[Filebeat] Fix MISP filters documentation (elastic#31434)

The documentation for the Threat Intel MISP module shows the `var.filters` option as a list when it should be a dictionary. Co-authored-by: Denis Rechkunov <denis.rechkunov@elastic.co>
andrewkroh · Apr 28, 2022 · c64ba6c · c64ba6c
1 parent 9eca3a2
commit c64ba6c
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 8 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -63,6 +63,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
 - google_workspace: Fix pagination to prevent skipped events when more than one page is present. {pull}31372[31372]
 - sophos.xg: Update module to handle new log fields. {issue}31038[31038] {pull}31388[31388]
 - cisco: Fix umbrella dns logs populating destination.ip instead of source.nat.ip. {pull}31454[31454]
+- Fix MISP documentation for `var.filters` config option. {pull}31434[31434]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc
@@ -221,8 +221,8 @@ reference the MISP fields located on the MISP server itself.
     var.url: https://SERVER/events/restSearch
     var.api_token: xVfaM3DSt8QEwO2J1ix00V4ZHJs14nq5GMsHcK6Z
     var.filters:
-      - type: ["md5", "sha256", "url", "ip-src"]
-      - threat_level: 4
+      type: ["md5", "sha256", "url", "ip-src"]
+      threat_level: 4
     var.first_interval: 24h
     var.interval: 60m
 ----
@@ -245,8 +245,8 @@ from the last response as the filter when retrieving new events.
 
 *`var.filters`*::
 
-List of filters to apply when retrieving new events from the MISP server, this
-field is optional and defaults to all events.
+Dictionary of filters to apply when retrieving new events from the MISP server, this
+field is optional and defaults to all events. A list of available options is located at https://www.circl.lu/doc/misp/automation/#search
 
 *`var.proxy_url`*::
 

diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
@@ -214,8 +214,8 @@ reference the MISP fields located on the MISP server itself.
     var.url: https://SERVER/events/restSearch
     var.api_token: xVfaM3DSt8QEwO2J1ix00V4ZHJs14nq5GMsHcK6Z
     var.filters:
-      - type: ["md5", "sha256", "url", "ip-src"]
-      - threat_level: 4
+      type: ["md5", "sha256", "url", "ip-src"]
+      threat_level: 4
     var.first_interval: 24h
     var.interval: 60m
 ----
@@ -238,8 +238,8 @@ from the last response as the filter when retrieving new events.
 
 *`var.filters`*::
 
-List of filters to apply when retrieving new events from the MISP server, this
-field is optional and defaults to all events.
+Dictionary of filters to apply when retrieving new events from the MISP server, this
+field is optional and defaults to all events. A list of available options is located at https://www.circl.lu/doc/misp/automation/#search
 
 *`var.proxy_url`*::