File: //usr/share/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
---
description: Pipeline for parsing Abuse.ch URL Threat Intel
processors:
####################
# Event ECS fields #
####################
- set:
field: event.ingested
value: "{{_ingest.timestamp}}"
- set:
field: event.kind
value: enrichment
- set:
field: event.category
value: threat
- set:
field: event.type
value: indicator
######################
# General ECS fields #
######################
- rename:
field: message
target_field: event.original
ignore_missing: true
- json:
field: event.original
target_field: abusech.malware
- fingerprint:
fields:
- abusech.malware.md5_hash
- abusech.malware.sha256_hash
target_field: "_id"
#####################
# Threat ECS Fields #
#####################
- set:
field: threat.feed.name
value: "[Filebeat] AbuseCH Malware"
- set:
field: threat.feed.dashboard_id
value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
- date:
field: abusech.malware.firstseen
target_field: threat.indicator.first_seen
formats:
- "yyyy-MM-dd HH:mm:ss z"
- "yyyy-MM-dd HH:mm:ss Z"
- "yyyy-MM-dd HH:mm:ss"
if: "ctx.abusech?.malware?.firstseen != null"
- set:
field: threat.indicator.type
value: file
- rename:
field: abusech.malware.file_size
target_field: threat.indicator.file.size
ignore_missing: true
- rename:
field: abusech.malware.file_type
target_field: threat.indicator.file.type
ignore_missing: true
# This includes a direct link to malicious files, we do not want them to appear in Kibana
# in case they are accidently clicked.
- remove:
field: abusech.malware.urlhaus_download
ignore_missing: true
- convert:
field: threat.indicator.file.size
type: long
ignore_missing: true
- convert:
field: abusech.malware.virustotal.percent
type: float
ignore_missing: true
- rename:
field: abusech.malware.md5_hash
target_field: threat.indicator.file.hash.md5
ignore_missing: true
- rename:
field: abusech.malware.sha256_hash
target_field: threat.indicator.file.hash.sha256
ignore_missing: true
- rename:
field: abusech.malware.imphash
target_field: threat.indicator.file.pe.imphash
ignore_missing: true
- rename:
field: abusech.malware.ssdeep
target_field: threat.indicator.file.hash.ssdeep
ignore_missing: true
- rename:
field: abusech.malware.tlsh
target_field: threat.indicator.file.hash.tlsh
ignore_missing: true
- append:
field: related.hash
value: "{{{threat.indicator.file.hash.md5}}}"
if: ctx?.threat?.indicator?.file?.hash?.md5 != null
- append:
field: related.hash
value: "{{{threat.indicator.file.hash.sha256}}}"
if: ctx?.threat?.indicator?.file?.hash?.sha256 != null
- append:
field: related.hash
value: "{{{threat.indicator.file.hash.ssdeep}}}"
if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null
- append:
field: related.hash
value: "{{{threat.indicator.file.pe.imphash}}}"
if: ctx?.threat?.indicator?.file?.pe?.imphash != null
- append:
field: related.hash
value: "{{{threat.indicator.file.hash.tlsh}}}"
if: ctx?.threat?.indicator?.file?.hash?.tlsh != null
######################
# Cleanup processors #
######################
- set:
field: threat.indicator.type
value: unknown
if: ctx?.threat?.indicator?.type == null
- script:
lang: painless
if: ctx?.abusech != null
source: |
void handleMap(Map map) {
for (def x : map.values()) {
if (x instanceof Map) {
handleMap(x);
} else if (x instanceof List) {
handleList(x);
}
}
map.values().removeIf(v -> v == null);
}
void handleList(List list) {
for (def x : list) {
if (x instanceof Map) {
handleMap(x);
} else if (x instanceof List) {
handleList(x);
}
}
}
handleMap(ctx);
- remove:
field: event.original
if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
ignore_failure: true
ignore_missing: true
- remove:
field:
- abusech.malware.firstseen
- message
ignore_missing: true
on_failure:
- set:
field: error.message
value: "{{ _ingest.on_failure_message }}"