
Add attack_pattern_kql field to MISP threat indicators #14470

Merged
merged 4 commits into from
Nov 15, 2019

Conversation

alakahakai

Add attack_pattern_kql field to MISP threat indicators, so that the detection engine can use it as threat indicator rules.

@alakahakai alakahakai requested a review from a team as a code owner November 11, 2019 22:26
@alakahakai alakahakai added in progress Pull request is currently in progress. Filebeat Filebeat module Team:SIEM labels Nov 11, 2019
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@alakahakai alakahakai requested a review from a team November 12, 2019 15:53
@alakahakai alakahakai added review and removed in progress Pull request is currently in progress. labels Nov 12, 2019
Member

@andrewkroh andrewkroh left a comment


Nice idea

x-pack/filebeat/module/misp/threat/config/pipeline.js
evt.Put("source.ip", ip);
break;
case "link":
attackPattern = '[' + 'url.full = ' + '\'' + v + '\'' + ']';
attackPattern = '[' + 'url:full = ' + '\'' + v + '\'' + ']';
attackPatternKQL = 'url.full: ' + '"' + v + '"';
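Review bot: the KQL clause on the last line of this hunk embeds `v` directly between double quotes with no escaping, so an indicator value that contains `"` or `\` yields a malformed query or changes the query's structure; the same applies to the single-quoted value in the `attackPattern` line above it. Escape the value before concatenating, e.g. `v.replace(/\\/g, '\\\\').replace(/"/g, '\\"')` for the KQL form, so an attribute value can only ever match as a literal. Also note that the two `attackPattern` lines differ only in `url.full` versus `url:full`; a short comment stating which form the pattern language expects would save the next reader a lookup.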
Member


You might also want to search the http.request.referrer URL?

Author

@alakahakai alakahakai Nov 13, 2019


The http record, that has the referrer URL as the url.full field, should have already matched the query. So this might not be needed. Otherwise, we will have duplicates.

@alakahakai
Author

Just a note: For the "AND" query, I will keep the relevant fields set; but for "OR" query, I will not set the fields since it will be taken as "AND".
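The composition described in the note above (one clause per indicator field, joined with "and" or "or"), as an added JavaScript example. This is not the Filebeat MISP module's pipeline.js code; the type-to-field table, the function names and the sample attributes are assumptions made for illustration. It also quotes the indicator value so that a crafted MISP attribute cannot alter the structure of the generated KQL.

```javascript
// Added example (not the Filebeat MISP module's code): build a KQL
// expression from MISP attribute values.

// Escape the characters KQL treats specially inside a quoted string
// (backslash first, then the double quote), then wrap in quotes.
function kqlQuote(value) {
  return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Assumed mapping from MISP attribute type to ECS field(s); only a subset.
const TYPE_TO_FIELDS = {
  'ip-src': ['source.ip'],
  'ip-dst': ['destination.ip'],
  'link': ['url.full'],
  'url': ['url.full'],
  'domain': ['destination.domain'],
};

// One clause for one attribute: "field: value", or "(a or b)" when the
// type maps to several fields. Unknown types yield null and are skipped.
function clauseFor(type, value) {
  const fields = TYPE_TO_FIELDS[type];
  if (!fields) return null;
  const parts = fields.map((f) => f + ': ' + kqlQuote(value));
  return parts.length === 1 ? parts[0] : '(' + parts.join(' or ') + ')';
}

// Join the clauses of a set of attributes with the requested operator.
// An "or" query matches any single indicator; an "and" query requires all.
function buildKQL(attributes, op) {
  if (op !== 'and' && op !== 'or') {
    throw new Error('op must be "and" or "or"');
  }
  const clauses = attributes
    .map((a) => clauseFor(a.type, a.value))
    .filter(Boolean);
  return clauses.join(' ' + op + ' ');
}

// Constructed sample attributes (not real indicators).
const SAMPLE_ATTRIBUTES = [
  { type: 'ip-src', value: '10.0.0.1' },
  { type: 'link', value: 'http://example.test/path?q=1' },
  { type: 'comment', value: 'ignored: no field mapping' },
];

function demo() {
  return {
    any: buildKQL(SAMPLE_ATTRIBUTES, 'or'),
    all: buildKQL(SAMPLE_ATTRIBUTES, 'and'),
    escaped: buildKQL([{ type: 'link', value: 'http://x.test/" or *' }], 'or'),
  };
}
```

The `escaped` entry in `demo()` shows why the quoting matters: without it, the value `http://x.test/" or *` would close the string early and append a wildcard clause to the rule.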

@alakahakai alakahakai requested review from andrewkroh and removed request for a team and FrankHassanabad November 13, 2019 23:27
@alakahakai
Author

jenkins, test this

@alakahakai alakahakai merged commit 5459169 into elastic:master Nov 15, 2019
alakahakai pushed a commit that referenced this pull request Nov 21, 2019
* Add attack_pattern_kql field to MISP threat indicators (#14470)