Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Filebeat misp module #13805

Merged
merged 22 commits into from
Oct 15, 2019
Merged

Add Filebeat misp module #13805

merged 22 commits into from
Oct 15, 2019
+2,176 −0

Conversation

alakahakai
Copy link

Add Filebeat misp module to take threat intel from the MISP platform.

@alakahakai alakahakai requested a review from a team as a code owner September 26, 2019 04:35
houndci-bot
houndci-bot reviewed Sep 26, 2019
View reviewed changes
@elastic elastic deleted a comment from houndci-bot Sep 26, 2019
@alakahakai alakahakai added the in progress Pull request is currently in progress. label Sep 26, 2019
@alakahakai alakahakai removed the in progress Pull request is currently in progress. label Sep 26, 2019
@alakahakai
Copy link
Author

jenkins, test this

@alakahakai alakahakai requested a review from a team September 28, 2019 03:58
@cwurm
Copy link
Contributor

cwurm commented Sep 30, 2019

I have yet to take a closer look, but in the pipeline, I think it would make sense to put the indicator in its separate field as well. E.g. put all IPs into a threat.threat_indicator.ip field. That way, it would be very easy to get a list of all known bad IPs, search for specific IPs, or build visualizations/dashboards on top of the data. We could have a field per indicator type (value of the type field coming from MISP).

webmat
webmat reviewed Sep 30, 2019
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This importer be good to have, and I'm happy to see this happening at the same time as ECS is working on the "threat" field set :-)

This is just a first cursory review. Noticed a few small things, see the comments.

One big no-no, however: please nest the fields under misp., as this hasn't been normalized vs other sources of IOCs, and will conflict (or at least confuse people) vs the upcoming support for "threat" in ECS.

x-pack/filebeat/module/misp/threat/_meta/fields.yml
This defines the organizational level at which this Intrusion Set typically works.
Open Vocab - attack-resource-level-ov

- name: primary_motivation
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about using nesting, in order to keep all motivation levels grouped, within an event?

  • .motivation.primary
  • .motivation.secondary
  • .motivation.personal

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure whether this is a good idea, since the existing fields are compliant to the STIX spec, hence potentially interoperable with other vendors.

@webmat webmat mentioned this pull request Sep 30, 2019
Merged
alakahakai
alakahakai commented Sep 30, 2019
View reviewed changes
Copy link
Author

@alakahakai alakahakai left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have yet to take a closer look, but in the pipeline, I think it would make sense to put the indicator in its separate field as well. E.g. put all IPs into a threat.threat_indicator.ip field. That way, it would be very easy to get a list of all known bad IPs, search for specific IPs, or build visualizations/dashboards on top of the data. We could have a field per indicator type (value of the type field coming from MISP).

Sounds good to me. I can add a few additional fields. But it will not be threat.threat_indicator.ip, it will be source.ip or detination.ip.

@cwurm
Copy link
Contributor

cwurm commented Oct 1, 2019
edited
Loading

I have yet to take a closer look, but in the pipeline, I think it would make sense to put the indicator in its separate field as well. E.g. put all IPs into a threat.threat_indicator.ip field. That way, it would be very easy to get a list of all known bad IPs, search for specific IPs, or build visualizations/dashboards on top of the data. We could have a field per indicator type (value of the type field coming from MISP).

Sounds good to me. I can add a few additional fields. But it will not be threat.threat_indicator.ip, it will be source.ip or detination.ip.

Why? If the indicator is an IP ("this IP is known bad"), shouldn't all such IPs be in the same field?

@alakahakai
Copy link
Author

alakahakai commented Oct 1, 2019
edited
Loading

I have yet to take a closer look, but in the pipeline, I think it would make sense to put the indicator in its separate field as well. E.g. put all IPs into a threat.threat_indicator.ip field. That way, it would be very easy to get a list of all known bad IPs, search for specific IPs, or build visualizations/dashboards on top of the data. We could have a field per indicator type (value of the type field coming from MISP).

Sounds good to me. I can add a few additional fields. But it will not be threat.threat_indicator.ip, it will be source.ip or detination.ip.

Why? If the indicator is an IP ("this IP is known bad"), shouldn't all such IPs be in the same field?

In most cases, both source and destination fields will be populated. But certain threat intel indicators might only have source populated, e.g., DOS attacks, etc. Using source.ip and destination.ip also makes query easier since they use the same fields as the normal events.

@cwurm
Copy link
Contributor

cwurm commented Oct 2, 2019

In most cases, both source and destination fields will be populated. But certain threat intel indicators might only have source populated, e.g., DOS attacks, etc. Using source.ip and destination.ip also makes query easier since they use the same fields as the normal events.

Makes sense. If a threat IP is not source/destination specific, would you populate both?

@alakahakai
Copy link
Author

In most cases, both source and destination fields will be populated. But certain threat intel indicators might only have source populated, e.g., DOS attacks, etc. Using source.ip and destination.ip also makes query easier since they use the same fields as the normal events.

Makes sense. If a threat IP is not source/destination specific, would you populate both?

Yes. Whether it is src or dest or both is specified in the original intel record, and it determines how the fields are populated

@randomuserid
Copy link

What kinds of IOC records are we seeing with a source and destination IP? Most of the time they are IPs, domains, file hashes, mutexes, or other names

@tsg tsg added the Team:SIEM label Oct 7, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@alakahakai
Copy link
Author

jenkins, test this

andrewkroh
andrewkroh reviewed Oct 9, 2019
View reviewed changes
@alakahakai
Copy link
Author

jenkins, test this

andrewkroh
andrewkroh approved these changes Oct 15, 2019
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. There's just small issue (I think) with the formatting of the docs. That could even be corrected in a follow up.

filebeat/docs/modules/misp.asciidoc
This is a filebeat module for reading threat intel information from the MISP platform (https://www.circl.lu/doc/misp/). It uses the httpjson input to access the MISP REST API interface.

The configuration in the config.yml file uses the following format:
var.api_key: specifies the API key to access MISP.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there's a bit of a formatting issue with the config example.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean the indent before var.api.key? It is done on purpose. Maybe not the best way to do it?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I mean the indentation. I don’t think this is what you we’re going for.

78AC7DBC-CEED-4090-A7D6-222523E4EA88

@elastic elastic deleted a comment Oct 15, 2019
@alakahakai alakahakai merged commit a05a98f into elastic:master Oct 15, 2019
@urso urso added the v7.5.0 label Oct 22, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webmat webmat

@andrewkroh andrewkroh

@houndci-bot houndci-bot

Assignees
No one assigned
Labels
Filebeat Filebeat module review v7.5.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@alakahakai @cwurm @randomuserid @elasticmachine @webmat @andrewkroh @houndci-bot @urso @tsg