{
  "name": "ti_misp",
  "title": "MISP",
  "version": "1.41.4",
  "release": "ga",
  "description": "Ingest threat intelligence indicators from MISP platform with Elastic Agent.",
  "type": "integration",
  "download": "/epr/ti_misp/ti_misp-1.41.4.zip",
  "path": "/package/ti_misp/1.41.4",
  "icons": [
    {
      "src": "/img/misp.svg",
      "path": "/package/ti_misp/1.41.4/img/misp.svg",
      "title": "MISP",
      "size": "216x216",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.13.0 || ^9.0.0"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "threat_intel"
  ],
  "signature_path": "/epr/ti_misp/ti_misp-1.41.4.zip.sig",
  "format_version": "3.0.2",
  "readme": "/package/ti_misp/1.41.4/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/ti_misp-threat_attributes_overview.png",
      "path": "/package/ti_misp/1.41.4/img/ti_misp-threat_attributes_overview.png",
      "title": "MISP Threat Attributes Overview",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/ti_misp-threat_overview.png",
      "path": "/package/ti_misp/1.41.4/img/ti_misp-threat_overview.png",
      "title": "MISP Threat Overview",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/ti_misp/1.41.4/LICENSE.txt",
    "/package/ti_misp/1.41.4/changelog.yml",
    "/package/ti_misp/1.41.4/manifest.yml",
    "/package/ti_misp/1.41.4/validation.yml",
    "/package/ti_misp/1.41.4/docs/README.md",
    "/package/ti_misp/1.41.4/img/misp.svg",
    "/package/ti_misp/1.41.4/img/ti_misp-threat_attributes_overview.png",
    "/package/ti_misp/1.41.4/img/ti_misp-threat_overview.png",
    "/package/ti_misp/1.41.4/kibana/tags.yml",
    "/package/ti_misp/1.41.4/data_stream/threat/manifest.yml",
    "/package/ti_misp/1.41.4/data_stream/threat/sample_event.json",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/lifecycle.yml",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/manifest.yml",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/sample_event.json",
    "/package/ti_misp/1.41.4/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json",
    "/package/ti_misp/1.41.4/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json",
    "/package/ti_misp/1.41.4/kibana/dashboard/ti_misp-563e7c80-9287-11ee-bd41-139b6277f2bf.json",
    "/package/ti_misp/1.41.4/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json",
    "/package/ti_misp/1.41.4/kibana/dashboard/ti_misp-8c76f2f0-9287-11ee-bd41-139b6277f2bf.json",
    "/package/ti_misp/1.41.4/kibana/dashboard/ti_misp-add1e0f0-9286-11ee-bd41-139b6277f2bf.json",
    "/package/ti_misp/1.41.4/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json",
    "/package/ti_misp/1.41.4/data_stream/threat/fields/agent.yml",
    "/package/ti_misp/1.41.4/data_stream/threat/fields/base-fields.yml",
    "/package/ti_misp/1.41.4/data_stream/threat/fields/beats.yml",
    "/package/ti_misp/1.41.4/data_stream/threat/fields/ecs.yml",
    "/package/ti_misp/1.41.4/data_stream/threat/fields/fields.yml",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/fields/agent.yml",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/fields/base-fields.yml",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/fields/beats.yml",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/fields/ecs.yml",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/fields/fields.yml",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/fields/is-ioc-transform-source-true.yml",
    "/package/ti_misp/1.41.4/elasticsearch/transform/latest_ioc/manifest.yml",
    "/package/ti_misp/1.41.4/elasticsearch/transform/latest_ioc/transform.yml",
    "/package/ti_misp/1.41.4/data_stream/threat/agent/stream/httpjson.yml.hbs",
    "/package/ti_misp/1.41.4/data_stream/threat/elasticsearch/ingest_pipeline/default.yml",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/elasticsearch/ilm/default_policy.json",
    "/package/ti_misp/1.41.4/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml",
    "/package/ti_misp/1.41.4/elasticsearch/transform/latest_ioc/fields/agent.yml",
    "/package/ti_misp/1.41.4/elasticsearch/transform/latest_ioc/fields/base-fields.yml",
    "/package/ti_misp/1.41.4/elasticsearch/transform/latest_ioc/fields/beats.yml",
    "/package/ti_misp/1.41.4/elasticsearch/transform/latest_ioc/fields/ecs.yml",
    "/package/ti_misp/1.41.4/elasticsearch/transform/latest_ioc/fields/fields.yml",
    "/package/ti_misp/1.41.4/elasticsearch/transform/latest_ioc/fields/is-ioc-transform-source-false.yml"
  ],
  "policy_templates": [
    {
      "name": "ti_misp",
      "title": "MISP",
      "description": "Ingest threat intelligence indicators from MISP platform with Elastic Agent.",
      "inputs": [
        {
          "type": "httpjson",
          "title": "Ingest threat intelligence indicators from MISP platform with Elastic Agent.",
          "description": "Ingest threat intelligence indicators from MISP platform with Elastic Agent."
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "ti_misp.threat",
      "title": "MISP",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "MISP URL",
              "description": "The URL or hostname of the MISP instance.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "https://mispserver.com"
            },
            {
              "name": "api_token",
              "type": "password",
              "title": "MISP API Token",
              "description": "The API token used to access the MISP instance.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "limit",
              "type": "text",
              "title": "Events Limit",
              "description": "Configures how many events are returned for each API request.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": 10
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial interval",
              "description": "How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "120h"
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "http_request_rate_limit",
              "type": "text",
              "title": "HTTP Request Rate limit",
              "description": "The maximum per endpoint request rate, in requests per second (e.g. 0.5 reqs/sec for 30 reqs/min). Controlling the rate limit may help with the processing of large responses from the MISP API.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 1
            },
            {
              "name": "filters",
              "type": "yaml",
              "title": "MISP API Filters",
              "description": "Filters documented in the [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) are supported.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#type:\n#  OR:\n#  - ip-src\n#  - ip-dst\n#tags:\n#  NOT:\n#  - tlp-red\n"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http\\[s\\]://<user>:<password>@<server name/ip>:<port>",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Interval at which the logs will be pulled. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10m"
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
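              "description": "SSL configuration options. The commented-out example `verification_mode: none` disables verification of the server's TLS certificate, so uncomment it only for temporary troubleshooting. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",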
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#verification_mode: none\n"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "misp-threat"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Because the logged requests and responses can contain sensitive data, enabling request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "MISP",
          "description": "Collect indicators from the MISP API",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "ti_misp",
      "path": "threat"
    },
    {
      "type": "logs",
      "dataset": "ti_misp.threat_attributes",
      "title": "MISP",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "MISP URL",
              "description": "The URL or hostname of the MISP instance.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "https://mispserver.com"
            },
            {
              "name": "api_token",
              "type": "password",
              "title": "MISP API Token",
              "description": "The API token used to access the MISP instance.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "limit",
              "type": "text",
              "title": "Attributes Limit",
              "description": "Configures how many attributes are returned for each API request.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": 10
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial interval",
              "description": "How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "120h"
            },
            {
              "name": "daily_refetch",
              "type": "bool",
              "title": "Enable Daily Refetch",
              "description": "When enabled, the integration performs a daily full refetch of all attributes from the MISP API (every 24 hours), ignoring the cursor and re-fetching from Initial Interval. This ensures decay scores are updated and attributes marked as decayed by MISP's decay models are removed from destination indices.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "ioc_expiration_duration",
              "type": "text",
              "title": "IOC Expiration Duration",
              "description": "Forces all IOCs to expire after this duration. This setting applies to ALL ingested attributes (not just orphaned IOCs) and serves as a fail-safe expiration for \"orphaned\" IOCs that would otherwise never expire. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g. 10d).",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "90d"
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "http_request_rate_limit",
              "type": "text",
              "title": "HTTP Request Rate limit",
              "description": "The maximum per endpoint request rate, in requests per second (e.g. 0.5 reqs/sec for 30 reqs/min). Controlling the rate limit may help with the processing of large responses from the MISP API.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 1
            },
            {
              "name": "filters",
              "type": "yaml",
              "title": "MISP API Filters",
              "description": "Filters documented in the [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) are supported.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#type:\n#  OR:\n#  - ip-src\n#  - ip-dst\n#tags:\n#  NOT:\n#  - tlp-red\n#decayingModel: 2\n"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http\\[s\\]://<user>:<password>@<server name/ip>:<port>",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Interval at which the logs will be pulled. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10m"
            },
            {
              "name": "enforce_warning_list",
              "type": "bool",
              "title": "Enforce Warning List",
              "description": "Allows filtering on events with [MISP Warning lists](https://www.circl.lu/doc/misp/warninglists/#misp-warning-lists-introduction-the-dilemma-of-false-positive). Commonly used to filter out possible false positives.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
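              "description": "SSL configuration options. The commented-out example `verification_mode: none` disables verification of the server's TLS certificate, so uncomment it only for temporary troubleshooting. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",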
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# verification_mode: none\n"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "misp-threat_attributes"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Because the logged requests and responses can contain sensitive data, enabling request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "MISP",
          "description": "Collect indicators from the MISP Attributes API",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "ti_misp",
      "path": "threat_attributes"
    }
  ]
}
