto/NNTLRT68P28A717L/en.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -3014,6 +3099,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/CTTNDR89A19B149W/maps.png",
         "threatintel.indicator.url.path": "/viro/CTTNDR89A19B149W/maps.png",
         "threatintel.indicator.url.scheme": "https"
@@ -3048,6 +3134,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/DRSNTN77B16I197U/logo.css",
         "threatintel.indicator.url.path": "/minu/DRSNTN77B16I197U/logo.css",
         "threatintel.indicator.url.scheme": "https"
@@ -3082,6 +3169,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/02941830735/uk.css",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/02941830735/uk.css",
         "threatintel.indicator.url.path": "/viro/02941830735/uk.css",
         "threatintel.indicator.url.scheme": "https"
@@ -3116,6 +3204,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "belfetproduction.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css",
         "threatintel.indicator.url.original": "https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css",
         "threatintel.indicator.url.path": "/bella/MNSGCM91A04G240K/it.css",
         "threatintel.indicator.url.scheme": "https"
@@ -3150,6 +3239,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "ladiesincode.com",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://ladiesincode.com/ladi/03108100615/it.jpg",
         "threatintel.indicator.url.original": "https://ladiesincode.com/ladi/03108100615/it.jpg",
         "threatintel.indicator.url.path": "/ladi/03108100615/it.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -3184,6 +3274,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/PTACSM56A31F604X/en.png",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/PTACSM56A31F604X/en.png",
         "threatintel.indicator.url.path": "/minu/PTACSM56A31F604X/en.png",
         "threatintel.indicator.url.scheme": "https"
@@ -3218,6 +3309,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "gif",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/00183050368/en.gif",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/00183050368/en.gif",
         "threatintel.indicator.url.path": "/viro/00183050368/en.gif",
         "threatintel.indicator.url.scheme": "https"
@@ -3252,6 +3344,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "gif",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif",
         "threatintel.indicator.url.path": "/minu/TSNLSN58H30G912H/uk.gif",
         "threatintel.indicator.url.scheme": "https"
@@ -3286,6 +3379,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "letonguesc.com",
         "threatintel.indicator.url.extension": "gif",
+        "threatintel.indicator.url.full": "https://letonguesc.com/leto/08658331007/blank.gif",
         "threatintel.indicator.url.original": "https://letonguesc.com/leto/08658331007/blank.gif",
         "threatintel.indicator.url.path": "/leto/08658331007/blank.gif",
         "threatintel.indicator.url.scheme": "https"
@@ -3320,6 +3414,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cxminute.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://cxminute.com/minu/01098910324/blank.png",
         "threatintel.indicator.url.original": "https://cxminute.com/minu/01098910324/blank.png",
         "threatintel.indicator.url.path": "/minu/01098910324/blank.png",
         "threatintel.indicator.url.scheme": "https"
@@ -3354,6 +3449,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/02794390233/uk.css",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/02794390233/uk.css",
         "threatintel.indicator.url.path": "/viro/02794390233/uk.css",
         "threatintel.indicator.url.scheme": "https"
@@ -3388,6 +3484,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "css",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/CSTDNT69D63F754D/en.css",
         "threatintel.indicator.url.path": "/viro/CSTDNT69D63F754D/en.css",
         "threatintel.indicator.url.scheme": "https"
@@ -3422,6 +3519,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg",
         "threatintel.indicator.url.path": "/viro/GSTGNE91B06L219W/1x1.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -3456,6 +3554,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "univirtek.com",
         "threatintel.indicator.url.extension": "jpg",
+        "threatintel.indicator.url.full": "https://univirtek.com/viro/03610140125/map.jpg",
         "threatintel.indicator.url.original": "https://univirtek.com/viro/03610140125/map.jpg",
         "threatintel.indicator.url.path": "/viro/03610140125/map.jpg",
         "threatintel.indicator.url.scheme": "https"
@@ -3490,6 +3589,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "belfetproduction.com",
         "threatintel.indicator.url.extension": "png",
+        "threatintel.indicator.url.full": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png",
         "threatintel.indicator.url.original": "https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png",
         "threatintel.indicator.url.path": "/bella/CRRLRD74E09A462T/blank.png",
         "threatintel.indicator.url.scheme": "https"
diff --git a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
index 239cbc608f5..963671c0cb0 100644
--- a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
@@ -65,7 +65,7 @@ processors:
     if: "ctx?.threatintel?.anomali?.valid_from != null"
 - grok:
     field: threatintel.anomali.pattern
-    patterns: 
+    patterns:
       - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]"
 - rename:
     field: _tmp.threattype
@@ -82,11 +82,10 @@ processors:
     keep_original: true
     remove_if_successful: true
     if: ctx?.threatintel?.indicator?.type == 'url'
-- rename:
-    field: _tmp.threatvalue
-    target_field: threatintel.indicator.url.full
-    ignore_missing: true
-    if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.indicator?.url?.original == null
+- set:
+    field: threatintel.indicator.url.full
+    copy_from: threatintel.indicator.url.original
+    ignore_empty_value: true
 - rename:
     field: _tmp.threatvalue
     target_field: threatintel.indicator.email.address
diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json
index d647be09675..1adbe043c7c 100644
--- a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json
@@ -31,6 +31,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "chol.cc",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/Work6/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -67,6 +68,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "worldatdoor.in",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -102,6 +104,7 @@
         "threatintel.anomali.valid_from": "2020-01-22T02:58:57.570Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "f0387770.xsph.ru",
