work in progress for mandiant threat intel integration, cisagov#358

dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json

@@ -329,9 +329,9 @@
       "updated_at": "2022-01-12T18:22:26.156Z",
       "version": "WzI0NCwxXQ==",
       "attributes": {
-        "visState": "{\"title\":\"Intel - Matched\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"threat.indicator.type\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}",
+        "visState": "{\"title\":\"Intel - Indicator Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"threat.indicator.type\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}",
         "description": "",
-        "title": "Intel - Matched",
+        "title": "Intel - Indicator Type",
         "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
         "version": 1,
         "kibanaSavedObjectMeta": {

logstash/pipelines/zeek/1300_zeek_normalize.conf

@@ -12,7 +12,7 @@ filter {
         id => "ruby_map_zeek_intel_confidence"
         code => "
           if (confNumVal = event.get('[zeek][intel][cif_confidence]').to_f) then
-            confStrVal = case value
+            confStrVal = case confNumVal
               when 0...3
                 'Low'
               when 3...7
@@ -22,7 +22,7 @@ filter {
               else
                 'None'
               end
-            event.set('[threat][indicator][confidence]', confStrVal)"
+            event.set('[threat][indicator][confidence]', confStrVal)
           end"
       }
     }
@@ -119,6 +119,15 @@ filter {
       mutate { id => "mutate_merge_zeek_intel_indicator_types_matched"
                merge => { "[threat][indicator][type]" => "[@metadata][intel_indicator_types_matched]" } }
     }
+    if ([threat][indicator][type]) {
+      ruby {
+        id => "ruby_threat_indicator_type_uniq"
+        path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb"
+        script_params => {
+          "field" => "[threat][indicator][type]"
+        }
+      }
+    }
 
     # zeek.intel.sources -> threat.indicator.provider
     if ([zeek][intel][sources]) {

logstash/pipelines/zeek/1400_zeek_convert.conf

@@ -473,7 +473,7 @@ filter {
         id => "date_zeek_intel_cif_firstseen"
         match => [ "[zeek][intel][cif_firstseen]", "UNIX" ]
         target => "[threat][indicator][first_seen]"
-        remove_field => [ "[zeek][intel][cif_firstseen]"
+        remove_field => [ "[zeek][intel][cif_firstseen]" ]
       }
     }
   }
@@ -486,7 +486,7 @@ filter {
         id => "date_zeek_intel_cif_lastseen"
         match => [ "[zeek][intel][cif_lastseen]", "UNIX" ]
         target => "[threat][indicator][last_seen]"
-        remove_field => [ "[zeek][intel][cif_lastseen]"
+        remove_field => [ "[zeek][intel][cif_lastseen]" ]
       }
     }
   }