File: //usr/share/filebeat/module/misp/threat/config/input.yml
{{ if eq .input "httpjson" }}
type: httpjson
interval: {{ .interval }}
request.method: POST
request.ssl: {{ .ssl | tojson }}
{{ if .proxy_url }}
request.proxy_url: {{ .proxy_url }}
{{ end }}
request.url: {{ .url }}
request.timeout: {{ .http_client_timeout }}
request.body: {{ .http_request_body | tojson }}
request.body.returnFormat: json
request.transforms:
- set:
target: header.Authorization
value: {{.api_key}}
- set:
target: body.timestamp
value: "[[.cursor.timestamp]]"
response.split:
target: body.response.Attribute
response.request_body_on_pagination: true
response.pagination:
- set:
target: body.page
value: "[[add .last_response.page 1]]"
cursor:
timestamp:
value: "[[.last_event.timestamp]]"
{{ else if eq .input "file" }}
type: log
paths:
{{ range $i, $path := .paths }}
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
{{ end }}
processors:
- script:
lang: javascript
id: misp_script
file: ${path.home}/module/misp/threat/config/pipeline.js
- timestamp:
field: json.timestamp
layouts:
- UNIX
- drop_fields:
fields: [json]
- add_fields:
target: ''
fields:
ecs.version: 1.12.0