+        "threatintel.indicator.url.full": "http://f0387770.xsph.ru/login",
         "threatintel.indicator.url.original": "http://f0387770.xsph.ru/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -137,6 +140,7 @@
         "threatintel.anomali.valid_from": "2020-01-22T02:58:59.366Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "178.62.187.103",
+        "threatintel.indicator.url.full": "http://178.62.187.103/login",
         "threatintel.indicator.url.original": "http://178.62.187.103/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -173,6 +177,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "appareluea.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://appareluea.com/panel/admin.php",
         "threatintel.indicator.url.original": "http://appareluea.com/panel/admin.php",
         "threatintel.indicator.url.path": "/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -209,6 +214,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "nkpotu.xyz",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot3/login.php",
         "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot3/login.php",
         "threatintel.indicator.url.path": "/Kpot3/login.php",
         "threatintel.indicator.url.scheme": "http"
@@ -277,6 +283,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "ntrcgroup.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://ntrcgroup.com/nze/panel/admin.php",
         "threatintel.indicator.url.original": "http://ntrcgroup.com/nze/panel/admin.php",
         "threatintel.indicator.url.path": "/nze/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -313,6 +320,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "chol.cc",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/Work8/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -348,6 +356,7 @@
         "threatintel.anomali.valid_from": "2020-01-22T02:59:25.626Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "f0390764.xsph.ru",
+        "threatintel.indicator.url.full": "http://f0390764.xsph.ru/login",
         "threatintel.indicator.url.original": "http://f0390764.xsph.ru/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -416,6 +425,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "aglfreight.com.my",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php",
         "threatintel.indicator.url.original": "http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php",
         "threatintel.indicator.url.path": "/inc/js/jstree/biu/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -451,6 +461,7 @@
         "threatintel.anomali.valid_from": "2020-01-22T02:59:41.228Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "95.182.122.184",
+        "threatintel.indicator.url.full": "http://95.182.122.184/",
         "threatintel.indicator.url.original": "http://95.182.122.184/",
         "threatintel.indicator.url.path": "/",
         "threatintel.indicator.url.scheme": "http"
@@ -550,6 +561,7 @@
         "threatintel.anomali.valid_from": "2020-01-22T02:59:51.442Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "f0389246.xsph.ru",
+        "threatintel.indicator.url.full": "http://f0389246.xsph.ru/login",
         "threatintel.indicator.url.original": "http://f0389246.xsph.ru/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -586,6 +598,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "appareluea.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://appareluea.com/server/cp.php",
         "threatintel.indicator.url.original": "http://appareluea.com/server/cp.php",
         "threatintel.indicator.url.path": "/server/cp.php",
         "threatintel.indicator.url.scheme": "http"
@@ -622,6 +635,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "nkpotu.xyz",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot2/login.php",
         "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot2/login.php",
         "threatintel.indicator.url.path": "/Kpot2/login.php",
         "threatintel.indicator.url.scheme": "http"
@@ -658,6 +672,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "chol.cc",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/Work5/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -694,6 +709,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "mecharnise.ir",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://mecharnise.ir/ca4/panel/admin.php",
         "threatintel.indicator.url.original": "http://mecharnise.ir/ca4/panel/admin.php",
         "threatintel.indicator.url.path": "/ca4/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -730,6 +746,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "chol.cc",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/Work4/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -766,6 +783,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "kironofer.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://kironofer.com/webpanel/login.php",
         "threatintel.indicator.url.original": "http://kironofer.com/webpanel/login.php",
         "threatintel.indicator.url.path": "/webpanel/login.php",
         "threatintel.indicator.url.scheme": "http"
@@ -802,6 +820,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "worldatdoor.in",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -838,6 +857,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "smartlinktelecom.top",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://smartlinktelecom.top/kings/panel/admin.php",
         "threatintel.indicator.url.original": "http://smartlinktelecom.top/kings/panel/admin.php",
         "threatintel.indicator.url.path": "/kings/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -874,6 +894,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "carirero.net",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://carirero.net/login.php",
         "threatintel.indicator.url.original": "http://carirero.net/login.php",
         "threatintel.indicator.url.path": "/login.php",
         "threatintel.indicator.url.scheme": "http"
@@ -941,6 +962,7 @@
         "threatintel.anomali.valid_from": "2020-01-22T03:00:57.729Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "tuu.nu",
+        "threatintel.indicator.url.full": "http://tuu.nu/login",
         "threatintel.indicator.url.original": "http://tuu.nu/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -977,6 +999,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "dulfix.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1013,6 +1036,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "deliciasdvally.com.pe",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1049,6 +1073,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "nkpotu.xyz",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://nkpotu.xyz/Kpot1/login.php",
