Maltiverse Integration

edit

Version

1.3.0 (View all)

Compatible Kibana version(s)

8.13.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

Level of support
What’s this?

Partner

Maltiverse is a threat intelligence platform. It works as a broker for Threat intelligence sources that are aggregated from more than a hundred different Public, Private and Community sources. Once the data is ingested, the IoC Scoring Algorithm applies a qualitative classification to the IoC that changes. Finally this data can be queried in a Threat Intelligence feed that can be delivered to your Firewalls, SOAR, SIEM, EDR or any other technology.

This integration fetches Maltiverse Threat Intelligence feeds and add them into Elastic Threat Intelligence. It supports hostname, hash, ipv4 and url indicators.

In order to download feed you need to register and generate an API key on you profile page.

IoCs Expiration

edit

Since we want to retain only valuable information and avoid duplicated data, the Maltiverse Elastic integration forces the indicators to rotate into a custom index called: logs-ti_maltiverse_latest.indicator. Please, refer to this index in order to set alerts and so on.

How it works
edit

This is possible thanks to a transform rule installed along with the integration. The transform rule parses the data_stream content that is pulled from Maltiverse and only adds new indicators.

Both, the data_stream and the latest index have applied expiration through ILM and a retention policy in the transform respectively.

Logs

edit
Indicator
edit
Exported fields
Field Description Type

@timestamp

Event timestamp.

date

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.dataset

Event dataset

constant_keyword

event.module

Event module

constant_keyword

input.type

Input type.

keyword

labels.is_ioc_transform_source

Indicates whether an IOC is in the raw source data stream, or the in latest destination index.

constant_keyword

maltiverse.address

registered address

keyword

maltiverse.address.address

Multi-field of maltiverse.address.

match_only_text

maltiverse.as_name

AS registered name

keyword

maltiverse.as_name.as_name

Multi-field of maltiverse.as_name.

match_only_text

maltiverse.asn_cidr

CIDR associated

keyword

maltiverse.asn_country_code

Country code asociated with ASN

keyword

maltiverse.asn_date

date when asn registered

date

maltiverse.asn_registry

ASN registry

keyword

maltiverse.blacklist.count

number of reports for the indicator

long

maltiverse.blacklist.description

what we saw

keyword

maltiverse.blacklist.description.description

Multi-field of maltiverse.blacklist.description.

match_only_text

maltiverse.blacklist.external_references

flattened

maltiverse.blacklist.first_seen

first sighting

date

maltiverse.blacklist.labels

keyword

maltiverse.blacklist.last_seen

last sighting

date

maltiverse.blacklist.source

reporter of the activity

keyword

maltiverse.cidr

CIDR associated

keyword

maltiverse.city

City

keyword

maltiverse.classification

Classification of the threat

keyword

maltiverse.country_code

Country code of the threat

keyword

maltiverse.creation_time

creation date

date

maltiverse.domain_consonants

long

maltiverse.domain_length

long

maltiverse.email

email address

keyword

maltiverse.entropy

double

maltiverse.feed

Origin of the IoC

keyword

maltiverse.hostname

keyword

maltiverse.ip_addr

IP address

ip

maltiverse.is_alive

boolean

maltiverse.is_cdn

boolean description tag

boolean

maltiverse.is_cnc

boolean description tag

boolean

maltiverse.is_distributing_malware

boolean description tag

boolean

maltiverse.is_hosting

boolean description tag

boolean

maltiverse.is_iot_threat

boolean description tag

boolean

maltiverse.is_known_attacker

boolean description tag

boolean

maltiverse.is_known_scanner

boolean description tag

boolean

maltiverse.is_mining_pool

boolean description tag

boolean

maltiverse.is_open_proxy

boolean description tag

boolean

maltiverse.is_phishing

boolean

maltiverse.is_sinkhole

boolean description tag

boolean

maltiverse.is_storing_phishing

boolean

maltiverse.is_tor_node

boolean description tag

boolean

maltiverse.is_vpn_node

boolean description tag

boolean

maltiverse.last_online_time

keyword

maltiverse.location

Longitude and latitude.

geo_point

maltiverse.modification_time

Last modification date

date

maltiverse.number_of_blacklisted_domains_resolving

Blacklisted domains resolving associated

long

maltiverse.number_of_domains_resolving

Domains resolving associated

long

maltiverse.number_of_offline_malicious_urls_allocated

URLs allocated

long

maltiverse.number_of_online_malicious_urls_allocated

URLs allocated

long

maltiverse.number_of_whitelisted_domains_resolving

Whitelisted domains resolving associated

long

maltiverse.postal_code

keyword

maltiverse.registrant_name

Registrant name

keyword

maltiverse.registrant_name.registrant_name

Multi-field of maltiverse.registrant_name.

match_only_text

maltiverse.resolved_ip

flattened

maltiverse.tag

Tags of the threat

keyword

maltiverse.type

Type of the threat

keyword

maltiverse.urlchecksum

keyword

threat.indicator.first_seen

The date and time when intelligence source first reported sighting this indicator.

date

threat.indicator.last_seen

The date and time when intelligence source last reported sighting this indicator.

date

threat.indicator.modified_at

The date and time when intelligence source last modified information for this indicator.

date

Example

An example event for indicator looks as following:

{
    "@timestamp": "2022-11-05T05:37:57.000Z",
    "agent": {
        "ephemeral_id": "c371b9d1-ae14-4272-9d73-3ef7bf7e46f9",
        "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "ti_maltiverse.indicator",
        "namespace": "34244",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "threat"
        ],
        "created": "2024-08-02T05:34:15.473Z",
        "dataset": "ti_maltiverse.indicator",
        "id": "NsHdp9tZZtzo6Kzlv6Z1TmPP47U=",
        "ingested": "2024-08-02T05:34:27Z",
        "kind": "enrichment",
        "original": "{\"blacklist\":{\"count\":1,\"description\":\"QakBot\",\"first_seen\":\"2022-11-03 06:23:53\",\"labels\":[\"malicious-activity\"],\"last_seen\":\"2022-11-05 05:37:57\",\"source\":\"ThreatFox Abuse.ch\"},\"classification\":\"malicious\",\"creation_time\":\"2022-11-03 06:23:53\",\"domain\":\"autooutletllc.com\",\"hostname\":\"autooutletllc.com\",\"is_alive\":false,\"is_cnc\":true,\"is_distributing_malware\":false,\"is_iot_threat\":false,\"is_phishing\":false,\"last_online_time\":\"2022-11-05 05:37:57\",\"modification_time\":\"2022-11-05 05:37:57\",\"tag\":[\"bb05\",\"iso\",\"qakbot\",\"qbot\",\"quakbot\",\"tr\",\"w19\",\"zip\",\"oakboat\",\"pinkslipbot\"],\"tld\":\"com\",\"type\":\"url\",\"url\":\"https://autooutletllc.com/spares.php\",\"urlchecksum\":\"4aa7a29969dc1dffa5cad5af6cb343b9a9b40ea9646fed619d4c8d6472629128\"}",
        "severity": 9,
        "type": [
            "indicator"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "maltiverse": {
        "blacklist": {
            "labels": [
                "malicious-activity"
            ]
        },
        "classification": "malicious",
        "creation_time": "2022-11-03T06:23:53.000Z",
        "feed": "test",
        "hostname": "autooutletllc.com",
        "is_alive": false,
        "is_cnc": true,
        "is_distributing_malware": false,
        "is_iot_threat": false,
        "is_phishing": false,
        "last_online_time": "2022-11-05T05:37:57.000Z",
        "modification_time": "2022-11-05T05:37:57.000Z",
        "type": "url",
        "urlchecksum": "4aa7a29969dc1dffa5cad5af6cb343b9a9b40ea9646fed619d4c8d6472629128"
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "ti_maltiverse-indicator",
        "bb05",
        "iso",
        "qakbot",
        "qbot",
        "quakbot",
        "tr",
        "w19",
        "zip",
        "oakboat",
        "pinkslipbot"
    ],
    "threat": {
        "feed": {
            "reference": "https://maltiverse.com/feed/test"
        },
        "indicator": {
            "confidence": "High",
            "description": "QakBot",
            "first_seen": "2022-11-03T06:23:53.000Z",
            "last_seen": "2022-11-05T05:37:57.000Z",
            "marking": {
                "tlp": "WHITE"
            },
            "provider": "ThreatFox Abuse.ch",
            "reference": "https://maltiverse.com/url/4aa7a29969dc1dffa5cad5af6cb343b9a9b40ea9646fed619d4c8d6472629128",
            "sightings": 1,
            "type": "url",
            "url": {
                "full": "https://autooutletllc.com/spares.php",
                "registered_domain": "autooutletllc.com",
                "top_level_domain": "com"
            }
        }
    }
}

Changelog

edit
Changelog
Version Details Kibana version(s)

1.3.0

Enhancement (View pull request)
Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error".

1.2.5

Bug fix (View pull request)
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.13.0 or higher

1.2.4

Bug fix (View pull request)
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.13.0 or higher

1.2.3

Bug fix (View pull request)
Fix labels.is_ioc_transform_source values

8.13.0 or higher

1.2.2

Bug fix (View pull request)
Add missing fields in transform

8.13.0 or higher

1.2.1

Bug fix (View pull request)
Fix ECS date mapping on threat fields.

8.13.0 or higher

1.2.0

Enhancement (View pull request)
Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

1.1.1

Bug fix (View pull request)
Add missing fields for detection rules.

8.12.0 or higher

1.1.0

Enhancement (View pull request)
Set sensitive values as secret.

8.12.0 or higher

1.0.1

Enhancement (View pull request)
Changed owners

8.8.0 or higher

1.0.0

Enhancement (View pull request)
Release package as GA.

8.8.0 or higher

0.8.0

Enhancement (View pull request)
Limit request tracer log count to five.

0.7.0

Enhancement (View pull request)
ECS version updated to 8.11.0.

0.6.0

Enhancement (View pull request)
Improve event.original check to avoid errors if set.

0.5.0

Enhancement (View pull request)
Set partner owner type.

0.4.0

Bug fix (View pull request)
Move non-ECS fields out of root.

0.3.0

Enhancement (View pull request)
Add DLM policy. Add owner.type to package manifest. Update format_version to 3.0.0

Enhancement (View pull request)
Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

0.2.1

Bug fix (View pull request)
Remove dotted YAML keys.

0.2.0

Enhancement (View pull request)
Add support for HTTP request trace logging.

0.1.0

Enhancement (View pull request)
initial implementation