elastic
diff --git a/‎blog/mozin-about/README.MD‎
Lines changed: 28 additions & 0 deletions b/‎blog/mozin-about/README.MD‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎blog/mozin-about/collection.sh‎
Lines changed: 42 additions & 0 deletions b/‎blog/mozin-about/collection.sh‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎blog/mozin-about/index-settings.json‎
Lines changed: 159 additions & 0 deletions b/‎blog/mozin-about/index-settings.json‎
Lines changed: 159 additions & 0 deletions
@@ -0,0 +1,28 @@
+# Mozi'n About
+
+## Abstract
+The Mozi botnet is an ongoing malware campaign targeting unsecured and vulnerable networking devices. This post will showcase the analyst journey of collecting, analyzing, and operationalizing threat data from the Mozi botnet.
+
+## URL
+https://www.elastic.co/blog/[tbd]
+
+## Usage
+
+To load the sample data, you need a local instance of Elasticsearch and Kibana. If you are using anything beyond a default local deployment, you'll need to modify `collection.sh` to match your deployment.
+
+```
+git clone https://github.com/elastic/examples
+cd examples/blog/mozin-about
+sh clollection.sh
+```
+Log into your Kibana instance to explore the data in the `indicators` Index Pattern.
+
+## Artifacts
+Artifacts and code snippets from the blog post.
+
+| Artifact | Description | Note |
+| - | - | - |
+| [Mozi Collection Script](./collection.sh) | Script to collect Mozi samples and send to Elasticsearch | 
+| [Ingest Node Pipeline](./ingest-node-pipeline.json) | ThreatFox Ingest Node Pipeline |
+| [Index Settings](./index-settings.json) | Settings for the Indicators index |
+| [YARA Signature](./mozi-obfuscation-technique.yara) | Mozi obfuscation technique YARA signature | 
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Collect Mozi sample data
+curl -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "taginfo", "tag": "Mozi", "limit": 1000 }' > mozi-raw.json
+
+# Local Elasticsearch & Kibana
+ES_HOST='http://elastic:password@localhost:9200'
+KBN_HOST='http://elastic:password@localhost:5601'
+
+# Elastic Cloud
+# ES_HOST='https://elastic:changeme@abcdef0123456789abcdef0123456789.us-central1.gcp.cloud.es.io:9243'
+# KBN_HOST='https://elastic:changeme@0123456789abcdef01234567890abcdef.us-central1.gcp.cloud.es.io:9243'
+
+# Create the Threat Fox Ingest Pipeline
+curl -XPUT ${ES_HOST}/_ingest/pipeline/threatfox-enrichment -H 'Content-Type: application/json' -d@ingest-node-pipeline.json
+
+# Creates a new index called 'indicators' with the given settings
+curl -XPUT ${ES_HOST}/indicators -H 'Content-Type: application/json' -d@index-settings.json
+
+# Ingests raw data from the cURL response of Threat Fox in the file listed, then does a bulk upload to ES
+cat mozi-raw.json | jq -c -r '.data[]' | \
+while read line; do
+    echo '{"index":{}}';
+    echo $line;
+done | \
+curl --silent -XPOST \
+    -H 'Content-Type: application/x-ndjson' \
+    --data-binary \
+    @- \
+    ${ES_HOST}/indicators/_doc/_bulk
+
+# Create Kibana index pattern
+curl -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
+     ${KBN_HOST}/api/index_patterns/index_pattern -d'
+{
+    "override": false,
+    "refresh_fields": true,
+    "index_pattern": {
+        "title": "indicators*",
+        "timeFieldName": "event.ingested"
+    }
+}'
@@ -0,0 +1,159 @@
+{
+  "settings": {
+    "number_of_shards": 1,
+    "default_pipeline": "threatfox-enrichment"
+  },
+  "mappings": {
+    "properties": {
+      "event": {
+        "properties": {
+          "category": {
+            "type": "keyword"
+          },
+          "id": {
+            "type": "keyword"
+          },
+          "ingested": {
+            "type": "date"
+          },
+          "kind": {
+            "type": "keyword"
+          },
+          "provider": {
+            "type": "keyword"
+          },
+          "reference": {
+            "type": "keyword"
+          },
+          "type": {
+            "type": "keyword"
+          }
+        }
+      },
+      "file": {
+        "properties": {
+          "hash": {
+            "properties": {
+              "sha256": {
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
+      "related": {
+        "properties": {
+          "hash": {
+            "type": "keyword"
+          },
+          "ip": {
+            "type": "ip"
+          }
+        }
+      },
+      "tags": {
+        "type": "keyword"
+      },
+      "threat": {
+        "properties": {
+          "indicator": {
+            "properties": {
+              "confidence": {
+                "type": "long"
+              },
+              "description": {
+                "type": "text"
+              },
+              "first_seen": {
+                "type": "date"
+              },
+              "last_seen": {
+                "type": "date"
+              },
+              "geo": {
+                "properties": {
+                  "city_name": {
+                    "type": "keyword",
+                    "ignore_above": 1024
+                  },
+                  "continent_name": {
+                    "type": "keyword",
+                    "ignore_above": 1024
+                  },
+                  "country_iso_code": {
+                    "type": "keyword",
+                    "ignore_above": 1024
+                  },
+                  "country_name": {
+                    "type": "keyword",
+                    "ignore_above": 1024
+                  },
+                  "location": {
+                    "type": "geo_point"
+                  },
+                  "name": {
+                    "type": "keyword",
+                    "ignore_above": 1024
+                  },
+                  "region_iso_code": {
+                    "type": "keyword",
+                    "ignore_above": 1024
+                  },
+                  "region_name": {
+                    "type": "keyword",
+                    "ignore_above": 1024
+                  },
+                  "timezone": {
+                    "type": "keyword",
+                    "ignore_above": 1024
+                  },
+                  "asn": {
+                    "type": "long"
+                  },
+                  "organization_name": {
+                    "type": "text",
+                    "fields": {
+                      "keyword": {
+                        "type": "keyword",
+                        "ignore_above": 256
+                      }
+                    }
+                  }
+                }
+              },
+              "ip": {
+                "type": "ip"
+              },
+              "port": {
+                "type": "long"
+              },
+              "type": {
+                "type": "keyword"
+              }
+            }
+          },
+          "software": {
+            "properties": {
+              "name": {
+                "type": "keyword"
+              },
+              "reference": {
+                "type": "keyword"
+              },
+              "type": {
+                "type": "keyword"
+              }
+            }
+          },
+          "threatfox": {
+            "properties": {
+              "malware_printable": {
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}