         "threatintel.indicator.url.original": "http://nkpotu.xyz/Kpot1/login.php",
         "threatintel.indicator.url.path": "/Kpot1/login.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1117,6 +1142,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "35.158.92.3",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://35.158.92.3/panel/admin.php",
         "threatintel.indicator.url.original": "http://35.158.92.3/panel/admin.php",
         "threatintel.indicator.url.path": "/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1185,6 +1211,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "chol.cc",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/Work7/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1220,6 +1247,7 @@
         "threatintel.anomali.valid_from": "2020-01-22T03:02:52.496Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "f0391600.xsph.ru",
+        "threatintel.indicator.url.full": "http://f0391600.xsph.ru/login",
         "threatintel.indicator.url.original": "http://f0391600.xsph.ru/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -1256,6 +1284,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "extraclick.space",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://extraclick.space/login.php",
         "threatintel.indicator.url.original": "http://extraclick.space/login.php",
         "threatintel.indicator.url.path": "/login.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1292,6 +1321,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "petrogarmani.pw",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://petrogarmani.pw/login.php",
         "threatintel.indicator.url.original": "http://petrogarmani.pw/login.php",
         "threatintel.indicator.url.path": "/login.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1328,6 +1358,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "worldatdoor.in",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://worldatdoor.in/mighty/32/panel/admin.php",
         "threatintel.indicator.url.original": "http://worldatdoor.in/mighty/32/panel/admin.php",
         "threatintel.indicator.url.path": "/mighty/32/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1363,6 +1394,7 @@
         "threatintel.anomali.valid_from": "2020-01-22T03:04:32.717Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "zanlma.com",
+        "threatintel.indicator.url.full": "http://zanlma.com/login",
         "threatintel.indicator.url.original": "http://zanlma.com/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -1398,6 +1430,7 @@
         "threatintel.anomali.valid_from": "2020-01-22T03:04:56.858Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "f0369688.xsph.ru",
+        "threatintel.indicator.url.full": "http://f0369688.xsph.ru/login",
         "threatintel.indicator.url.original": "http://f0369688.xsph.ru/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -1434,6 +1467,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "chol.cc",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/Work2/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1502,6 +1536,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "softtouchcollars.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1538,6 +1573,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "imobiliariatirol.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://imobiliariatirol.com/gh/panelnew/admin.php",
         "threatintel.indicator.url.original": "http://imobiliariatirol.com/gh/panelnew/admin.php",
         "threatintel.indicator.url.path": "/gh/panelnew/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1574,6 +1610,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "deliveryexpressworld.xyz",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1609,6 +1646,7 @@
         "threatintel.anomali.valid_from": "2020-01-23T03:02:47.364Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "f0392261.xsph.ru",
+        "threatintel.indicator.url.full": "http://f0392261.xsph.ru/login",
         "threatintel.indicator.url.original": "http://f0392261.xsph.ru/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -1645,6 +1683,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "104.168.99.168",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://104.168.99.168/panel/panel/admin.php",
         "threatintel.indicator.url.original": "http://104.168.99.168/panel/panel/admin.php",
         "threatintel.indicator.url.path": "/panel/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1681,6 +1720,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "f0387404.xsph.ru",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://f0387404.xsph.ru/panel/admin.php",
         "threatintel.indicator.url.original": "http://f0387404.xsph.ru/panel/admin.php",
         "threatintel.indicator.url.path": "/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1717,6 +1757,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "a0386457.xsph.ru",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://a0386457.xsph.ru/panel/admin.php",
         "threatintel.indicator.url.original": "http://a0386457.xsph.ru/panel/admin.php",
         "threatintel.indicator.url.path": "/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1753,6 +1794,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "defenseisrael.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://defenseisrael.com/dis/index.php",
         "threatintel.indicator.url.original": "http://defenseisrael.com/dis/index.php",
         "threatintel.indicator.url.path": "/dis/index.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1820,6 +1862,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T02:57:04.883Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "lbfb3f03.justinstalledpanel.com",
+        "threatintel.indicator.url.full": "http://lbfb3f03.justinstalledpanel.com/login",
         "threatintel.indicator.url.original": "http://lbfb3f03.justinstalledpanel.com/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -1856,6 +1899,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "byedtronchgroup.yt",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1892,6 +1936,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "199.192.28.11",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://199.192.28.11/panel/admin.php",
         "threatintel.indicator.url.original": "http://199.192.28.11/panel/admin.php",
         "threatintel.indicator.url.path": "/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1928,6 +1973,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "217.8.117.51",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://217.8.117.51/aW8bVds1/login.php",
         "threatintel.indicator.url.original": "http://217.8.117.51/aW8bVds1/login.php",
