Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add proxy_url support to threatintel module's malwarebazaar fileset #28533

Merged
merged 3 commits into from
Oct 20, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -774,6 +774,7 @@ for a few releases. Please use other tools provided by Elastic to fetch data fro
- Add support for secondary object attribute handling in ThreatIntel MISP module {pull}28124[28124]
- Add `base64Decode` and `base64DecodeNoPad` functions to `httpsjon` templates. {pull}28385[28385]
- Add latency config option for aws-cloudwatch input. {pull}28509[28509]
- Added proxy support to threatintel/malwarebazaar. {pull}28533[28533]

*Heartbeat*

Expand Down
24 changes: 24 additions & 0 deletions filebeat/docs/modules/threatintel.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,10 @@ The URL of the API endpoint to connect with.

How often the API is polled for updated information.

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.

Abuse.ch URL Threat Intel is mapped to the following ECS fields.

[options="header"]
Expand Down Expand Up @@ -104,6 +108,10 @@ The URL of the API endpoint to connect with.

How often the API is polled for updated information.

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.

Abuse.ch Malware Threat Intel is mapped to the following ECS fields.

[options="header"]
Expand Down Expand Up @@ -144,6 +152,10 @@ The URL of the API endpoint to connect with.

How often the API is polled for updated information.

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.

Malware Bazaar Threat Intel is mapped to the following ECS fields.

[options="header"]
Expand Down Expand Up @@ -234,6 +246,10 @@ from the last response as the filter when retrieving new events.
List of filters to apply when retrieving new events from the MISP server, this
field is optional and defaults to all events.

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.

MISP Threat Intel is mapped to the following ECS fields.

[options="header"]
Expand Down Expand Up @@ -310,6 +326,10 @@ possible types to filter on can be found in the
https://cybersecurity.att.com/documentation/usm-appliance/otx/about-otx.htm[AlientVault
OTX documentation].

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.


OTX Threat Intel is mapped to the following ECS fields.

Expand Down Expand Up @@ -391,6 +411,10 @@ possible types to filter on can be found on the
https://oasis-open.github.io/cti-documentation/stix/intro.html#stix-21-objects[Stix
2.1 Object types] page.

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.

Anomali Threat Intel is mapped to the following ECS fields.

[options="header"]
Expand Down
24 changes: 24 additions & 0 deletions x-pack/filebeat/module/threatintel/_meta/docs.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,10 @@ The URL of the API endpoint to connect with.

How often the API is polled for updated information.

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.

Abuse.ch URL Threat Intel is mapped to the following ECS fields.

[options="header"]
Expand Down Expand Up @@ -99,6 +103,10 @@ The URL of the API endpoint to connect with.

How often the API is polled for updated information.

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.

Abuse.ch Malware Threat Intel is mapped to the following ECS fields.

[options="header"]
Expand Down Expand Up @@ -139,6 +147,10 @@ The URL of the API endpoint to connect with.

How often the API is polled for updated information.

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.

Malware Bazaar Threat Intel is mapped to the following ECS fields.

[options="header"]
Expand Down Expand Up @@ -229,6 +241,10 @@ from the last response as the filter when retrieving new events.
List of filters to apply when retrieving new events from the MISP server, this
field is optional and defaults to all events.

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.

MISP Threat Intel is mapped to the following ECS fields.

[options="header"]
Expand Down Expand Up @@ -305,6 +321,10 @@ possible types to filter on can be found in the
https://cybersecurity.att.com/documentation/usm-appliance/otx/about-otx.htm[AlientVault
OTX documentation].

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.


OTX Threat Intel is mapped to the following ECS fields.

Expand Down Expand Up @@ -386,6 +406,10 @@ possible types to filter on can be found on the
https://oasis-open.github.io/cti-documentation/stix/intro.html#stix-21-objects[Stix
2.1 Object types] page.

*`var.proxy_url`*::

Optional URL to use as HTTP proxy.

Anomali Threat Intel is mapped to the following ECS fields.

[options="header"]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ request.method: POST

request.ssl: {{ .ssl | tojson }}
{{ end }}
{{ if .proxy_url }}
request.proxy_url: {{ .proxy_url }}
{{ end }}
request.url: {{ .url }}
#request.encode_as: application/x-www-form-encoded

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ var:
- name: ssl
- name: tags
default: [threatintel-malwarebazaar, forwarded]
- name: proxy_url

ingest_pipeline:
- ingest/pipeline.yml
Expand Down