Add Kibana Dashboard for Filebeat MISP module (elastic#14147)

* Add Kibana Dashboard for MISP module

CHANGELOG.next.asciidoc

@@ -359,6 +359,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add ELB fileset to AWS module. {pull}14020[14020]
 - Add module for MISP (Malware Information Sharing Platform). {pull}13805[13805]
 - Add `source.bytes` and `source.packets` for uni-directional netflow events. {pull}14111[14111]
+- Add Kibana Dashboard for MISP module. {pull}14147[14147]
 
 *Heartbeat*
 - Add non-privileged icmp on linux and darwin(mac). {pull}13795[13795] {issue}11498[11498]

filebeat/docs/modules/misp.asciidoc

@@ -15,11 +15,22 @@ beta[]
 This is a filebeat module for reading threat intel information from the MISP platform (https://www.circl.lu/doc/misp/). It uses the httpjson input to access the MISP REST API interface.
 
 The configuration in the config.yml file uses the following format:
-    var.api_key: specifies the API key to access MISP.
-    var.json_objects_array: specifies the array object in MISP response, e.g., "response.Attribute".
-    var.url: URI of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch"
 
+ * var.api_key: specifies the API key to access MISP.
+ * var.json_objects_array: specifies the array object in MISP response, e.g., "response.Attribute".
+ * var.url: URI of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch"
 
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard. For example:
+
+[role="screenshot"]
+image::./images/kibana-misp.png[]
+
+:has-dashboards!:
+
+:modulename!:
 
 
 [float]

x-pack/filebeat/filebeat.reference.yml

@@ -409,11 +409,6 @@ filebeat.modules:
   threat:
     enabled: true
 
-    # MISP Configuration
-    var.api_key: "XXXXXXXXXXXXXX" # API key for MISP
-    var.json_objects_array: "response.Attribute"
-    var.url: "http://X.X.X.X/attributes/restSearch" # X.X.X.X is the IP address of the MISP server
-
 #------------------------------- Mongodb Module -------------------------------
 #- module: mongodb
   # Logs

x-pack/filebeat/module/misp/README.md

@@ -0,0 +1,27 @@
+# MISP module
+
+## Caveats
+
+* Module is to be considered _beta_.
+
+## How to try the module from distribution install
+
+You should already have MISP installed and running. Information about the MISP platform can be found here: https://www.circl.lu/doc/misp.
+
+```
+./filebeat setup --modules=misp -e --dashboards
+```
+
+Enable the MISP module
+
+```
+./filebeat modules enable misp
+```
+
+Start Filebeat
+
+```
+./filebeat -e
+```
+
+You can see the MISP Overview dashboard and the imported threat indicators in Kibana.

x-pack/filebeat/module/misp/_meta/config.yml

@@ -1,8 +1,3 @@
 - module: misp
   threat:
     enabled: true
-
-    # MISP Configuration
-    var.api_key: "XXXXXXXXXXXXXX" # API key for MISP
-    var.json_objects_array: "response.Attribute"
-    var.url: "http://X.X.X.X/attributes/restSearch" # X.X.X.X is the IP address of the MISP server

x-pack/filebeat/module/misp/_meta/docs.asciidoc

@@ -10,8 +10,19 @@ beta[]
 This is a filebeat module for reading threat intel information from the MISP platform (https://www.circl.lu/doc/misp/). It uses the httpjson input to access the MISP REST API interface.
 
 The configuration in the config.yml file uses the following format:
-    var.api_key: specifies the API key to access MISP.
-    var.json_objects_array: specifies the array object in MISP response, e.g., "response.Attribute".
-    var.url: URI of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch"
 
+ * var.api_key: specifies the API key to access MISP.
+ * var.json_objects_array: specifies the array object in MISP response, e.g., "response.Attribute".
+ * var.url: URI of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch"
 
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard. For example:
+
+[role="screenshot"]
+image::./images/kibana-misp.png[]
+
+:has-dashboards!:
+
+:modulename!: