{
  "name": "ti_custom",
  "title": "Custom Threat Intelligence",
  "version": "1.6.0",
  "release": "ga",
  "description": "Ingest threat intelligence data in STIX 2.1 format with Elastic Agent",
  "type": "integration",
  "download": "/epr/ti_custom/ti_custom-1.6.0.zip",
  "path": "/package/ti_custom/1.6.0",
  "icons": [
    {
      "src": "/img/stix-logo.png",
      "path": "/package/ti_custom/1.6.0/img/stix-logo.png",
      "title": "STIX-TAXII logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.16.0 || ^9.0.0"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "custom",
    "security",
    "threat_intel"
  ],
  "signature_path": "/epr/ti_custom/ti_custom-1.6.0.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/ti_custom/1.6.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/custom-ti-overview.png",
      "path": "/package/ti_custom/1.6.0/img/custom-ti-overview.png",
      "title": "Custom Threat Intelligence - IOCs Overview",
      "size": "1847x950",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/ti_custom/1.6.0/LICENSE.txt",
    "/package/ti_custom/1.6.0/changelog.yml",
    "/package/ti_custom/1.6.0/manifest.yml",
    "/package/ti_custom/1.6.0/validation.yml",
    "/package/ti_custom/1.6.0/docs/README.md",
    "/package/ti_custom/1.6.0/img/custom-ti-overview.png",
    "/package/ti_custom/1.6.0/img/stix-logo.png",
    "/package/ti_custom/1.6.0/data_stream/indicator/lifecycle.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/manifest.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/sample_event.json",
    "/package/ti_custom/1.6.0/kibana/dashboard/ti_custom-e336dd7a-d5cb-4b7f-a6cd-85c45d0bd1ac.json",
    "/package/ti_custom/1.6.0/kibana/search/ti_custom-a06e63dc-01d3-4005-b24f-2fd46c3962b1.json",
    "/package/ti_custom/1.6.0/kibana/tag/ti_custom-fleet-pkg-ti_util-default.json",
    "/package/ti_custom/1.6.0/kibana/tag/ti_custom-ti_util-3e4bef62-18b5-4f4a-96fa-45b0ec39bd73.json",
    "/package/ti_custom/1.6.0/kibana/tag/ti_custom-ti_util-854dd9b5-b286-4329-84a7-1435fe04e3b7.json",
    "/package/ti_custom/1.6.0/data_stream/indicator/fields/base-fields.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/fields/beats.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/fields/ecs.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/fields/fields.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/fields/is-ioc-transform-source-true.yml",
    "/package/ti_custom/1.6.0/elasticsearch/transform/latest_ioc/manifest.yml",
    "/package/ti_custom/1.6.0/elasticsearch/transform/latest_ioc/transform.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/agent/stream/cel.yml.hbs",
    "/package/ti_custom/1.6.0/data_stream/indicator/agent/stream/filestream.yml.hbs",
    "/package/ti_custom/1.6.0/data_stream/indicator/elasticsearch/ilm/default_policy.json",
    "/package/ti_custom/1.6.0/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-asn.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-domain-name.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-email.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-file.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-ip.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-url.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-windows-registry.yml",
    "/package/ti_custom/1.6.0/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-x509.yml",
    "/package/ti_custom/1.6.0/elasticsearch/transform/latest_ioc/fields/base-fields.yml",
    "/package/ti_custom/1.6.0/elasticsearch/transform/latest_ioc/fields/beats.yml",
    "/package/ti_custom/1.6.0/elasticsearch/transform/latest_ioc/fields/ecs.yml",
    "/package/ti_custom/1.6.0/elasticsearch/transform/latest_ioc/fields/fields.yml",
    "/package/ti_custom/1.6.0/elasticsearch/transform/latest_ioc/fields/is-ioc-transform-source-false.yml"
  ],
  "policy_templates": [
    {
      "name": "ti_custom",
      "title": "Custom Threat Intelligence",
      "description": "Collect threat intelligence IOCs",
      "inputs": [
        {
          "type": "cel",
          "title": "Collect STIX data via RESTful API",
          "description": "Collects threat intelligence IOCs in STIX 2.1 from a RESTful API (TAXII 2.1 or others)"
        },
        {
          "type": "filestream",
          "title": "Collect STIX feeds via files",
          "description": "Collects threat intelligence IOCs in STIX 2.1 from file"
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "ti_custom.indicator",
      "ilm_policy": "logs-ti_custom.indicator-default_policy",
      "title": "STIX 2.1 indicators",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "URL API endpoint",
              "description": "URL of the API endpoint to connect to in order to get the STIX data. When working with TAXII, the URL format should be as follows: https://{base_url}/{api-root}/collections/{id}/objects/\n",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "enable_taxii",
              "type": "bool",
              "title": "Enable TAXII 2.1",
              "description": "Enable this toggle when targeting an API compatible with the TAXII 2.1 protocol.\n",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": true
            },
            {
              "name": "ioc_expiration_duration",
              "type": "text",
              "title": "IOC Expiration Duration",
