HEX

Warning: set_time_limit() [function.set-time-limit]: Cannot set time limit - prohibited by configuration in /home/u547966/brikov.ru/www/wp-content/plugins/admin-menu-editor/menu-editor.php on line 745
Server: Apache
System: Linux 4.19.0-0.bpo.9-amd64 x86_64 at red40
User: u547966 (5490)
PHP: 5.3.29-mh2
Disabled: syslog, dl, popen, proc_open, proc_nice, proc_get_status, proc_close, proc_terminate, posix_mkfifo, chown, chgrp, accelerator_reset, opcache_reset, accelerator_get_status, opcache_get_status, pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wifcontinued, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority
$ pwd: /usr/share/filebeat/module/threatintel/otx/ingest/
Upload Files
File: //usr/share/filebeat/module/threatintel/otx/ingest/pipeline.yml
---
description: Pipeline for parsing Abuse.ch URL Threat Intel
processors:
  ####################
  # Event ECS fields #
  ####################
  - set:
      field: event.ingested
      value: "{{_ingest.timestamp}}"
  - set:
      field: event.kind
      value: enrichment
  - set:
      field: event.category
      value: threat
  - set:
      field: event.type
      value: indicator

  ######################
  # General ECS fields #
  ######################
  - rename:
      field: message
      target_field: event.original
      ignore_missing: true
  - json:
      field: event.original
      target_field: otx
  - fingerprint:
      fields:
        - otx.id
      target_field: "_id"

  #####################
  # Threat ECS Fields #
  #####################
  - set:
      field: threat.feed.name
      value: "[Filebeat] Alienvault OTX"
  - set:
      field: threat.feed.dashboard_id
      value: "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f"
  ## File indicator operations
  - set:
      field: threat.indicator.type
      value: file
      if: "ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'"
  - rename:
      field: otx.indicator
      target_field: threat.indicator.file.hash.md5
      ignore_missing: true
      if: "ctx.otx?.type == 'FileHash-MD5'"
  - rename:
      field: otx.indicator
      target_field: threat.indicator.file.hash.sha1
      ignore_missing: true
      if: "ctx.otx?.type == 'FileHash-SHA1'"
  - rename:
      field: otx.indicator
      target_field: threat.indicator.file.hash.sha256
      ignore_missing: true
      if: "ctx.otx?.type == 'FileHash-SHA256'"
  - rename:
      field: otx.indicator
      target_field: threat.indicator.file.hash.pehash
      ignore_missing: true
      if: "ctx.otx?.type == 'FileHash-PEHASH'"
  - rename:
      field: otx.indicator
      target_field: threat.indicator.file.hash.imphash
      ignore_missing: true
      if: "ctx.otx?.type == 'FileHash-IMPHASH'"

  ## IP indicator operations
  - set:
      field: threat.indicator.type
      value: ipv4-addr
      if: ctx.otx?.type == 'IPv4'
  - set:
      field: threat.indicator.type
      value: ipv6-addr
      if: ctx.otx?.type == 'IPv6'
  - rename:
      field: otx.indicator
      target_field: threat.indicator.ip
      ignore_missing: true
      if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)"

  ## URL indicator operations
  - set:
      field: threat.indicator.type
      value: url
      if: "ctx.threat?.indicator?.type == null && ['URL', 'URI'].contains(ctx.otx?.type)"
  - uri_parts:
      field: otx.indicator
      target_field: threat.indicator.url
      keep_original: true
      remove_if_successful: true
      if: ctx.threat?.indicator?.type == 'url'
  - set:
      field: threat.indicator.url.full
      value: "{{{threat.indicator.url.original}}}"
      ignore_empty_value: true
      if: "ctx.otx?.type == 'URL'"

  ## Email indicator operations
  - set:
      field: threat.indicator.type
      value: email-addr
      if: ctx.otx?.type == 'email'
  - rename:
      field: otx.indicator
      target_field: threat.indicator.email.address
      ignore_missing: true
      if: "ctx.threat?.indicator?.type == 'email-addr'"

  ## Domain indicator operations
  - set:
      field: threat.indicator.type
      value: domain-name
      if: "ctx.threat?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.otx?.type)"
  - rename:
      field: otx.indicator
      target_field: threat.indicator.url.domain
      ignore_missing: true
      if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.threat?.indicator?.url?.domain == null"

  ######################
  # Cleanup processors #
  ######################
  - remove:
      field: event.original
      if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
      ignore_failure: true
      ignore_missing: true
  - set:
      field: threat.indicator.type
      value: unknown
      if: ctx.threat?.indicator?.type == null
  - script:
      lang: painless
      if: ctx.otx != null
      source: |
        void handleMap(Map map) {
          for (def x : map.values()) {
            if (x instanceof Map) {
                handleMap(x);
            } else if (x instanceof List) {
                handleList(x);
            }
          }
        map.values().removeIf(v -> v == null);
        }
        void handleList(List list) {
          for (def x : list) {
              if (x instanceof Map) {
                  handleMap(x);
              } else if (x instanceof List) {
                  handleList(x);
              }
          }
        }
        handleMap(ctx);
  - remove:
      field:
        - otx.content
      ignore_missing: true
      if: ctx.otx?.content == ""
  - remove:
      field:
        - otx.type
        - otx.id
        - message
      ignore_missing: true
      if: ctx.threat?.indicator?.type != null
on_failure:
  - set:
      field: error.message
      value: "{{ _ingest.on_failure_message }}"
@ Telegram