
Commit fc4df7f

legoguy1000andrewkrohkcreddy
authored
[TI MISP] Add datastream for Attributes API endpoint (#4136)
* [TI MISP] Add datastream for Attributes API endpoint --------- Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> Co-authored-by: kcreddy <krish.reddy91@gmail.com>
1 parent 89641ac commit fc4df7f

25 files changed

+3331
-930
lines changed

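--- a/packages/ti_misp/_dev/build/docs/README.md
+++ b/packages/ti_misp/_dev/build/docs/README.md
@@ -13,4 +13,12 @@ The filters themselves are based on the [MISP API documentation](https://www.cir
 
 {{fields "threat"}}
 
-{{event "threat"}}
+{{event "threat"}}
+
+### Threat Attributes
+
+The MISP integration configuration allows to set the polling interval, how far back it should look initially, and optionally any filters used to filter the results.
+This data stream uses the `/attributes/restSearch` API endpoint which returns more granular information regarding MISP attributes and additional information.
+
+{{fields "threat_attributes"}}
+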
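--- a/packages/ti_misp/_dev/deploy/docker/files/config.yml
+++ b/packages/ti_misp/_dev/deploy/docker/files/config.yml
@@ -314,3 +314,165 @@ rules:
           {
             "response": []
           }
+  - path: /attributes/restSearch
+    methods: ["POST"]
+    request_headers:
+      Authorization: "test"
+      Content-Type: application/json
+    request_body: /^{"limit":"10","page":"1","returnFormat":"json","timestamp":/
+    responses:
+      - status_code: 200
+        body: |-
+          {
+            "response": {
+              "Attribute": [
+                {
+                  "id": "1",
+                  "event_id": "1",
+                  "object_id": "0",
+                  "object_relation": null,
+                  "category": "External analysis",
+                  "type": "link",
+                  "to_ids": false,
+                  "uuid": "542e4cbd-ee78-4a57-bfb8-1fda950d210b",
+                  "timestamp": "1412320445",
+                  "distribution": "5",
+                  "sharing_group_id": "0",
+                  "comment": "",
+                  "deleted": false,
+                  "disable_correlation": false,
+                  "first_seen": null,
+                  "last_seen": null,
+                  "value": "http://labs.opendns.com/2014/10/02/opendns-and-bash/",
+                  "Event": {
+                    "org_id": "1",
+                    "distribution": "3",
+                    "id": "1",
+                    "info": "OSINT ShellShock scanning IPs from OpenDNS",
+                    "orgc_id": "2",
+                    "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b"
+                  }
+                },
+                {
+                  "id": "2",
+                  "event_id": "1",
+                  "object_id": "0",
+                  "object_relation": null,
+                  "category": "External analysis",
+                  "type": "link",
+                  "to_ids": false,
+                  "uuid": "542e4cbe-d560-4e14-9157-1fda950d210b",
+                  "timestamp": "1412320446",
+                  "distribution": "5",
+                  "sharing_group_id": "0",
+                  "comment": "",
+                  "deleted": false,
+                  "disable_correlation": false,
+                  "first_seen": null,
+                  "last_seen": null,
+                  "value": "https://gist.github.com/andrewsmhay/de1cdc63d04c2bbf8c12",
+                  "Event": {
+                    "org_id": "1",
+                    "distribution": "3",
+                    "id": "1",
+                    "info": "OSINT ShellShock scanning IPs from OpenDNS",
+                    "orgc_id": "2",
+                    "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b"
+                  }
+                },
+                {
+                  "id": "3",
+                  "event_id": "1",
+                  "object_id": "0",
+                  "object_relation": null,
+                  "category": "External analysis",
+                  "type": "link",
+                  "to_ids": false,
+                  "uuid": "542e4cbe-12a4-4345-b0a4-1fda950d210b",
+                  "timestamp": "1412320446",
+                  "distribution": "5",
+                  "sharing_group_id": "0",
+                  "comment": "",
+                  "deleted": false,
+                  "disable_correlation": false,
+                  "first_seen": null,
+                  "last_seen": null,
+                  "value": "https://gist.githubusercontent.com/andrewsmhay/de1cdc63d04c2bbf8c12/raw/f20402cf5a0c646c63c4521f60587703fe654443/iplist",
+                  "Event": {
+                    "org_id": "1",
+                    "distribution": "3",
+                    "id": "1",
+                    "info": "OSINT ShellShock scanning IPs from OpenDNS",
+                    "orgc_id": "2",
+                    "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b"
+                  }
+                },
+                {
+                  "id": "4",
+                  "event_id": "1",
+                  "object_id": "0",
+                  "object_relation": null,
+                  "category": "External analysis",
+                  "type": "text",
+                  "to_ids": false,
+                  "uuid": "542e4ccc-b8fc-44af-959d-6ead950d210b",
+                  "timestamp": "1412320460",
+                  "distribution": "5",
+                  "sharing_group_id": "0",
+                  "comment": "",
+                  "deleted": false,
+                  "disable_correlation": false,
+                  "first_seen": null,
+                  "last_seen": null,
+                  "value": "Shellshock",
+                  "Event": {
+                    "org_id": "1",
+                    "distribution": "3",
+                    "id": "1",
+                    "info": "OSINT ShellShock scanning IPs from OpenDNS",
+                    "orgc_id": "2",
+                    "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b"
+                  }
+                },
+                {
+                  "id": "5",
+                  "event_id": "1",
+                  "object_id": "0",
+                  "object_relation": null,
+                  "category": "External analysis",
+                  "type": "comment",
+                  "to_ids": false,
+                  "uuid": "542e4ce7-6120-41c0-8793-e90e950d210b",
+                  "timestamp": "1412320487",
+                  "distribution": "5",
+                  "sharing_group_id": "0",
+                  "comment": "",
+                  "deleted": false,
+                  "disable_correlation": false,
+                  "first_seen": null,
+                  "last_seen": null,
+                  "value": "Data encoded by David André",
+                  "Event": {
+                    "org_id": "1",
+                    "distribution": "3",
+                    "id": "1",
+                    "info": "OSINT ShellShock scanning IPs from OpenDNS",
+                    "orgc_id": "2",
+                    "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b"
+                  }
+                }
+              ]
+            }
+          }
+  - path: /attributes/restSearch
+    methods: ["POST"]
+    request_headers:
+      Authorization: "test"
+      Content-Type: application/json
+    request_body: /^{"limit":"10","page":"2","returnFormat":"json","timestamp":/
+    responses:
+      - status_code: 200
+        body: |-
+          {
+            "response": []
+          }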
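Review bot: Both `request_body` matchers on the new `/attributes/restSearch` rules anchor on an exact JSON key order (`{"limit":"10","page":"1",...` and the `"page":"2"` variant), so any change in how the threat_attributes data stream serialises its request body will make the mock stop matching and the system test will fail on an unmatched route rather than on the pipeline under test. A comment above the first rule would record that coupling: `# request_body must track the key order emitted by the threat_attributes request template`. Separately, every fixture attribute carries `"deleted": false`, `"to_ids": false` and null `first_seen`/`last_seen`, so the test data presumably never exercises how the pipeline treats deleted or IDS-flagged attributes or their sighting timestamps; one attribute with those fields set would cover those branches. The `rules:` list this hunk extends starts before the hunk.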
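--- a/packages/ti_misp/changelog.yml
+++ b/packages/ti_misp/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.11.0"
+  changes:
+    - description: Add Attributes datastream
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/4136
 - version: "1.10.1"
   changes:
     - description: Drop empty event sets.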