              "description": "Indicator is expired after this duration since its last seen timestamp. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g. 10d). Default `90d`.\n",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "90d"
            },
            {
              "name": "restrict_stix",
              "type": "bool",
              "title": "Restrict STIX 2.1 format",
              "description": "When this toggle is enabled, indicators that don't follow the STIX 2.1 standard format will be dropped. Disabling it allows data that don't follow STIX 2.1 to be ingested and processed by the ingest pipeline.\n",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": true
            },
            {
              "name": "api_key",
              "type": "password",
              "title": "API Key",
              "description": "API key that the API server may require for token authorization.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "key_type",
              "type": "text",
              "title": "API Key Type",
              "description": "The authentication key type for token authorization. If it is not provided, Bearer authorization is used. An example alternative would be \"Token\".\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "username",
              "type": "text",
              "title": "Basic Auth Username",
              "description": "The user to authenticate with in Basic HTTP authentication.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "password",
              "type": "password",
              "title": "Basic Auth Password",
              "description": "The password to authenticate with in Basic HTTP authentication.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "oauth2",
              "type": "yaml",
              "title": "OAuth2 Configuration",
              "description": "e.g. client.id, client.secret, token_url and [other OAuth2 options](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_auth_oauth2_enabled).\n",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#client.id: 12345678901234567890abcdef\n#client.secret: abcdef12345678901234567890\n#token_url: http://example.com/oauth2/token\n"
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            },
            {
              "name": "accept_header",
              "type": "text",
              "title": "Accept header value",
              "description": "The Accept header is used by HTTP Requests to specify which Content-Types are acceptable in response. All TAXII requests must include a media range in the Accept header. More information can be found in the [TAXII specification](https://docs.oasis-open.org/cti/taxii/v2.1/csprd02/taxii-v2.1-csprd02.html#_Toc16526016). This option only applies when `Enable TAXII 2.1` is enabled.\n",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "application/taxii+json;version=2.1"
            },
            {
              "name": "content_header",
              "type": "text",
              "title": "Content-Type header value",
              "description": "The Content-Type header is used by HTTP to identify the format of HTTP Requests and HTTP Responses. More information can be found in the [TAXII specification](https://docs.oasis-open.org/cti/taxii/v2.1/csprd02/taxii-v2.1-csprd02.html#_Toc16526016). This option only applies when `Enable TAXII 2.1` is enabled.\n",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "application/taxii+json;version=2.1"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are URL-encoded.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "program",
              "type": "textarea",
              "title": "The CEL program to be run for each polling.",
              "description": "Program is the CEL program that is executed each polling period to get and transform the API data. More information can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_execution). For APIs that don't follow the TAXII protocol, write this program to match the target API's requirements. Pay special attention to headers, parameters, pagination, body formatting and error handling specific to the target API.\n",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# // Fetch the agent's public IP every minute and note when the last request was made.\n# // It does not use the Resource URL configuration value.\n# bytes(get(\"https://api.ipify.org/?format=json\").Body).as(body, {\n#     \"events\": [body.decode_json().with({\n#         \"last_requested_at\": has(state.cursor) && has(state.cursor.last_requested_at) ?\n#             state.cursor.last_requested_at\n#         :\n#             now\n#     })],\n#     \"cursor\": {\"last_requested_at\": now}\n# })\n"
            },
            {
              "name": "state",
              "type": "yaml",
              "title": "Initial CEL evaluation state",
              "description": "State is the initial state to be provided to the program. If it has a cursor field, that field will be overwritten by any stored cursor, but will be available if no stored cursor exists. More information can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#input-state-cel).\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the configured API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "limit",
              "type": "integer",
              "title": "Limit",
