MISP moduleedit

Deprecated in 7.14.0.

This module is deprecated. Use the Threat Intel module instead.

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

This is a filebeat module for reading threat intel information from the MISP platform (https://www.circl.lu/doc/misp/). It uses the httpjson input to access the MISP REST API interface.

The configuration in the config.yml file uses the following format:

  • var.api_key: specifies the API key to access MISP.
  • var.http_request_body: an object containing any parameter that needs to be sent to the search API. Default: limit: 1000
  • var.url: URL of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch"

Read the quick start to learn how to configure and run modules.

Example dashboardedit

This module comes with a sample dashboard. For example:

kibana misp


For a description of each field in the module, see the exported fields section.