manifest.yml
type: logs
title: MISP
streams:
  - input: httpjson
    vars:
      - name: url
        type: text
        title: MISP URL
        multi: false
        required: true
        show_user: true
        default: https://mispserver.com
        description: The URL or hostname of the MISP instance.
      # Declared as type "password" so the token is handled as a secret field.
      - name: api_token
        type: password
        title: MISP API Token
        multi: false
        required: true
        show_user: true
        description: The API token used to access the MISP instance.
      - name: initial_interval
        type: text
        title: Interval
        multi: false
        required: true
        show_user: true
        default: 120h
        description: How far back to look for indicators the first time the agent is started.
      - name: http_client_timeout
        type: text
        title: HTTP Client Timeout
        multi: false
        required: false
        show_user: false
        default: 30s
      - name: filters
        type: yaml
        title: MISP API Filters
        multi: false
        required: false
        show_user: false
        default: |
          #type:
          #  OR:
          #    - ip-src
          #    - ip-dst
          #tags:
          #  NOT:
          #    - tlp-red
        description: Filters documented at [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) are supported.
      - name: proxy_url
        type: text
        title: Proxy URL
        multi: false
        required: false
        show_user: false
        description: URL to proxy connections in the form of http\[s\]://<user>:<password>@<server name/ip>:<port>
      # Polling interval between requests (distinct from initial_interval above).
      - name: interval
        type: text
        title: Interval
        multi: false
        required: true
        show_user: true
        default: 10m
      # The default is commented out; enabling "verification_mode: none"
      # turns off TLS certificate verification for the MISP connection.
      - name: ssl
        type: yaml
        title: SSL
        multi: false
        required: false
        show_user: false
        default: |
          #verification_mode: none
      - name: tags
        type: text
        title: Tags
        multi: true
        required: true
        show_user: false
        default:
          - forwarded
          - misp-threat
      - name: preserve_original_event
        required: true
        show_user: true
        title: Preserve original event
        description: Preserves a raw copy of the original event, added to the field `event.original`
        type: bool
        multi: false
        default: false
      - name: processors
        type: yaml
        title: Processors
        multi: false
        required: false
        show_user: false
        description: >
          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
      - name: enable_request_tracer
        type: bool
        title: Enable request tracing
        multi: false
        required: false
        show_user: false
        description: >
          The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
    template_path: httpjson.yml.hbs
    title: MISP
    description: Collect indicators from the MISP API