         "threatintel.indicator.url.path": "/aW8bVds1/login.php",
         "threatintel.indicator.url.scheme": "http"
@@ -1963,6 +2009,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T02:57:32.929Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "lansome.site",
+        "threatintel.indicator.url.full": "http://lansome.site/login",
         "threatintel.indicator.url.original": "http://lansome.site/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -1999,6 +2046,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "iplusvietnam.com.vn",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -2035,6 +2083,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "leakaryadeen.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/parl/id345/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -2071,6 +2120,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "oaa-my.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/clap/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -2107,6 +2157,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "thaubenuocngam.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -2142,6 +2193,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T02:58:32.126Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "suspiciousactivity.xyz",
+        "threatintel.indicator.url.full": "http://suspiciousactivity.xyz/login",
         "threatintel.indicator.url.original": "http://suspiciousactivity.xyz/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2177,6 +2229,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T02:58:37.603Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "217.8.117.8",
+        "threatintel.indicator.url.full": "http://217.8.117.8/login",
         "threatintel.indicator.url.original": "http://217.8.117.8/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2212,6 +2265,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T02:58:37.643Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "f0387550.xsph.ru",
+        "threatintel.indicator.url.full": "http://f0387550.xsph.ru/login",
         "threatintel.indicator.url.original": "http://f0387550.xsph.ru/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2247,6 +2301,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T02:58:39.465Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "lf4e4abf.justinstalledpanel.com",
+        "threatintel.indicator.url.full": "http://lf4e4abf.justinstalledpanel.com/login",
         "threatintel.indicator.url.original": "http://lf4e4abf.justinstalledpanel.com/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2315,6 +2370,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "67.215.224.101",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://67.215.224.101/a1/panel/admin.php",
         "threatintel.indicator.url.original": "http://67.215.224.101/a1/panel/admin.php",
         "threatintel.indicator.url.path": "/a1/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -2382,6 +2438,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T02:59:50.233Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "l60bdd58.justinstalledpanel.com",
+        "threatintel.indicator.url.full": "http://l60bdd58.justinstalledpanel.com/login",
         "threatintel.indicator.url.original": "http://l60bdd58.justinstalledpanel.com/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2418,6 +2475,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "107.175.150.73",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://107.175.150.73/~giftioz/.azma/panel/admin.php",
         "threatintel.indicator.url.original": "http://107.175.150.73/~giftioz/.azma/panel/admin.php",
         "threatintel.indicator.url.path": "/~giftioz/.azma/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -2453,6 +2511,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T02:59:52.536Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "5.188.60.52",
+        "threatintel.indicator.url.full": "http://5.188.60.52/login",
         "threatintel.indicator.url.original": "http://5.188.60.52/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2488,6 +2547,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T02:59:54.784Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "trotdeiman.ga",
+        "threatintel.indicator.url.full": "http://trotdeiman.ga/login",
         "threatintel.indicator.url.original": "http://trotdeiman.ga/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2588,6 +2648,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "tavim.org",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://tavim.org/includes/firmino/admin.php",
         "threatintel.indicator.url.original": "http://tavim.org/includes/firmino/admin.php",
         "threatintel.indicator.url.path": "/includes/firmino/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -2623,6 +2684,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T03:00:10.928Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "onlinesecuritycenter.xyz",
+        "threatintel.indicator.url.full": "http://onlinesecuritycenter.xyz/login",
         "threatintel.indicator.url.original": "http://onlinesecuritycenter.xyz/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2659,6 +2721,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "oaa-my.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/cutter/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -2694,6 +2757,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T03:00:24.048Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "jumbajumbadun.fun",
+        "threatintel.indicator.url.full": "http://jumbajumbadun.fun/login",
         "threatintel.indicator.url.original": "http://jumbajumbadun.fun/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2730,6 +2794,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "tavim.org",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://tavim.org/includes/salah/admin.php",
         "threatintel.indicator.url.original": "http://tavim.org/includes/salah/admin.php",
         "threatintel.indicator.url.path": "/includes/salah/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -2765,6 +2830,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T03:01:10.501Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "l0c23205.justinstalledpanel.com",
+        "threatintel.indicator.url.full": "http://l0c23205.justinstalledpanel.com/login",
         "threatintel.indicator.url.original": "http://l0c23205.justinstalledpanel.com/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2800,6 +2866,7 @@
         "threatintel.anomali.valid_from": "2020-01-24T03:01:10.518Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "l535e9e5.justinstalledpanel.com",
+        "threatintel.indicator.url.full": "http://l535e9e5.justinstalledpanel.com/login",