              "description": "The maximum number of objects to return in each API response. It must be a positive number.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "max_executions",
              "type": "integer",
              "title": "Maximum Pages Per Interval",
              "description": "The maximum number of pages that can be collected during each polling interval. Increase this if the integration goes into a degraded state with the message \"exceeding maximum number of CEL executions\". It must be a positive integer.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "feed_name",
              "type": "text",
              "title": "Feed name",
              "description": "Name of the STIX feed to ingest. Used as metadata to enrich events.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "feed_reference",
              "type": "text",
              "title": "Feed reference",
              "description": "Link reference to the source of the data. Used as metadata to enrich events.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "60s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "ti_custom-indicator"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "pipeline",
              "type": "text",
              "title": "Ingest Pipeline",
              "description": "The Ingest Node pipeline ID to be used by the integration. Include an ingest pipeline when ingesting IOCs that don't follow the STIX 2.1 standard.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Collects threat intelligence IOCs",
          "description": "Collects STIX 2.1 data via CEL input",
          "enabled": false,
          "ingestion_method": "API"
        },
        {
          "input": "filestream",
          "vars": [
            {
              "name": "paths",
              "type": "text",
              "title": "Paths",
              "description": "A list of glob-based paths that will be crawled and fetched.",
              "multi": true,
              "required": true,
              "show_user": true
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "ti_custom-indicator"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "ioc_expiration_duration",
              "type": "text",
              "title": "IOC Expiration Duration",
              "description": "Indicator is expired after this duration since its last seen timestamp. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g. 10d). Default `90d`.\n",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "90d"
            },
            {
              "name": "restrict_stix",
              "type": "bool",
              "title": "Restrict STIX 2.1 format",
              "description": "When this toggle is enabled, indicators that don't follow the STIX 2.1 standard format will be dropped. Disabling it allows data that don't follow STIX 2.1 to be ingested and processed by the ingest pipeline.\n",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": true
            },
            {
              "name": "feed_name",
              "type": "text",
              "title": "Feed name",
              "description": "Name of the STIX feed to ingest. Used as metadata to enrich events.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "feed_reference",
              "type": "text",
              "title": "Feed reference",
              "description": "Link reference to the source of the data. Used as metadata to enrich events.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "harvester_limit",
              "type": "integer",
              "title": "Harvester Limit",
              "description": "Limits the number of files that are ingested in parallel. More details [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html#filebeat-input-filestream-harvester-limit).",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "close.on_state_change.inactive",
              "type": "text",
              "title": "File Handle Closure Duration",
              "description": "The duration after which the file handle is closed if the file has not been updated. More details [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html#filebeat-input-filestream-close-inactive).",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "5m"
            },
            {
              "name": "parsers",
              "type": "yaml",
              "title": "Parsers",
              "description": "This option expects a list of parsers that the payload has to go through. For more information, see [Parsers](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html#_parsers).\n",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# For cases when indicators are multiline JSON objects\n# - multiline:\n#     pattern: '^\\{'\n#     negate: true\n#     match: after\n"
            },
            {
              "name": "pipeline",
              "type": "text",
              "title": "Ingest Pipeline",
              "description": "The Ingest Node pipeline ID to be used by the integration. Include an ingest pipeline when ingesting IOCs that don't follow the STIX 2.1 standard.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "filestream.yml.hbs",
          "title": "STIX feeds from file",
          "description": "Collect STIX feeds via Filestream input.",
          "enabled": false,
          "ingestion_method": "File"
        }
      ],
      "package": "ti_custom",
      "path": "indicator"
    }
  ]
}
