MISP moduleedit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

This is a filebeat module for reading threat intel information from the MISP platform (https://www.circl.lu/doc/misp/). It uses the httpjson input to access the MISP REST API interface.

The configuration in the config.yml file uses the following format:

  • var.api_key: specifies the API key to access MISP.
  • var.json_objects_array: specifies the array object in MISP response, e.g., "response.Attribute".
  • var.url: URI of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch"

Example dashboardedit

This module comes with a sample dashboard. For example:

kibana misp

Fieldsedit

For a description of each field in the module, see the exported fields section.