         "threatintel.indicator.url.original": "http://l535e9e5.justinstalledpanel.com/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2867,6 +2934,7 @@
         "threatintel.anomali.valid_from": "2020-01-25T02:57:12.699Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "46.161.27.57",
+        "threatintel.indicator.url.full": "http://46.161.27.57/northon/",
         "threatintel.indicator.url.original": "http://46.161.27.57/northon/",
         "threatintel.indicator.url.path": "/northon/",
         "threatintel.indicator.url.scheme": "http"
@@ -2902,6 +2970,7 @@
         "threatintel.anomali.valid_from": "2020-01-25T02:57:28.034Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "104.168.99.170",
+        "threatintel.indicator.url.full": "http://104.168.99.170/login",
         "threatintel.indicator.url.original": "http://104.168.99.170/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -2938,6 +3007,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "officelog.org",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/scan/panel/admin.php",
         "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/scan/panel/admin.php",
         "threatintel.indicator.url.path": "/inc/js/jstree/scan/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -2973,6 +3043,7 @@
         "threatintel.anomali.valid_from": "2020-01-25T02:57:38.214Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "f0391587.xsph.ru",
+        "threatintel.indicator.url.full": "http://f0391587.xsph.ru/login",
         "threatintel.indicator.url.original": "http://f0391587.xsph.ru/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -3008,6 +3079,7 @@
         "threatintel.anomali.valid_from": "2020-01-25T02:57:47.281Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "46.161.27.57",
+        "threatintel.indicator.url.full": "http://46.161.27.57:8080/northon/",
         "threatintel.indicator.url.original": "http://46.161.27.57:8080/northon/",
         "threatintel.indicator.url.path": "/northon/",
         "threatintel.indicator.url.port": 8080,
@@ -3044,6 +3116,7 @@
         "threatintel.anomali.valid_from": "2020-01-25T02:57:51.296Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "f0393086.xsph.ru",
+        "threatintel.indicator.url.full": "http://f0393086.xsph.ru/login",
         "threatintel.indicator.url.original": "http://f0393086.xsph.ru/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -3080,6 +3153,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "insuncos.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://insuncos.com/files1/panel/admin.php",
         "threatintel.indicator.url.original": "http://insuncos.com/files1/panel/admin.php",
         "threatintel.indicator.url.path": "/files1/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -3115,6 +3189,7 @@
         "threatintel.anomali.valid_from": "2020-01-25T02:57:56.044Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "tg-h.ru",
+        "threatintel.indicator.url.full": "http://tg-h.ru/login",
         "threatintel.indicator.url.original": "http://tg-h.ru/login",
         "threatintel.indicator.url.path": "/login",
         "threatintel.indicator.url.scheme": "http"
@@ -3151,6 +3226,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "wusetwo.xyz",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -3186,6 +3262,7 @@
         "threatintel.anomali.valid_from": "2020-01-25T02:58:20.420Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "185.234.217.36",
+        "threatintel.indicator.url.full": "http://185.234.217.36/northon/",
         "threatintel.indicator.url.original": "http://185.234.217.36/northon/",
         "threatintel.indicator.url.path": "/northon/",
         "threatintel.indicator.url.scheme": "http"
@@ -3222,6 +3299,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "topik07.mcdir.ru",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://topik07.mcdir.ru/papka/admin.php",
         "threatintel.indicator.url.original": "http://topik07.mcdir.ru/papka/admin.php",
         "threatintel.indicator.url.path": "/papka/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -3258,6 +3336,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "insuncos.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://insuncos.com/files2/panel/admin.php",
         "threatintel.indicator.url.original": "http://insuncos.com/files2/panel/admin.php",
         "threatintel.indicator.url.path": "/files2/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -3293,6 +3372,7 @@
         "threatintel.anomali.valid_from": "2020-01-25T02:58:49.056Z",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "185.234.218.68",
+        "threatintel.indicator.url.full": "http://185.234.218.68/kaspersky/",
         "threatintel.indicator.url.original": "http://185.234.218.68/kaspersky/",
         "threatintel.indicator.url.path": "/kaspersky/",
         "threatintel.indicator.url.scheme": "http"
@@ -3329,6 +3409,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "officelog.org",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/mh/panel/admin.php",
         "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/mh/panel/admin.php",
         "threatintel.indicator.url.path": "/inc/js/jstree/mh/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -3365,6 +3446,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "officelog.org",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/ch/panel/admin.php",
         "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/ch/panel/admin.php",
         "threatintel.indicator.url.path": "/inc/js/jstree/ch/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -3401,6 +3483,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "officelog.org",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://officelog.org/inc/js/jstree/dar/panel/admin.php",
         "threatintel.indicator.url.original": "http://officelog.org/inc/js/jstree/dar/panel/admin.php",
         "threatintel.indicator.url.path": "/inc/js/jstree/dar/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
@@ -3437,6 +3520,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "oaa-my.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.original": "http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.path": "/cage/five/PvqDq929BSx_A_D_M1n_a.php",
         "threatintel.indicator.url.scheme": "http"
@@ -3505,6 +3589,7 @@
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "insuncos.com",
         "threatintel.indicator.url.extension": "php",
+        "threatintel.indicator.url.full": "http://insuncos.com/files3/panel/admin.php",
         "threatintel.indicator.url.original": "http://insuncos.com/files3/panel/admin.php",
         "threatintel.indicator.url.path": "/files3/panel/admin.php",
