File: //usr/share/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml
---
description: Pipeline for parsing Abuse.ch URL Threat Intel
processors:
####################
# Event ECS fields #
####################
- set:
field: event.ingested
value: "{{_ingest.timestamp}}"
- set:
field: event.kind
value: enrichment
- set:
field: event.category
value: threat
- set:
field: event.type
value: indicator
######################
# General ECS fields #
######################
- rename:
field: message
target_field: event.original
ignore_missing: true
- json:
field: event.original
target_field: abusech.malwarebazaar
- fingerprint:
fields:
- abusech.malwarebazaar.md5_hash
- abusech.malwarebazaar.sha256_hash
target_field: "_id"
#####################
# Threat ECS Fields #
#####################
- set:
field: threat.feed.name
value: "[Filebeat] AbuseCH MalwareBazaar"
- set:
field: threat.feed.dashboard_id
value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
- date:
field: abusech.malwarebazaar.first_seen
target_field: threat.indicator.first_seen
formats:
- "yyyy-MM-dd HH:mm:ss z"
- "yyyy-MM-dd HH:mm:ss Z"
- "yyyy-MM-dd HH:mm:ss"
if: "ctx.abusech?.malwarebazaar?.first_seen != null"
- date:
field: abusech.malwarebazaar.last_seen
target_field: threat.indicator.last_seen
formats:
- "yyyy-MM-dd HH:mm:ss z"
- "yyyy-MM-dd HH:mm:ss Z"
- "yyyy-MM-dd HH:mm:ss"
if: "ctx.abusech?.malwarebazaar?.last_seen != null"
- set:
field: threat.indicator.type
value: file
- rename:
field: abusech.malwarebazaar.file_name
target_field: threat.indicator.file.name
ignore_missing: true
- rename:
field: abusech.malwarebazaar.file_type_mime
target_field: threat.indicator.file.mime_type
ignore_missing: true
- rename:
field: abusech.malwarebazaar.reporter
target_field: threat.indicator.provider
ignore_missing: true
- rename:
field: abusech.malwarebazaar.origin_country
target_field: threat.indicator.geo.country_iso_code
ignore_missing: true
- rename:
field: abusech.malwarebazaar.signature
target_field: threat.software.alias
ignore_missing: true
- foreach:
field: abusech.malwarebazaar.code_sign
ignore_missing: true
processor:
append:
field: threat.indicator.file.x509.subject.common_name
value: "{{{_ingest._value.subject_cn}}}"
- foreach:
field: abusech.malwarebazaar.code_sign
ignore_missing: true
processor:
append:
field: threat.indicator.file.x509.issuer.common_name
value: "{{{_ingest._value.issuer_cn}}}"
- foreach:
field: abusech.malwarebazaar.code_sign
ignore_missing: true
processor:
append:
field: threat.indicator.file.x509.public_key_algorithm
value: "{{{_ingest._value.algorithm}}}"
- foreach:
field: abusech.malwarebazaar.code_sign
ignore_missing: true
processor:
append:
field: threat.indicator.file.x509.not_before
value: "{{{_ingest._value.valid_from}}}"
- foreach:
field: abusech.malwarebazaar.code_sign
ignore_missing: true
processor:
append:
field: threat.indicator.file.x509.not_after
value: "{{{_ingest._value.valid_to}}}"
- foreach:
field: abusech.malwarebazaar.code_sign
ignore_missing: true
processor:
append:
field: threat.indicator.file.x509.serial_number
value: "{{{_ingest._value.serial_number}}}"
- rename:
field: abusech.malwarebazaar.file_size
target_field: threat.indicator.file.size
ignore_missing: true
- rename:
field: abusech.malwarebazaar.file_type
target_field: threat.indicator.file.extension
ignore_missing: true
- rename:
field: abusech.malwarebazaar.md5_hash
target_field: threat.indicator.file.hash.md5
ignore_missing: true
- rename:
field: abusech.malwarebazaar.sha256_hash
target_field: threat.indicator.file.hash.sha256
ignore_missing: true
- rename:
field: abusech.malwarebazaar.sha1_hash
target_field: threat.indicator.file.hash.sha1
ignore_missing: true
- rename:
field: abusech.malwarebazaar.sha3_384_hash
target_field: threat.indicator.file.hash.sha384
ignore_missing: true
- rename:
field: abusech.malwarebazaar.imphash
target_field: threat.indicator.file.pe.imphash
ignore_missing: true
- rename:
field: abusech.malwarebazaar.ssdeep
target_field: threat.indicator.file.hash.ssdeep
ignore_missing: true
- rename:
field: abusech.malwarebazaar.tlsh
target_field: threat.indicator.file.hash.tlsh
ignore_missing: true
- rename:
field: abusech.malwarebazaar.telfhash
target_field: threat.indicator.file.elf.telfhash
ignore_missing: true
- append:
field: related.hash
value: "{{ threat.indicator.file.hash.md5 }}"
if: ctx?.threat?.indicator?.file?.hash?.md5 != null
- append:
field: related.hash
value: "{{ threat.indicator.file.hash.sha256 }}"
if: ctx?.threat?.indicator?.file?.hash?.sha256 != null
- append:
field: related.hash
value: "{{ threat.indicator.file.hash.ssdeep }}"
if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null
- append:
field: related.hash
value: "{{ threat.indicator.file.pe.imphash }}"
if: ctx?.threat?.indicator?.file?.pe?.imphash != null
- append:
field: related.hash
value: "{{ threat.indicator.file.elf.telfhash }}"
if: ctx?.threat?.indicator?.file?.elf?.telfhash != null
- append:
field: related.hash
value: "{{ threat.indicator.file.hash.tlsh }}"
if: ctx?.threat?.indicator?.file?.hash?.tlsh != null
- convert:
field: threat.indicator.file.size
type: long
ignore_missing: true
- convert:
field: abusech.malwarebazaar.intelligence.downloads
type: long
ignore_missing: true
- convert:
field: abusech.malwarebazaar.intelligence.uploads
type: long
ignore_missing: true
######################
# Cleanup processors #
######################
- set:
field: threat.indicator.type
value: unknown
if: ctx?.threat?.indicator?.type == null
- script:
lang: painless
if: ctx?.abusech != null
source: |
void handleMap(Map map) {
for (def x : map.values()) {
if (x instanceof Map) {
handleMap(x);
} else if (x instanceof List) {
handleList(x);
}
}
map.values().removeIf(v -> v == null);
}
void handleList(List list) {
for (def x : list) {
if (x instanceof Map) {
handleMap(x);
} else if (x instanceof List) {
handleList(x);
}
}
}
handleMap(ctx);
- remove:
field: event.original
if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
ignore_failure: true
ignore_missing: true
- remove:
field:
- abusech.malwarebazaar.first_seen
- abusech.malwarebazaar.last_seen
- message
ignore_missing: true
on_failure:
- set:
field: error.message
value: "{{ _ingest.on_failure_message }}"