Copy tag names from MISP data into events (#21664) (#22331)

andrewkroh · hungnguyen-elastic · web-flow · commit aa23e12ae899 · 2020-11-02T09:54:23.000-05:00
For each tag in the MISP data copy the name attribute into the `tags` array. (cherry picked from commit 1933672) Co-authored-by: hungnguyen-elastic <70958189+hungnguyen-elastic@users.noreply.github.com>
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -730,6 +730,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Add max_number_of_messages config into s3 input. {pull}21993[21993]
 - Update Okta documentation for new stateful restarts. {pull}22091[22091]
 - Add SSL option to checkpoint module {pull}19560[19560]
+- Copy tag names from MISP data into events. {pull}21664[21664]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/misp/threat/config/pipeline.js b/x-pack/filebeat/module/misp/threat/config/pipeline.js
@@ -37,6 +37,19 @@ var threat = (function () {
         ignore_missing: true,
     });
 
+    // Copy tag names from MISP event to tags field.
+    var copyTags = function (evt) {
+        var mispTags = evt.Get("json.Tag");
+        if (!mispTags) {
+            return;
+        }
+        mispTags.forEach(function (tag) {
+            if (tag.name) {
+                evt.AppendTo("tags", tag.name);
+            }
+        });
+    };
+
     var setAttackPattern = function (evt) {
         var indicator_type = evt.Get("json.type");
         var attackPattern;
@@ -202,6 +215,7 @@ var threat = (function () {
         .Add(setThreatFeedField)
         .Add(convertFields)
         .Add(setAttackPattern)
+        .Add(copyTags)
         .Build();
 
     return {
diff --git a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log
@@ -2,3 +2,4 @@
 {"id":"2","event_id":"2","object_id":"0","object_relation":null,"category":"Payload delivery","type":"md5","to_ids":true,"uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"89357a1b2e32f2b9bddff94b8136810b","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass","orgc_id":"2","uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81"}}
 {"id":"3","event_id":"3","object_id":"0","object_relation":null,"category":"Payload delivery","type":"filename","to_ids":true,"uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass","orgc_id":"2","uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81"}}
 {"id":"4","event_id":"4","object_id":"0","object_relation":null,"category":"Bad Domain","type":"domain","to_ids":true,"uuid":"563b3ea6-b26c-401f-a68b-4d84950d210b","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de","Event":{"org_id":"4","distribution":"3","id":"4","info":"OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman","orgc_id":"2","uuid":"563b3ea6-b26c-401f-a68b-4d84950d210b"}}
+{"Galaxy":[],"ShadowAttribute":[],"Tag":[{"colour":"#eb2323","exportable":true,"hide_tag":false,"id":"966","local":0,"name":"critical-ioc-quarantine","numerical_value":null,"user_id":"1"}],"category":"Network activity","comment":"","deleted":false,"disable_correlation":false,"distribution":"5","event_id":"693","first_seen":null,"id":"170814","last_seen":null,"object_id":"0","object_relation":null,"sharing_group_id":"0","timestamp":"1602078120","to_ids":false,"type":"url","uuid":"83078f8c-3d38-4fec-87a1-8be22a0be0a6","value":"endgame.hungmnguyen.us"}
diff --git a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json
@@ -105,5 +105,26 @@
         "rule.id": "4",
         "rule.uuid": "563b3ea6-b26c-401f-a68b-4d84950d210b",
         "service.type": "misp"
+    },
+    {
+        "@timestamp": "2020-10-07T13:42:00.000Z",
+        "event.category": "threat-intel",
+        "event.dataset": "misp.threat",
+        "event.id": "83078f8c-3d38-4fec-87a1-8be22a0be0a6",
+        "event.kind": "event",
+        "event.module": "misp",
+        "event.type": "indicator",
+        "fileset.name": "threat",
+        "input.type": "log",
+        "log.offset": 2149,
+        "message": "endgame.hungmnguyen.us",
+        "misp.threat_indicator.attack_pattern": "[url:full = 'endgame.hungmnguyen.us']",
+        "misp.threat_indicator.attack_pattern_kql": "url.full: \"endgame.hungmnguyen.us\"",
+        "misp.threat_indicator.feed": "misp",
+        "misp.threat_indicator.type": "url",
+        "rule.category": "Network activity",
+        "service.type": "misp",
+        "tags": "critical-ioc-quarantine",
+        "url.full": "endgame.hungmnguyen.us"
     }
 ]