         "threatintel.indicator.url.scheme": "http"
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
index 6d4658c0504..75854beaecc 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
@@ -263,6 +263,11 @@ processors:
           field: error.message
           value: 'Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}'
 
+- set:
+    field: threatintel.indicator.url.full
+    copy_from: threatintel.indicator.url.original
+    ignore_empty_value: true
+
 - rename:
     field: json.country
     target_field: threatintel.indicator.geo.country_iso_code
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
index feab4d23952..fa19350c1b2 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/test/generated.log-expected.json
@@ -380,6 +380,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "ax1a6o38z.example.org",
+        "threatintel.indicator.url.full": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p",
         "threatintel.indicator.url.original": "https://ax1a6o38z.example.org/enec3i/f1n8fv?4shpqq9=fbo9osx8p",
         "threatintel.indicator.url.path": "/enec3i/f1n8fv",
         "threatintel.indicator.url.query": "4shpqq9=fbo9osx8p",
@@ -426,6 +427,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "beko3.example.com",
+        "threatintel.indicator.url.full": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge",
         "threatintel.indicator.url.original": "https://beko3.example.com/vkelnz/jdz6zf-ga?g39fu=88309ge",
         "threatintel.indicator.url.path": "/vkelnz/jdz6zf-ga",
         "threatintel.indicator.url.query": "g39fu=88309ge",
@@ -550,6 +552,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "sevs82.example.com",
+        "threatintel.indicator.url.full": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi",
         "threatintel.indicator.url.original": "http://sevs82.example.com/c5-d/hdajog?4rs78hl=wvwi",
         "threatintel.indicator.url.path": "/c5-d/hdajog",
         "threatintel.indicator.url.query": "4rs78hl=wvwi",
@@ -989,6 +992,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "faahk3drf.example.net",
+        "threatintel.indicator.url.full": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz",
         "threatintel.indicator.url.original": "http://faahk3drf.example.net/julf98x5/0g1t8f?cbffxs2qv=vwgz",
         "threatintel.indicator.url.path": "/julf98x5/0g1t8f",
         "threatintel.indicator.url.query": "cbffxs2qv=vwgz",
@@ -1191,6 +1195,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "p9okf0.example.org",
+        "threatintel.indicator.url.full": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d",
         "threatintel.indicator.url.original": "http://p9okf0.example.org/jyb3n8f/f55vfyt48?s2n=0t2d",
         "threatintel.indicator.url.path": "/jyb3n8f/f55vfyt48",
         "threatintel.indicator.url.query": "s2n=0t2d",
@@ -1236,6 +1241,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "fxkeo24m.example.com",
+        "threatintel.indicator.url.full": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4",
         "threatintel.indicator.url.original": "https://fxkeo24m.example.com/y75tg7sw/jnnu9xmc?apus=ob1hnba4",
         "threatintel.indicator.url.path": "/y75tg7sw/jnnu9xmc",
         "threatintel.indicator.url.query": "apus=ob1hnba4",
@@ -1596,6 +1602,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "ke4ffyj5.example.com",
+        "threatintel.indicator.url.full": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1",
         "threatintel.indicator.url.original": "http://ke4ffyj5.example.com/t-9ikyrtt/ai91?s6u=3y1",
         "threatintel.indicator.url.path": "/t-9ikyrtt/ai91",
         "threatintel.indicator.url.query": "s6u=3y1",
@@ -1757,6 +1764,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "rl27d.example.net",
+        "threatintel.indicator.url.full": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk",
         "threatintel.indicator.url.original": "https://rl27d.example.net/ko6/4rtt?b12=o4mgzz2kk",
         "threatintel.indicator.url.path": "/ko6/4rtt",
         "threatintel.indicator.url.query": "b12=o4mgzz2kk",
@@ -1841,6 +1849,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "6ygk0y.example.com",
+        "threatintel.indicator.url.full": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef",
         "threatintel.indicator.url.original": "http://6ygk0y.example.com/t520/4twe?ql4bhkpop=yfpkef",
         "threatintel.indicator.url.path": "/t520/4twe",
         "threatintel.indicator.url.query": "ql4bhkpop=yfpkef",
@@ -1885,6 +1894,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "rcsr9o.example.net",
+        "threatintel.indicator.url.full": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-",
         "threatintel.indicator.url.original": "http://rcsr9o.example.net/e6f/08b?8d2y=d-42fr-",
         "threatintel.indicator.url.path": "/e6f/08b",
         "threatintel.indicator.url.query": "8d2y=d-42fr-",
@@ -2089,6 +2099,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "cc7d.example.com",
+        "threatintel.indicator.url.full": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb",
         "threatintel.indicator.url.original": "https://cc7d.example.com/kxxwobg/hd6omn?tr8=essb",
         "threatintel.indicator.url.path": "/kxxwobg/hd6omn",
         "threatintel.indicator.url.query": "tr8=essb",
@@ -2252,6 +2263,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "v9aqrp81q.example.net",
+        "threatintel.indicator.url.full": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh",
         "threatintel.indicator.url.original": "http://v9aqrp81q.example.net/psuj4bs/rvp?qufy=ymryh",
         "threatintel.indicator.url.path": "/psuj4bs/rvp",
         "threatintel.indicator.url.query": "qufy=ymryh",
@@ -2491,6 +2503,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "o4kqv8b8.example.net",
+        "threatintel.indicator.url.full": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
         "threatintel.indicator.url.original": "https://o4kqv8b8.example.net/gm4d-9gt/v2iqt?x65ry67ao=skta9rp",
         "threatintel.indicator.url.path": "/gm4d-9gt/v2iqt",
         "threatintel.indicator.url.query": "x65ry67ao=skta9rp",
@@ -2811,6 +2824,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "91p0p.example.com",
+        "threatintel.indicator.url.full": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21",
         "threatintel.indicator.url.original": "https://91p0p.example.com/easx3j6iy/xvnchuoa?dvkljl=h21",
         "threatintel.indicator.url.path": "/easx3j6iy/xvnchuoa",
         "threatintel.indicator.url.query": "dvkljl=h21",
@@ -2970,6 +2984,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "lzr6.example.org",
+        "threatintel.indicator.url.full": "https://lzr6.example.org/a7og/4vpv?e7k5=wun",
