MISP module


This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

This is a Filebeat module for reading threat intel information from the MISP platform (https://www.circl.lu/doc/misp/). It uses the httpjson input to access the MISP REST API.

The configuration in the config.yml file uses the following format:

  • var.api_key: specifies the API key to access MISP.
  • var.json_objects_array: specifies the array object in the MISP response, e.g., "response.Attribute".
  • var.url: specifies the URL of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch".
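
A configuration using the three settings above, as an added example that is not taken from the module's shipped files. The `threat` fileset name, the `misp.example.org` host and the `MISP_API_KEY` keystore/environment entry are assumptions made for illustration.

```yaml
# Added example, not the module's shipped configuration.
- module: misp
  threat:              # fileset name: assumption, not stated on this page
    enabled: true

    # API key for MISP. Resolved from the Filebeat keystore or environment
    # (assumed entry name MISP_API_KEY) so the secret is not stored in this file.
    var.api_key: "${MISP_API_KEY}"

    # REST search endpoint. misp.example.org is a placeholder host.
    # Using https keeps the API key and the returned attributes from
    # crossing the network in cleartext.
    var.url: "https://misp.example.org/attributes/restSearch"

    # Array in the MISP response that holds the individual attributes.
    var.json_objects_array: "response.Attribute"
```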

Example dashboard


This module comes with a sample dashboard.

Fields


For a description of each field in the module, see the exported fields section.