Filebeat threat intel modules

[EchoGangster]

Has anyone tried or been successful implementing Filebeat threat intel modules?

https://www.elastic.co/guide/en/beats/filebeat/7.16/filebeat-module-threatintel.html

https://docs.securityonion.net/en/2.3/filebeat.html - Explains how to use modules which has been supported since 2.360. Attempted to modify the manager.sls file and filebeat would not start afterwards.

[weslambert]

Which fileset are you trying to use for the threat intel module? How have you defined the module settings in the pillar? Have you tried turning debug logging on for Filebeat and checking for clues there? I will be publishing a guide soon to help demonstrate how this can be implemented, as there are other steps that are required to use it effectively.

…

On Mon, Mar 7, 2022 at 3:06 PM EchoGangster ***@***.***> wrote: Has anyone tried or been successful implementing Filebeat threat intel modules? https://www.elastic.co/guide/en/beats/filebeat/7.16/filebeat-module-threatintel.html https://docs.securityonion.net/en/2.3/filebeat.html - Explains how to use modules which has been supported since 2.360. Attempted to modify the manager.sls file and filebeat would not start afterwards. — Reply to this email directly, view it on GitHub <#7448>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEAM3KH3GYJYKITHGCM6HN3U6ZOTLANCNFSM5QEKAWYQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.*** com>

-- https://twitter.com/therealwlambert https://securityonion.net/

[weslambert]

You might try enabling Filebeat debug logging to get some more insight into the issue. It seems like GH has mangled the formatted from what you've pasted. Could you also try formatting via the code block functionality to give a better idea of what it actually looks like in the pillar?

[john-mathew-itt]

Which fileset are you trying to use for the threat intel module? How have you defined the module settings in the pillar? Have you tried turning debug logging on for Filebeat and checking for clues there? I will be publishing a guide soon to help demonstrate how this can be implemented, as there are other steps that are required to use it effectively.
…
On Mon, Mar 7, 2022 at 3:06 PM EchoGangster @.> wrote: Has anyone tried or been successful implementing Filebeat threat intel modules? https://www.elastic.co/guide/en/beats/filebeat/7.16/filebeat-module-threatintel.html https://docs.securityonion.net/en/2.3/filebeat.html - Explains how to use modules which has been supported since 2.360. Attempted to modify the manager.sls file and filebeat would not start afterwards. — Reply to this email directly, view it on GitHub <#7448>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AEAM3KH3GYJYKITHGCM6HN3U6ZOTLANCNFSM5QEKAWYQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub. You are receiving this because you are subscribed to this thread.Message ID: @. com>
-- https://twitter.com/therealwlambert https://securityonion.net/

Hi @weslambert, really looking forward to this guide on Threat Intel module in Filebeat. Did you get a chance to work on this?

[weslambert]

I did. Expect to see something very soon 😉

[weslambert]

@john-mathew-itt , here's a link to a post I put together:
https://glue.ghost.io/leveraging-threat-intel-for-event-enrichment-in-security-onion/

[john-mathew-itt]

Thanks @weslambert this is some really cool stuff.

[macleodit]

Has anyone tried or been successful implementing Filebeat threat intel modules?

https://www.elastic.co/guide/en/beats/filebeat/7.16/filebeat-module-threatintel.html

https://docs.securityonion.net/en/2.3/filebeat.html - Explains how to use modules which has been supported since 2.360. Attempted to modify the manager.sls file and filebeat would not start afterwards.

filebeat:
  third_party_filebeat:
    modules:
      threatintel:
        abuseurl:
          enabled: true
          var.input: httpjson
          var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/
          var.interval: 60m
        abusemalware:
          enabled: true
          var.input: httpjson
          var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/
          var.interval: 60m
        malwarebazaar:
          enabled: true
          var.input: httpjson
          var.url: https://mb-api.abuse.ch/api/v1/
          var.interval: 10m

My issue ended up being because I had tabs in my yaml instead of spaces which, is required. If you put the above directly below the "elasticsearch:"'s section, save, then reboot it should work. (I usually reboot because I never remember which parts need to be so-*-restart ed along with filebeat).

Note, my dashboard under Security -> Overview still says "No threat intel data available to display....You need to enable the filebeat threatintel module in order to view data from different sources.". However, it actually is working because on the "Security Onion - Home" Dashboard homepage under "Security Onion - Dataset" I can see the "threatintel.abuseurl" column count populating.

I don't have a fix yet for the no intel data available yet.

[Bxg7]

Hi @john-mathew-itt & @macleodit & @weslambert - thanks for these instructions! Its working in my setup.
But now how to proceed?

How do you guys setup elastalert / sigma / playbook rules that make use of this Threatintel data? Can you please point me in the right direction? The only thing i have found is geared more towards Elastic SIEM which is a bit different. Many thanks :)

[EchoGangster]

Looks like the update yesterday wiped away the inputs in the manager.sls file I had put a few weeks ago.

[john-mathew-itt]

Hi @john-mathew-itt & @macleodit & @weslambert - thanks for these instructions! Its working in my setup. But now how to proceed? How do you guys setup elastalert / sigma / playbook rules that make use of this Threatintel data? Can you please point me in the right direction? The only thing i have found is geared more towards Elastic SIEM which is a bit different. Many thanks :)

I have followed @weslambert excellent guide here at https://glue.ghost.io/leveraging-threat-intel-for-event-enrichment-in-security-onion/. This creates alerts when an event matches threat intel data. Although I would love to see somebody implement a Playbook approach to reporting alerts.

[Bxg7]

Many thanks @john-mathew-itt for the link :)

[weslambert]

Hi @john-mathew-itt & @macleodit & @weslambert - thanks for these instructions! Its working in my setup. But now how to proceed? How do you guys setup elastalert / sigma / playbook rules that make use of this Threatintel data? Can you please point me in the right direction? The only thing i have found is geared more towards Elastic SIEM which is a bit different. Many thanks :)

I have followed @weslambert excellent guide here at https://glue.ghost.io/leveraging-threat-intel-for-event-enrichment-in-security-onion/. This creates alerts when an event matches threat intel data. Although I would love to see somebody implement a Playbook approach to reporting alerts.

You should also be able to alert on the match field/properties you define during the setup with Playbook, along with other values, instead of having alerts created within the pipeline.