         "threatintel.indicator.url.original": "https://lzr6.example.org/a7og/4vpv?e7k5=wun",
         "threatintel.indicator.url.path": "/a7og/4vpv",
         "threatintel.indicator.url.query": "e7k5=wun",
@@ -3130,6 +3145,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "932.example.com",
+        "threatintel.indicator.url.full": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw",
         "threatintel.indicator.url.original": "http://932.example.com/1xmdjyom/tf3inx1?s6zgr=ajgw",
         "threatintel.indicator.url.path": "/1xmdjyom/tf3inx1",
         "threatintel.indicator.url.query": "s6zgr=ajgw",
@@ -3258,6 +3274,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "0te9x75e.example.net",
+        "threatintel.indicator.url.full": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3",
         "threatintel.indicator.url.original": "https://0te9x75e.example.net/y2cbl5ov5/u-s9?vhppw120=bt0ze0du3",
         "threatintel.indicator.url.path": "/y2cbl5ov5/u-s9",
         "threatintel.indicator.url.query": "vhppw120=bt0ze0du3",
@@ -3304,6 +3321,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "b7qdtnl8f.example.org",
+        "threatintel.indicator.url.full": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse",
         "threatintel.indicator.url.original": "http://b7qdtnl8f.example.org/z2a-tx3ip/7cv?9a67ct3mb=ijse",
         "threatintel.indicator.url.path": "/z2a-tx3ip/7cv",
         "threatintel.indicator.url.query": "9a67ct3mb=ijse",
@@ -3434,6 +3452,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "tfva.example.org",
+        "threatintel.indicator.url.full": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao",
         "threatintel.indicator.url.original": "https://tfva.example.org/iih3qkj/b04g7?dwosh0qmt=wi9ao",
         "threatintel.indicator.url.path": "/iih3qkj/b04g7",
         "threatintel.indicator.url.query": "dwosh0qmt=wi9ao",
@@ -3480,6 +3499,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "erg2.example.com",
+        "threatintel.indicator.url.full": "https://erg2.example.com/4ys/vywa93c?7oru=evpi",
         "threatintel.indicator.url.original": "https://erg2.example.com/4ys/vywa93c?7oru=evpi",
         "threatintel.indicator.url.path": "/4ys/vywa93c",
         "threatintel.indicator.url.query": "7oru=evpi",
@@ -3531,6 +3551,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "0elz6c.example.com",
+        "threatintel.indicator.url.full": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl",
         "threatintel.indicator.url.original": "https://0elz6c.example.com/3nhx/cadsn6?kfcj94=gnl",
         "threatintel.indicator.url.path": "/3nhx/cadsn6",
         "threatintel.indicator.url.query": "kfcj94=gnl",
@@ -3577,6 +3598,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "6i0-utr.example.com",
+        "threatintel.indicator.url.full": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr",
         "threatintel.indicator.url.original": "https://6i0-utr.example.com/hsv/50qcugwt?xcl=ofr",
         "threatintel.indicator.url.path": "/hsv/50qcugwt",
         "threatintel.indicator.url.query": "xcl=ofr",
@@ -3714,6 +3736,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "e5el.example.net",
+        "threatintel.indicator.url.full": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5",
         "threatintel.indicator.url.original": "http://e5el.example.net/rncer/fky?8tc53bbz=1pd-6w5",
         "threatintel.indicator.url.path": "/rncer/fky",
         "threatintel.indicator.url.query": "8tc53bbz=1pd-6w5",
@@ -3758,6 +3781,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "eryz36i.example.net",
+        "threatintel.indicator.url.full": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo",
         "threatintel.indicator.url.original": "http://eryz36i.example.net/9a86hdj/zti5r9fx?ahz=l7dsg01qo",
         "threatintel.indicator.url.path": "/9a86hdj/zti5r9fx",
         "threatintel.indicator.url.query": "ahz=l7dsg01qo",
@@ -3804,6 +3828,7 @@
         "threatintel.indicator.provider": "Default Organization",
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "i-pb.example.com",
+        "threatintel.indicator.url.full": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd",
         "threatintel.indicator.url.original": "http://i-pb.example.com/pjmy3/w0tgzb?noe1pr9=eiwcfihd",
         "threatintel.indicator.url.path": "/pjmy3/w0tgzb",
         "threatintel.indicator.url.query": "noe1pr9=eiwcfihd",
diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
index 14868f968d3..365b63d9397 100644
--- a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
@@ -110,13 +110,13 @@ processors:
     if: "ctx?.threatintel?.indicator?.type == 'file' && ctx?.threatintel?.misp?.attribute?.type == 'filename'"
 - grok:
     field: threatintel.misp.attribute.type
-    patterns: 
+    patterns:
       - "%{WORD}\\|%{WORD:_tmp.hashtype}"
     ignore_missing: true
     if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|')
 - grok:
     field: threatintel.misp.attribute.value
-    patterns: 
+    patterns:
       - "%{DATA:threatintel.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}"
     ignore_missing: true
     if: ctx?.threatintel?.misp?.attribute?.type.startsWith('filename|')
@@ -136,11 +136,12 @@ processors:
     keep_original: true
     remove_if_successful: true
     if: ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'
-- rename:
-    field: threatintel.misp.attribute.value
-    target_field: threatintel.indicator.url.full
-    ignore_missing: true
-    if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.indicator?.url?.original == null && ctx?.threatintel?.misp?.attribute?.type != 'uri'"
+
+- set:
+    field: threatintel.indicator.url.full
+    copy_from: threatintel.indicator.url.original
+    ignore_empty_value: true
+    if: "ctx?.threatintel?.indicator?.type == 'url' && ctx?.threatintel?.misp?.attribute?.type != 'uri'"
 
 ## Regkey indicator operations
 - set:
@@ -154,7 +155,7 @@ processors:
     if: "ctx?.threatintel?.indicator?.type == 'windows-registry-key' && ctx?.threatintel?.misp?.attribute?.type == 'regkey'"
 - grok:
     field: threatintel.misp.attribute.value
-    patterns: 
+    patterns:
       - "%{DATA:threatintel.indicator.registry.key}\\|%{DATA:threatintel.indicator.registry.value}"
     ignore_missing: true
     if: "ctx?.threatintel?.misp?.attribute?.type == 'regkey|value'"
@@ -192,13 +193,13 @@ processors:
     if: "ctx?.threatintel?.indicator?.type == 'ipv4-addr' && ctx?.threatintel?.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx?.threatintel?.misp?.attribute?.type)"
 - grok:
     field: threatintel.misp.attribute.value
-    patterns: 
+    patterns:
       - "%{DATA:threatintel.indicator.domain}\\|%{IP:threatintel.indicator.ip}"
     ignore_missing: true
     if: ctx.threatintel?.misp?.attribute?.type == 'domain|ip'
 - grok:
     field: threatintel.misp.attribute.value
-    patterns: 
+    patterns:
       - "%{IP:threatintel.indicator.ip}\\|%{NUMBER:threatintel.indicator.port}"
     ignore_missing: true
     if: "['ip-src|port', 'ip-dst|port'].contains(ctx.threatintel?.misp?.attribute?.type)"
@@ -245,7 +246,7 @@ processors:
            .filter(t -> t.startsWith('tlp:'))
            .map(t -> t.replace('tlp:', ''))
            .collect(Collectors.toList());
-        
+
         ctx.tags = tags;
         ctx.threatintel.indicator.marking = [ 'tlp': tlpTags ];
 
diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
index 06d0b79dc22..45edea74815 100644
--- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
@@ -138,6 +138,7 @@
         "threatintel.indicator.scanner_stats": 2,
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "www.virustotal.com",
+        "threatintel.indicator.url.full": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
         "threatintel.indicator.url.original": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
         "threatintel.indicator.url.path": "/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/",
         "threatintel.indicator.url.scheme": "https",
@@ -527,6 +528,7 @@
         "threatintel.indicator.scanner_stats": 0,
         "threatintel.indicator.type": "url",
         "threatintel.indicator.url.domain": "get.adobe.com",
+        "threatintel.indicator.url.full": "http://get.adobe.com/stats/AbfFcBebD/?q=",
         "threatintel.indicator.url.original": "http://get.adobe.com/stats/AbfFcBebD/?q=",
         "threatintel.indicator.url.path": "/stats/AbfFcBebD/",
         "threatintel.indicator.url.query": "q=",
diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
index a4a16035111..234d01bae62 100644
--- a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
@@ -85,16 +85,11 @@ processors:
     keep_original: true
     remove_if_successful: true
     if: ctx?.threatintel?.indicator?.type == 'url'
-- rename:
-    field: threatintel.otx.indicator
-    target_field: threatintel.indicator.url.full
-    ignore_missing: true
-    if: "ctx?.threatintel?.otx?.type == 'URL' && ctx?.threatintel?.indicator?.url?.original == null"
-- rename:
-    field: threatintel.otx.indicator
-    target_field: threatintel.indicator.url.path
-    ignore_missing: true
-    if: "ctx?.threatintel?.otx?.type == 'URI'"
+- set:
+    field: threatintel.indicator.url.full
+    copy_from: threatintel.indicator.url.original
+    ignore_empty_value: true
+    if: "ctx?.threatintel?.otx?.type == 'URL'"
 
 ## Email indicator operations
 - set:
diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log
index cec2590a82b..22ed47e12f4 100644
--- a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log
+++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log
@@ -78,3 +78,6 @@
 {"indicator":"36.89.106.69","description":null,"title":null,"content":"","type":"IPv4","id":2189036446}
 {"indicator":"96.9.73.73","description":null,"title":null,"content":"","type":"IPv4","id":2190596263}
 {"indicator":"10ec3571596c30b9993b89f12d29d23c","description":"MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6","title":"xor_0x20_xord_javascript","content":"","type":"FileHash-MD5","id":2192837907}
+{"id":73,"indicator":"http://www.playboysplus.com","type":"URL","title":null,"description":null,"content":""}
+{"id":74,"indicator":"http://join.playboysplus.com/signup/","type":"URL","title":null,"description":null,"content":""}
+{"id":970,"indicator":"http://api.vk.com/method/wall.get?count=1&owner_id=-81972386","type":"URL","title":null,"description":null,"content":""}
diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json
index 0b8ce8ddb19..8a8564626d5 100644
--- a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json
@@ -1409,5 +1409,70 @@
         "threatintel.indicator.type": "file",
         "threatintel.otx.description": "MD5 of 9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6",
         "threatintel.otx.title": "xor_0x20_xord_javascript"
+    },
+    {
+        "event.category": "threat",
+        "event.dataset": "threatintel.otx",
+        "event.kind": "enrichment",
+        "event.module": "threatintel",
+        "event.type": "indicator",
+        "fileset.name": "otx",
+        "input.type": "log",
+        "log.offset": 12786,
+        "service.type": "threatintel",
+        "tags": [
+            "forwarded",
+            "threatintel-otx"
+        ],
+        "threatintel.indicator.type": "url",
+        "threatintel.indicator.url.domain": "www.playboysplus.com",
+        "threatintel.indicator.url.full": "http://www.playboysplus.com",
+        "threatintel.indicator.url.original": "http://www.playboysplus.com",
+        "threatintel.indicator.url.path": "",
+        "threatintel.indicator.url.scheme": "http"
+    },
+    {
+        "event.category": "threat",
+        "event.dataset": "threatintel.otx",
+        "event.kind": "enrichment",
+        "event.module": "threatintel",
+        "event.type": "indicator",
+        "fileset.name": "otx",
+        "input.type": "log",
+        "log.offset": 12896,
+        "service.type": "threatintel",
+        "tags": [
+            "forwarded",
+            "threatintel-otx"
+        ],
+        "threatintel.indicator.type": "url",
+        "threatintel.indicator.url.domain": "join.playboysplus.com",
+        "threatintel.indicator.url.full": "http://join.playboysplus.com/signup/",
+        "threatintel.indicator.url.original": "http://join.playboysplus.com/signup/",
+        "threatintel.indicator.url.path": "/signup/",
+        "threatintel.indicator.url.scheme": "http"
+    },
+    {
+        "event.category": "threat",
+        "event.dataset": "threatintel.otx",
+        "event.kind": "enrichment",
+        "event.module": "threatintel",
+        "event.type": "indicator",
+        "fileset.name": "otx",
+        "input.type": "log",
+        "log.offset": 13015,
+        "service.type": "threatintel",
+        "tags": [
+            "forwarded",
+            "threatintel-otx"
+        ],
+        "threatintel.indicator.type": "url",
+        "threatintel.indicator.url.domain": "api.vk.com",
+        "threatintel.indicator.url.extension": "get",
+        "threatintel.indicator.url.full": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386",
+        "threatintel.indicator.url.original": "http://api.vk.com/method/wall.get?count=1&owner_id=-81972386",
+        "threatintel.indicator.url.path": "/method/wall.get",
+        "threatintel.indicator.url.query": "count=1&owner_id=-81972386",
+        "threatintel.indicator.url.scheme": "http"
     }
 ]
\ No newline at end of file