From c6a12bec9fbb202ff0b1776ccc6c8ac262f1c147 Mon Sep 17 00:00:00 2001 
From: Philippe Oberti Date: Wed, 11 Sep 2024 02:26:41 +0200 Subject: [PATCH] [Security Solution] migrate Threat Intelligence Cypress tests into security_solution_cypress folder (#191162) --- .../plugins/threat_intelligence/kibana.jsonc | 7 +- .../threat_intelligence/block_list.cy.ts | 112 + .../threat_intelligence/cases.cy.ts | 138 + .../threat_intelligence/empty_page.cy.ts | 33 + .../threat_intelligence/indicators.cy.ts | 382 +++ .../threat_intelligence/query_bar.cy.ts | 193 ++ .../threat_intelligence/timeline.cy.ts | 123 + .../screens/threat_intelligence/blocklist.ts | 27 + .../screens/threat_intelligence/cases.ts | 33 + .../screens/threat_intelligence/common.ts | 17 + .../screens/threat_intelligence/empty_page.ts | 14 + .../screens/threat_intelligence/indicators.ts | 130 + .../screens/threat_intelligence/query_bar.ts | 15 + .../screens/threat_intelligence/timeline.ts | 31 + .../tasks/threat_intelligence/blocklist.ts | 41 + .../tasks/threat_intelligence/cases.ts | 74 + .../tasks/threat_intelligence/common.ts | 120 + .../tasks/threat_intelligence/indicators.ts | 62 + .../tasks/threat_intelligence/query_bar.ts | 115 + .../tasks/threat_intelligence/timeline.ts | 80 + .../ti_indicators_data_invalid/data.json | 1809 ++++++++++++ .../ti_indicators_data_invalid/mappings.json | 1599 ++++++++++ .../ti_indicators_data_multiple/data.json | 2567 +++++++++++++++++ .../ti_indicators_data_multiple/mappings.json | 1599 ++++++++++ .../ti_indicators_data_no_mappings/data.json | 171 ++ .../ti_indicators_data_single/data.json | 77 + .../ti_indicators_data_single/mappings.json | 1599 ++++++++++ .../pipelines/pipeline.ts | 12 + .../pipelines/ti_abusech_malware.ts | 212 ++ .../pipelines/ti_abusech_malware_bazaar.ts | 356 +++ .../pipelines/ti_abusech_url.ts | 151 + .../test/security_solution_cypress/runner.ts | 24 + 32 files changed, 11920 insertions(+), 3 deletions(-) create mode 100644 
x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/block_list.cy.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/cases.cy.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/empty_page.cy.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/indicators.cy.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/query_bar.cy.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/timeline.cy.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/blocklist.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/cases.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/common.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/empty_page.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/indicators.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/query_bar.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/timeline.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/blocklist.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/cases.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/common.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/indicators.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/query_bar.ts create mode 100644 
x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/timeline.ts create mode 100644 x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_invalid/data.json create mode 100644 x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_invalid/mappings.json create mode 100644 x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_multiple/data.json create mode 100644 x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_multiple/mappings.json create mode 100644 x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_no_mappings/data.json create mode 100644 x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_single/data.json create mode 100644 x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_single/mappings.json create mode 100644 x-pack/test/security_solution_cypress/pipelines/pipeline.ts create mode 100644 x-pack/test/security_solution_cypress/pipelines/ti_abusech_malware.ts create mode 100644 x-pack/test/security_solution_cypress/pipelines/ti_abusech_malware_bazaar.ts create mode 100644 x-pack/test/security_solution_cypress/pipelines/ti_abusech_url.ts
diff --git a/x-pack/plugins/threat_intelligence/kibana.jsonc b/x-pack/plugins/threat_intelligence/kibana.jsonc
index 3c750402438b2..35077b11facac 100644
--- a/x-pack/plugins/threat_intelligence/kibana.jsonc
+++ b/x-pack/plugins/threat_intelligence/kibana.jsonc
@@ -11,11 +11,12 @@
 "cases",
 "data",
 "dataViews",
+ "inspector",
+ "kibanaReact",
 "kibanaUtils",
 "navigation",
- "kibanaReact",
- "triggersActionsUi",
- "inspector"
+ "security",
+ "triggersActionsUi"
 ],
 "requiredBundles": [
 "data",
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/block_list.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/block_list.cy.ts
new file mode 100644
index 0000000000000..ec7c480400793
--- /dev/null
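Review bot: The new `"security"` entry in `requiredPlugins` is the only change to the plugin itself in a commit whose subject is a test migration, and nothing in the subject or diffstat says which part of the plugin now depends on it; a line in the description naming that import would save the next reader a bisect. `requiredPlugins` is a hard dependency, so the threat_intelligence plugin will refuse to load in any configuration where the security plugin is absent; if the dependency is only needed for an optional feature, `optionalPlugins` with a runtime guard is the safer placement. The re-sorting of the existing entries is fine.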
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/block_list.cy.ts 
@@ -0,0 +1,112 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { visitWithTimeRange } from '../../../tasks/navigation'; +import { + closeFlyout, + navigateToThreatIntelligence, + openFlyout, + openFlyoutTakeAction, + openIndicatorsTableMoreActions, + waitForViewToBeLoaded, +} from '../../../tasks/threat_intelligence/common'; +import { + fillBlocklistForm, + openAddToBlockListFlyoutFromTable, + openAddToBlocklistFromFlyout, +} from '../../../tasks/threat_intelligence/blocklist'; +import { navigateToBlocklist } from '../../../tasks/threat_intelligence/common'; +import { login } from '../../../tasks/login'; +import { + BLOCK_LIST_VALUE_INPUT, + FLYOUT_ADD_TO_BLOCK_LIST_ITEM, + INDICATORS_TABLE_ADD_TO_BLOCK_LIST_BUTTON_ICON, + SAVED_BLOCK_LIST_DESCRIPTION, + SAVED_BLOCK_LIST_NAME, +} from '../../../screens/threat_intelligence/blocklist'; + +const URL = '/app/security/threat_intelligence/indicators'; + +const FIRST_BLOCK_LIST_NEW_NAME = 'first blocklist entry'; +const FIRST_BLOCK_LIST_NEW_DESCRIPTION = 'the first description'; +const SECOND_BLOCK_LIST_NEW_NAME = 'second blocklist entry'; +const SECOND_BLOCK_LIST_NEW_DESCRIPTION = 'the second description'; + +describe('Block list with invalid indicators', { tags: ['@ess'] }, () => { + before(() => cy.task('esArchiverLoad', { archiveName: 'ti_indicators_data_invalid' })); + + after(() => cy.task('esArchiverUnload', { archiveName: 'ti_indicators_data_invalid' })); + + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('should disabled blocklist in the indicators table context menu item and flyout context menu items', () => { + openIndicatorsTableMoreActions(3); + cy.get(INDICATORS_TABLE_ADD_TO_BLOCK_LIST_BUTTON_ICON).should('be.disabled'); + + openFlyout(3); 
+ openFlyoutTakeAction(); + cy.get(FLYOUT_ADD_TO_BLOCK_LIST_ITEM).should('be.disabled'); + }); +}); + +describe('Block list interactions', { tags: ['@ess'] }, () => { + before(() => cy.task('esArchiverLoad', { archiveName: 'ti_indicators_data_multiple' })); + + after(() => cy.task('esArchiverUnload', { archiveName: 'ti_indicators_data_multiple' })); + + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('should add to block list from the indicators table and from flyout', () => { + // first indicator is a valid indicator for add to blocklist feature + const firstIndicatorId = 'd86e656455f985357df3063dff6637f7f3b95bb27d1769a6b88c7adecaf7763f'; + + cy.log('add to blocklist from the table more action menu'); + + openIndicatorsTableMoreActions(); + openAddToBlockListFlyoutFromTable(); + + cy.get(BLOCK_LIST_VALUE_INPUT(firstIndicatorId)); + + fillBlocklistForm(FIRST_BLOCK_LIST_NEW_NAME, FIRST_BLOCK_LIST_NEW_DESCRIPTION); + navigateToBlocklist(); + + cy.get(SAVED_BLOCK_LIST_NAME).eq(0).should('have.text', FIRST_BLOCK_LIST_NEW_NAME); + cy.get(SAVED_BLOCK_LIST_DESCRIPTION) + .eq(0) + .should('have.text', FIRST_BLOCK_LIST_NEW_DESCRIPTION); + + navigateToThreatIntelligence(); + + // second indicator is a valid indicator for add to blocklist feature + const secondIndicatorId = 'd3e2cf87eabf84ef929aaf8dad1431b3387f5a26de8ffb7a0c3c2a13f973c0ab'; + + cy.log('add to blocklist from the flyout'); + + openFlyout(1); + openFlyoutTakeAction(); + openAddToBlocklistFromFlyout(); + + cy.get(BLOCK_LIST_VALUE_INPUT(secondIndicatorId)); + + fillBlocklistForm(SECOND_BLOCK_LIST_NEW_NAME, SECOND_BLOCK_LIST_NEW_DESCRIPTION); + closeFlyout(); + navigateToBlocklist(); + + cy.get(SAVED_BLOCK_LIST_NAME).eq(0).should('have.text', SECOND_BLOCK_LIST_NEW_NAME); + cy.get(SAVED_BLOCK_LIST_DESCRIPTION) + .eq(0) + .should('have.text', SECOND_BLOCK_LIST_NEW_DESCRIPTION); + }); +}); 
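Review bot: `navigateToBlocklist` is imported on its own from `'../../../tasks/threat_intelligence/common'` a few lines after the grouped import from that same module; fold it into the existing list (`navigateToBlocklist,` between `closeFlyout,` and `navigateToThreatIntelligence,`) so the module is imported once. The second spec creates two blocklist entries and nothing in `after` removes them, so they outlive the `esArchiverUnload` and the `.eq(0)` assertions only hold while the newest entry still sorts first; either add a cleanup step or state in a comment that the environment is reset between specs. The spec title `should disabled blocklist in the indicators table context menu item and flyout context menu items` should read `should disable …`.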
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/cases.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/cases.cy.ts new file mode 100644 index 0000000000000..4efdd7151c7ec --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/cases.cy.ts 
@@ -0,0 +1,138 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { visitWithTimeRange } from '../../../tasks/navigation'; +import { + navigateToThreatIntelligence, + openFlyout, + openFlyoutTakeAction, + openIndicatorsTableMoreActions, + waitForViewToBeLoaded, +} from '../../../tasks/threat_intelligence/common'; +import { + createNewCaseFromTI, + navigateToCaseViaToaster, + openAddToExistingCaseFlyoutFromTable, + openAddToExistingCaseFromFlyout, + openAddToNewCaseFlyoutFromTable, + openAddToNewCaseFromFlyout, + selectExistingCase, +} from '../../../tasks/threat_intelligence/cases'; +import { + CASE_COMMENT_EXTERNAL_REFERENCE, + FLYOUT_ADD_TO_EXISTING_CASE_ITEM, + FLYOUT_ADD_TO_NEW_CASE_ITEM, + INDICATORS_TABLE_ADD_TO_EXISTING_CASE_BUTTON_ICON, + INDICATORS_TABLE_ADD_TO_NEW_CASE_BUTTON_ICON, +} from '../../../screens/threat_intelligence/cases'; +import { login } from '../../../tasks/login'; + +const URL = '/app/security/threat_intelligence/indicators'; + +describe('Cases with invalid indicators', { tags: ['@ess'] }, () => { + before(() => cy.task('esArchiverLoad', { archiveName: 'ti_indicators_data_invalid' })); + + after(() => cy.task('esArchiverUnload', { archiveName: 'ti_indicators_data_invalid' })); + + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('should disable the indicators table context menu items and flyout context menu items', () => { + const documentsNumber = 22; + openIndicatorsTableMoreActions(documentsNumber - 1); + + cy.get(INDICATORS_TABLE_ADD_TO_EXISTING_CASE_BUTTON_ICON).should('be.disabled'); + cy.get(INDICATORS_TABLE_ADD_TO_NEW_CASE_BUTTON_ICON).should('be.disabled'); + + openFlyout(documentsNumber - 1); + openFlyoutTakeAction(); + + 
cy.get(FLYOUT_ADD_TO_EXISTING_CASE_ITEM).should('be.disabled'); + cy.get(FLYOUT_ADD_TO_NEW_CASE_ITEM).should('be.disabled'); + }); +}); + +describe('Cases interactions', { tags: ['@ess'] }, () => { + before(() => cy.task('esArchiverLoad', { archiveName: 'ti_indicators_data_single' })); + + after(() => cy.task('esArchiverUnload', { archiveName: 'ti_indicators_data_single' })); + + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('should add to new case and to existing case from the indicators table and the flyout', () => { + cy.log('should add to new case when clicking on the button in the indicators table'); + + openIndicatorsTableMoreActions(); + openAddToNewCaseFlyoutFromTable(); + createNewCaseFromTI(); + navigateToCaseViaToaster(); + + cy.get(CASE_COMMENT_EXTERNAL_REFERENCE) + .should('exist') + .and('contain.text', 'added an indicator of compromise') + .and('contain.text', 'Indicator name') + .and('contain.text', 'Indicator type') + .and('contain.text', 'Feed name'); + + navigateToThreatIntelligence(); + + cy.log('should add to existing case when clicking on the button in the indicators table'); + + openIndicatorsTableMoreActions(); + openAddToExistingCaseFlyoutFromTable(); + selectExistingCase(); + navigateToCaseViaToaster(); + + cy.get(CASE_COMMENT_EXTERNAL_REFERENCE) + .should('exist') + .and('contain.text', 'added an indicator of compromise') + .and('contain.text', 'Indicator name') + .and('contain.text', 'Indicator type') + .and('contain.text', 'Feed name'); + + navigateToThreatIntelligence(); + + cy.log('should add to new case when clicking on the button in the indicators flyout'); + + openFlyout(0); + openFlyoutTakeAction(); + openAddToNewCaseFromFlyout(); + createNewCaseFromTI(); + + navigateToCaseViaToaster(); + cy.get(CASE_COMMENT_EXTERNAL_REFERENCE) + .should('exist') + .and('contain.text', 'added an indicator of compromise') + .and('contain.text', 'Indicator name') + .and('contain.text', 'Indicator 
type') + .and('contain.text', 'Feed name'); + + navigateToThreatIntelligence(); + + cy.log('should add to existing case when clicking on the button in the indicators flyout'); + + openFlyout(0); + openFlyoutTakeAction(); + openAddToExistingCaseFromFlyout(); + selectExistingCase(); + + navigateToCaseViaToaster(); + cy.get(CASE_COMMENT_EXTERNAL_REFERENCE) + .should('exist') + .and('contain.text', 'added an indicator of compromise') + .and('contain.text', 'Indicator name') + .and('contain.text', 'Indicator type') + .and('contain.text', 'Feed name'); + }); +}); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/empty_page.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/empty_page.cy.ts new file mode 100644 index 0000000000000..1fc5c21e14af0 --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/empty_page.cy.ts 
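Review bot: The same six-line assertion chain on `CASE_COMMENT_EXTERNAL_REFERENCE` is repeated four times in the `Cases interactions` spec, so a wording change to the comment text has to be edited in four places; a small spec-local helper keeps the expected strings together. The cases created by `createNewCaseFromTI` are never deleted, so each run leaves cases behind and on a re-run `selectExistingCase` is choosing among several; if the suite already has a cases cleanup helper it belongs in `after`, otherwise a comment should say the cases are intentionally left in place.
```typescript
const assertIndicatorCommentOnCase = () => {
  cy.get(CASE_COMMENT_EXTERNAL_REFERENCE)
    .should('exist')
    .and('contain.text', 'added an indicator of compromise')
    .and('contain.text', 'Indicator name')
    .and('contain.text', 'Indicator type')
    .and('contain.text', 'Feed name');
};
// … unchanged: both describe blocks; each repeated chain replaced by assertIndicatorCommentOnCase() …
```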
@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { visitWithTimeRange } from '../../../tasks/navigation';
+import { login } from '../../../tasks/login';
+import {
+ EMPTY_PAGE_BODY,
+ EMPTY_PAGE_DOCS_LINK,
+ EMPTY_PAGE_INTEGRATIONS_LINK,
+} from '../../../screens/threat_intelligence/empty_page';
+
+const URL = '/app/security/threat_intelligence/';
+
+describe('Empty Page', { tags: ['@ess'] }, () => {
+ beforeEach(() => {
+ login();
+ visitWithTimeRange(URL);
+ });
+
+ it('should render the empty page with link to docs and integrations, and navigate to integrations page', () => {
+ cy.get(EMPTY_PAGE_BODY).should('be.visible');
+ cy.get(EMPTY_PAGE_DOCS_LINK).should('be.visible');
+ cy.get(EMPTY_PAGE_INTEGRATIONS_LINK).should('be.visible');
+
+ cy.get(EMPTY_PAGE_INTEGRATIONS_LINK).click();
+ cy.url().should('include', '/app/integrations/browse/threat_intel');
+ cy.get('h1').first().should('contain', 'Integrations');
+ });
+});
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/indicators.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/indicators.cy.ts
new file mode 100644
index 0000000000000..1fc5c21e14af0
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/indicators.cy.ts
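Review bot: `cy.get('h1').first().should('contain', 'Integrations')` is the only assertion in these specs built on a bare element selector rather than a `data-test-subj` screen constant; it matches whichever heading the Integrations app happens to render first, so a constant in `screens/threat_intelligence/empty_page.ts` (or relying on the `cy.url()` check alone) is the more stable form. The spec also only passes while no TI indicator archive is loaded, which depends on the sibling specs' `after` hooks having run; a comment such as `// precondition: no ti_indicators_* archive is loaded` would explain a failure seen after an aborted run.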
@@ -0,0 +1,382 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { INDICATORS_TABLE_INVESTIGATE_IN_TIMELINE_BUTTON_ICON } from '../../../screens/threat_intelligence/timeline'; +import { + closeFlyout, + navigateToFlyoutJsonTab, + navigateToFlyoutTableTab, + openFlyout, + waitForViewToBeLoaded, +} from '../../../tasks/threat_intelligence/common'; +import { + clearQuery, + closeFieldBrowser, + enterQuery, + navigateToIndicatorsTablePage, + openFieldBrowser, + openInspector, +} from '../../../tasks/threat_intelligence/indicators'; +import { + ADD_INTEGRATIONS_BUTTON, + BREADCRUMBS, + DEFAULT_LAYOUT_TITLE, + EMPTY_STATE, + ENDING_BREADCRUMB, + FIELD_BROWSER, + FIELD_BROWSER_MODAL, + FIELD_SELECTOR, + FIELD_SELECTOR_INPUT, + FIELD_SELECTOR_LIST, + FIELD_SELECTOR_TOGGLE_BUTTON, + FILTERS_GLOBAL_CONTAINER, + FLYOUT_JSON, + FLYOUT_OVERVIEW_HIGH_LEVEL_BLOCK_ITEM, + FLYOUT_OVERVIEW_HIGHLIGHTED_FIELDS_TABLE, + FLYOUT_TABLE, + FLYOUT_TABS, + FLYOUT_TITLE, + INDICATOR_TYPE_CELL, + INDICATORS_TABLE, + INDICATORS_TABLE_FEED_NAME_CELL, + INDICATORS_TABLE_FEED_NAME_COLUMN_HEADER, + INDICATORS_TABLE_FIRST_SEEN_COLUMN_HEADER, + INDICATORS_TABLE_INDICATOR_LAST_SEEN_CELL, + INDICATORS_TABLE_INDICATOR_NAME_CELL, + INDICATORS_TABLE_INDICATOR_NAME_COLUMN_HEADER, + INDICATORS_TABLE_INDICATOR_TYPE_CELL, + INDICATORS_TABLE_INDICATOR_TYPE_COLUMN_HEADER, + INDICATORS_TABLE_LAST_SEEN_COLUMN_HEADER, + INDICATORS_TABLE_ROW_CELL, + INSPECTOR_BUTTON, + INSPECTOR_PANEL, + LEADING_BREADCRUMB, + QUERY_INPUT, + REFRESH_BUTTON, + TABLE_CONTROLS, + TIME_RANGE_PICKER, +} from '../../../screens/threat_intelligence/indicators'; +import { login } from '../../../tasks/login'; +import { visit, visitWithTimeRange } from '../../../tasks/navigation'; + +const URL = 
'/app/security/threat_intelligence/indicators'; +const URL_WITH_CONTRADICTORY_FILTERS = + '/app/security/threat_intelligence/indicators?indicators=(filterQuery:(language:kuery,query:%27%27),filters:!((%27$state%27:(store:appState),meta:(alias:!n,disabled:!f,index:%27%27,key:threat.indicator.type,negate:!f,params:(query:file),type:phrase),query:(match_phrase:(threat.indicator.type:file))),(%27$state%27:(store:appState),meta:(alias:!n,disabled:!f,index:%27%27,key:threat.indicator.type,negate:!f,params:(query:url),type:phrase),query:(match_phrase:(threat.indicator.type:url)))),timeRange:(from:now/d,to:now/d))'; + +describe('Single indicator', { tags: ['@ess'] }, () => { + before(() => cy.task('esArchiverLoad', { archiveName: 'ti_indicators_data_single' })); + + after(() => cy.task('esArchiverUnload', { archiveName: 'ti_indicators_data_single' })); + + describe('basic/simple url', () => { + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('should render the basic page elements', () => { + cy.log('should show breadcrumb'); + + cy.get(BREADCRUMBS).should('be.visible'); + cy.get(LEADING_BREADCRUMB).should('have.text', 'Security'); + cy.get(ENDING_BREADCRUMB).should('have.text', 'Intelligence'); + + cy.log('should show title'); + + cy.get(DEFAULT_LAYOUT_TITLE).should('have.text', 'Indicators'); + + cy.log('should show table'); + + cy.get(INDICATORS_TABLE).should('exist'); + cy.get(INDICATORS_TABLE_INDICATOR_NAME_COLUMN_HEADER).should('exist'); + cy.get(INDICATORS_TABLE_INDICATOR_NAME_CELL).should( + 'contain.text', + 'd86e656455f985357df3063dff6637f7f3b95bb27d1769a6b88c7adecaf7763f' + ); + cy.get(INDICATORS_TABLE_INDICATOR_TYPE_COLUMN_HEADER).should('exist'); + cy.get(INDICATORS_TABLE_INDICATOR_TYPE_CELL).should('contain.text', 'file'); + cy.get(INDICATORS_TABLE_FEED_NAME_COLUMN_HEADER).should('exist'); + cy.get(INDICATORS_TABLE_FEED_NAME_CELL).should('contain.text', 'AbuseCH Malware'); + 
cy.get(INDICATORS_TABLE_FIRST_SEEN_COLUMN_HEADER).should('exist'); + cy.get(INDICATORS_TABLE_LAST_SEEN_COLUMN_HEADER).should('exist'); + cy.get(INDICATORS_TABLE_INDICATOR_LAST_SEEN_CELL).should('contain.text', '-'); + + cy.log('should show kql bar'); + + cy.get(FILTERS_GLOBAL_CONTAINER).should('exist'); + cy.get(`${FILTERS_GLOBAL_CONTAINER} ${TIME_RANGE_PICKER}`).should('exist'); + cy.get(`${FIELD_SELECTOR}`).should('exist'); + + cy.log('should show flyout'); + + openFlyout(); + + cy.get(FLYOUT_TITLE).should('contain', 'Indicator details'); + cy.get(FLYOUT_TABS).should('exist').children().should('have.length', 3); + cy.get(FLYOUT_TABS).should('exist'); + + closeFlyout(); + + cy.log('should render proper field browser modal'); + + openFieldBrowser(); + + cy.get(FIELD_BROWSER_MODAL).should('be.visible'); + + closeFieldBrowser(); + + cy.log('should render the inspector flyout when inspector button is clicked'); + + openInspector(); + + cy.get(INSPECTOR_PANEL).contains('Indicators search requests'); + }); + + it('should render flyout content', () => { + openFlyout(); + + cy.log('should show the high level blocks'); + + cy.get(FLYOUT_OVERVIEW_HIGH_LEVEL_BLOCK_ITEM) + .eq(0) + .should('contain.text', 'Feed') + .and('contain.text', 'AbuseCH Malware'); + cy.get(FLYOUT_OVERVIEW_HIGH_LEVEL_BLOCK_ITEM) + .eq(1) + .should('contain.text', 'Indicator type') + .and('contain.text', 'file'); + cy.get(FLYOUT_OVERVIEW_HIGH_LEVEL_BLOCK_ITEM) + .eq(2) + .should('contain.text', 'TLP Marking-') + .and('contain.text', '-'); + cy.get(FLYOUT_OVERVIEW_HIGH_LEVEL_BLOCK_ITEM) + .eq(3) + .should('contain.text', 'Confidence') + .and('contain.text', '-'); + + cy.log('should show the highlighted fields table'); + + cy.get(FLYOUT_OVERVIEW_HIGHLIGHTED_FIELDS_TABLE) + .should('contain.text', 'threat.indicator.file.hash.md5') + .and('contain.text', 'a7f997be65f62fdbe5ec076f0fe207f7'); + cy.get(FLYOUT_OVERVIEW_HIGHLIGHTED_FIELDS_TABLE) + .should('contain.text', 'threat.indicator.file.type') + 
.and('contain.text', 'zip'); + + cy.log('should render the table tab correctly'); + + navigateToFlyoutTableTab(); + + cy.get(FLYOUT_TABLE).should('contain.text', 'threat.indicator.type'); + cy.get(FLYOUT_TABLE) + .should('contain.text', '@timestamp') + .and('contain.text', 'Jun 2, 2022 @ 13:29:47.677'); + cy.get(FLYOUT_TABLE) + .should('contain.text', 'threat.indicator.file.type') + .and('contain.text', 'zip'); + + cy.log('should render the json tab correctly'); + + navigateToFlyoutJsonTab(); + + cy.get(FLYOUT_JSON).should('contain.text', 'threat.indicator.type'); + cy.get(FLYOUT_JSON).should('contain.text', '"@timestamp": "2022-06-02T13:29:47.677Z",'); + }); + }); + + describe('No items match search criteria', () => { + beforeEach(() => { + login(); + cy.visit(URL_WITH_CONTRADICTORY_FILTERS); + }); + + it('should handle no match search criteria', () => { + cy.log('not display the table when contradictory filters are set'); + + cy.get(FLYOUT_TABLE).should('not.exist'); + cy.get(EMPTY_STATE).should('exist').and('contain.text', 'No results'); + + cy.log('have the default selected field, then update when user selects'); + + const threatFeedName = 'threat.feed.name'; + cy.get(`${FIELD_SELECTOR_INPUT}`).should('have.value', threatFeedName); + + const timestamp: string = '@timestamp'; + cy.get(`${FIELD_SELECTOR_TOGGLE_BUTTON}`).should('exist').click(); + cy.get(`${FIELD_SELECTOR_LIST}`).should('exist').contains(timestamp); + }); + }); + + describe('Field browser', () => { + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('should render proper modal window', () => { + cy.get('[data-test-subj="tiIndicatorsTable"]').within(() => { + cy.get(FIELD_BROWSER).last().click(); + }); + + cy.get(FIELD_BROWSER_MODAL).should('be.visible'); + }); + }); + + describe('Request inspector', () => { + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('when inspector button is clicked it should 
render the inspector flyout', () => { + cy.get(INSPECTOR_BUTTON).last().click(); + + cy.get(INSPECTOR_PANEL).contains('Indicators search requests'); + }); + }); + + describe('Add integrations', () => { + beforeEach(() => { + login(); + visit(URL); + }); + + it('when the global header add integrations button is clicked it should navigate to the Integrations page with Threat Intelligence category selected', () => { + cy.get(ADD_INTEGRATIONS_BUTTON).click(); + + cy.url().should('include', 'threat_intel'); + }); + }); +}); + +describe('Multiple indicators', { tags: ['@ess'] }, () => { + before(() => cy.task('esArchiverLoad', { archiveName: 'ti_indicators_data_multiple' })); + + after(() => cy.task('esArchiverUnload', { archiveName: 'ti_indicators_data_multiple' })); + + describe('Indicator page search', () => { + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('should handle all search actions', () => { + cy.log('should narrow the results to url indicators when respective KQL search is executed'); + + enterQuery('threat.indicator.type: "url"{enter}'); + + // Check if query results are narrowed after search + cy.get(INDICATOR_TYPE_CELL).should('not.contain.text', 'file'); + + clearQuery(); + enterQuery('threat.indicator.type: "file"{enter}'); + + cy.get(INDICATOR_TYPE_CELL).should('not.contain.text', 'url'); + + clearQuery(); + + cy.log('should go to the 2nd page'); + + navigateToIndicatorsTablePage(1); + + cy.get(TABLE_CONTROLS).should('contain.text', 'Showing 26-26 of'); + + cy.log('should go to page 1 when search input is cleared'); + + cy.get(QUERY_INPUT).should('exist').focus(); + cy.get(QUERY_INPUT).clear(); + cy.get(QUERY_INPUT).type('{enter}'); + cy.get(TABLE_CONTROLS).should('contain.text', 'Showing 1-25 of'); + + cy.log('should reload the data when refresh button is pressed'); + + cy.intercept(/bsearch/).as('search'); + cy.get(REFRESH_BUTTON).should('exist').click(); + cy.wait('@search'); + }); + }); +}); + 
+describe('Invalid Indicators', { tags: ['@ess'] }, () => { + before(() => cy.task('esArchiverLoad', { archiveName: 'ti_indicators_data_invalid' })); + + after(() => cy.task('esArchiverUnload', { archiveName: 'ti_indicators_data_invalid' })); + + describe('verify the grid loads even with missing fields', () => { + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('should display data grid despite the missing fields', () => { + cy.get(INDICATORS_TABLE).should('exist'); + + // there are 19 documents in the x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_invalid/data.json + const documentsNumber = 22; + cy.get(INDICATORS_TABLE_ROW_CELL).should('have.length.gte', documentsNumber); + + // the last 3 documents have no hash so the investigate in timeline button isn't rendered + cy.get(INDICATORS_TABLE_INVESTIGATE_IN_TIMELINE_BUTTON_ICON).should( + 'have.length', + documentsNumber - 4 + ); + + // we should have 21 documents plus the header + cy.get(INDICATORS_TABLE_INDICATOR_NAME_CELL).should('have.length', documentsNumber + 1); + + // this entry has no hash to we show - in the Indicator Name column + cy.get(INDICATORS_TABLE_INDICATOR_NAME_CELL) + .eq(documentsNumber - 3) + .should('contain.text', '-'); + + // this entry is missing the file key entirely + cy.get(INDICATORS_TABLE_INDICATOR_NAME_CELL) + .eq(documentsNumber - 2) + .should('contain.text', '-'); + + // this entry is missing the type field + cy.get(INDICATORS_TABLE_INDICATOR_NAME_CELL) + .eq(documentsNumber - 1) + .should('contain.text', '-'); + cy.get(INDICATORS_TABLE_INDICATOR_TYPE_CELL) + .eq(documentsNumber - 1) + .should('contain.text', '-'); + + // this entry is missing the type field + cy.get(INDICATORS_TABLE_INDICATOR_NAME_CELL).last().should('contain.text', '-'); + cy.get(INDICATORS_TABLE_INDICATOR_TYPE_CELL).last().should('contain.text', '-'); + }); + }); +}); + +describe('Missing mappings', { tags: ['@ess'] }, () => { + before(() => 
cy.task('esArchiverLoad', { archiveName: 'ti_indicators_data_no_mappings' })); + + after(() => cy.task('esArchiverUnload', { archiveName: 'ti_indicators_data_no_mappings' })); + + describe('verify the grid loads even with missing mappings and missing fields', () => { + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('should display data grid despite the missing mappings and missing fields', () => { + // there are 2 documents in the x-pack/test/threat_intelligence_cypress/es_archives/threat_intelligence/missing_mappings_indicators_data/data.json + const documentsNumber = 2; + cy.get(INDICATORS_TABLE_ROW_CELL).should('have.length.gte', documentsNumber); + + // we should have 2 documents plus the header + cy.get(INDICATORS_TABLE_INDICATOR_NAME_CELL).should('have.length', documentsNumber + 1); + }); + }); +}); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/query_bar.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/query_bar.cy.ts new file mode 100644 index 0000000000000..a7cefa41bc678 --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/query_bar.cy.ts 
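Review bot: Several comments in the `Invalid Indicators` spec contradict the numbers beside them: `// there are 19 documents in …data.json` precedes `const documentsNumber = 22;`, `// the last 3 documents have no hash` precedes `documentsNumber - 4`, and `// we should have 21 documents plus the header` precedes `documentsNumber + 1`, which is 23. Either the comments or the expectations are stale and whichever is correct should be kept, and the two consecutive `// this entry is missing the type field` comments describe different rows identically. The `Missing mappings` spec still cites the pre-migration path `x-pack/test/threat_intelligence_cypress/es_archives/threat_intelligence/missing_mappings_indicators_data/data.json`, which per the file list above is now `x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_no_mappings/data.json`. The `Field browser` spec also hard-codes `'[data-test-subj="tiIndicatorsTable"]'` while `INDICATORS_TABLE` is already imported; if that constant resolves to the same selector, use it.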
@@ -0,0 +1,193 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { visitWithTimeRange } from '../../../tasks/navigation'; +import { + closeFlyout, + navigateToFlyoutTableTab, + openFlyout, + waitForViewToBeLoaded, + waitForViewToBeUpdated, +} from '../../../tasks/threat_intelligence/common'; +import { + clearKQLBar, + filterInFromBarChartLegend, + filterInFromFlyoutBlockItem, + filterInFromFlyoutOverviewTable, + filterInFromFlyoutTableTab, + filterInFromTableCell, + filterOutFromBarChartLegend, + filterOutFromFlyoutBlockItem, + filterOutFromFlyoutOverviewTable, + filterOutFromFlyoutTableTab, + filterOutFromTableCell, +} from '../../../tasks/threat_intelligence/query_bar'; +import { INDICATOR_TYPE_CELL } from '../../../screens/threat_intelligence/indicators'; +import { KQL_FILTER } from '../../../screens/threat_intelligence/query_bar'; +import { login } from '../../../tasks/login'; + +const URL = '/app/security/threat_intelligence/indicators'; + +describe('Indicators query bar interaction', { tags: ['@ess'] }, () => { + before(() => cy.task('esArchiverLoad', { archiveName: 'ti_indicators_data_multiple' })); + + after(() => cy.task('esArchiverUnload', { archiveName: 'ti_indicators_data_multiple' })); + + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('should add filter to kql', () => { + cy.log('filter in values when clicking in the barchart legend'); + + waitForViewToBeUpdated(); + + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + filterInFromBarChartLegend(); + waitForViewToBeUpdated(); + + cy.get(KQL_FILTER).should('exist'); + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + clearKQLBar(); + waitForViewToBeUpdated(); + + cy.log('filter out values when clicking 
in the barchart legend'); + + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + filterOutFromBarChartLegend(); + waitForViewToBeUpdated(); + + cy.get(KQL_FILTER).should('exist'); + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + clearKQLBar(); + waitForViewToBeUpdated(); + + cy.log('filter in values when clicking in an indicators table cell'); + + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + filterInFromTableCell(); + waitForViewToBeUpdated(); + + cy.get(KQL_FILTER).should('exist'); + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + clearKQLBar(); + waitForViewToBeUpdated(); + + cy.log('filter out and out values when clicking in an indicators table cell'); + + waitForViewToBeUpdated(); + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + filterOutFromTableCell(); + waitForViewToBeUpdated(); + + cy.get(KQL_FILTER).should('exist'); + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + clearKQLBar(); + waitForViewToBeUpdated(); + + cy.log('filter in values when clicking in an indicators flyout overview tab block'); + + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + openFlyout(); + filterInFromFlyoutBlockItem(); + closeFlyout(); + waitForViewToBeUpdated(); + + cy.get(KQL_FILTER).should('exist'); + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + clearKQLBar(); + waitForViewToBeUpdated(); + + cy.log('filter out values when clicking in an indicators flyout overview block'); + + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + openFlyout(); + filterOutFromFlyoutBlockItem(); + closeFlyout(); + waitForViewToBeUpdated(); + + cy.get(KQL_FILTER).should('exist'); + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + clearKQLBar(); + waitForViewToBeUpdated(); + + cy.log('filter in values when clicking in an indicators flyout overview tab table row'); + + 
cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + openFlyout(); + filterInFromFlyoutOverviewTable(); + closeFlyout(); + waitForViewToBeUpdated(); + + cy.get(KQL_FILTER).should('exist'); + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + clearKQLBar(); + waitForViewToBeUpdated(); + + cy.log('filter out values when clicking in an indicators flyout overview tab row'); + + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + openFlyout(); + filterOutFromFlyoutOverviewTable(); + closeFlyout(); + waitForViewToBeUpdated(); + + cy.get(KQL_FILTER).should('exist'); + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + clearKQLBar(); + waitForViewToBeUpdated(); + + cy.log('filter in values when clicking in an indicators flyout table tab action column'); + + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + openFlyout(); + navigateToFlyoutTableTab(); + filterInFromFlyoutTableTab(); + closeFlyout(); + waitForViewToBeUpdated(); + + cy.get(KQL_FILTER).should('exist'); + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + clearKQLBar(); + waitForViewToBeUpdated(); + + cy.log('filter out values when clicking in an indicators flyout table tab action column'); + + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + openFlyout(); + navigateToFlyoutTableTab(); + filterOutFromFlyoutTableTab(); + closeFlyout(); + waitForViewToBeUpdated(); + + cy.get(KQL_FILTER).should('exist'); + cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0); + + clearKQLBar(); + }); +}); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/timeline.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/timeline.cy.ts new file mode 100644 index 0000000000000..691dc1926a454 --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/threat_intelligence/timeline.cy.ts 
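Review bot: Every `cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gte', 0)` in this spec is vacuous, since a length is never negative, so the checks before and after each filter step say nothing about whether the filter changed the result set; only `cy.get(KQL_FILTER).should('exist')` does real work. Capture the row count before filtering and assert the filtered count differs, or where rows are expected use `cy.get(INDICATOR_TYPE_CELL).its('length').should('be.gt', 0);`. The log line `filter out and out values when clicking in an indicators table cell` also has a duplicated word.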
@@ -0,0 +1,123 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { visitWithTimeRange } from '../../../tasks/navigation'; +import { + addToTimelineFromBarchartLegend, + addToTimelineFromFlyoutOverviewTabBlock, + addToTimelineFromFlyoutOverviewTabTable, + addToTimelineFromTableCell, + closeTimeline, + investigateInTimelineFromFlyout, + investigateInTimelineFromTable, + openTimeline, +} from '../../../tasks/threat_intelligence/timeline'; +import { + closeFlyout, + openFlyout, + openFlyoutTakeAction, + waitForViewToBeLoaded, +} from '../../../tasks/threat_intelligence/common'; +import { + TIMELINE_AND_OR_BADGE, + TIMELINE_DATA_PROVIDERS_WRAPPER, + TIMELINE_DRAGGABLE_ITEM, +} from '../../../screens/threat_intelligence/timeline'; +import { login } from '../../../tasks/login'; + +const URL = '/app/security/threat_intelligence/indicators'; + +describe('Timeline', { tags: ['@ess'] }, () => { + before(() => cy.task('esArchiverLoad', { archiveName: 'ti_indicators_data_single' })); + + after(() => cy.task('esArchiverUnload', { archiveName: 'ti_indicators_data_single' })); + + beforeEach(() => { + login(); + visitWithTimeRange(URL); + waitForViewToBeLoaded(); + }); + + it('should verify add to timeline and investigate in timeline work from various places', () => { + cy.log('add to timeline when clicking in the barchart legend'); + + addToTimelineFromBarchartLegend(); + openTimeline(); + + cy.get(TIMELINE_DATA_PROVIDERS_WRAPPER).within(() => { + cy.get(TIMELINE_AND_OR_BADGE).should('be.visible').and('have.length', 3); + cy.get(TIMELINE_DRAGGABLE_ITEM).should('contain.text', 'threat.feed.name: "AbuseCH Malware"'); + }); + closeTimeline(); + + cy.log('add to timeline when clicking in an indicator flyout overview tab table row'); + + openFlyout(); + 
addToTimelineFromFlyoutOverviewTabTable(); + closeFlyout(); + openTimeline(); + + cy.get(TIMELINE_DATA_PROVIDERS_WRAPPER).within(() => { + cy.get(TIMELINE_AND_OR_BADGE).should('be.visible').and('have.length', 5); + cy.get(TIMELINE_DRAGGABLE_ITEM).should( + 'contain.text', + 'threat.indicator.file.hash.md5: "a7f997be65f62fdbe5ec076f0fe207f7"' + ); + }); + + closeTimeline(); + + cy.log( + 'add to timeline when clicking in an indicator flyout overview block (should not add a new entry)' + ); + + openFlyout(); + addToTimelineFromFlyoutOverviewTabBlock(); + closeFlyout(); + openTimeline(); + + cy.get(TIMELINE_DATA_PROVIDERS_WRAPPER).within(() => { + cy.get(TIMELINE_AND_OR_BADGE).should('be.visible').and('have.length', 5); + }); + + closeTimeline(); + + cy.log('add to timeline when clicking in an indicator table cell'); + + addToTimelineFromTableCell(); + openTimeline(); + + cy.get(TIMELINE_DATA_PROVIDERS_WRAPPER).within(() => { + cy.get(TIMELINE_AND_OR_BADGE).should('be.visible').and('have.length', 7); + cy.get(TIMELINE_DRAGGABLE_ITEM).should('contain.text', 'threat.indicator.type: "file"'); + }); + + closeTimeline(); + + cy.log('investigate in timeline when clicking in an indicator table action row'); + + investigateInTimelineFromTable(); + + cy.get(TIMELINE_DATA_PROVIDERS_WRAPPER).within(() => { + cy.get(TIMELINE_DRAGGABLE_ITEM).should('exist'); + cy.get(TIMELINE_AND_OR_BADGE).should('be.visible').and('have.length', 5); + }); + + closeTimeline(); + + cy.log('investigate in timeline when clicking in an indicator flyout'); + + openFlyout(); + openFlyoutTakeAction(); + investigateInTimelineFromFlyout(); + + cy.get(TIMELINE_DATA_PROVIDERS_WRAPPER).within(() => { + cy.get(TIMELINE_DRAGGABLE_ITEM).should('exist'); + cy.get(TIMELINE_AND_OR_BADGE).should('be.visible').and('have.length', 5); + }); + }); +}); 
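Review bot: The final step (investigate in timeline from the flyout) leaves the timeline open, unlike every earlier step, which ends with `closeTimeline();`; add `closeTimeline();` after the last `within` block so the spec ends in the state it started in and any `it` added later is not affected. The two investigate steps also only assert `should('exist')` on `TIMELINE_DRAGGABLE_ITEM`, while the add-to-timeline steps check the provider text; asserting the expected `threat.indicator.*` provider text there too would make those checks meaningful. The badge counts (3, 5, 5, 7, 5) and the md5 in the overview-tab assertion are bound to the `ti_indicators_data_single` archive; a one-line comment above `describe` saying so would help whoever regenerates that archive.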
diff --git a/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/blocklist.ts b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/blocklist.ts
new file mode 100644
index 0000000000000..b9c79fc18340c
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/blocklist.ts
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getDataTestSubjectSelector } from '../../helpers/common';
+
+export const INDICATORS_TABLE_ADD_TO_BLOCK_LIST_BUTTON_ICON = getDataTestSubjectSelector(
+ 'tiIndicatorsTableAddToBlockListContextMenu'
+);
+export const FLYOUT_ADD_TO_BLOCK_LIST_ITEM = getDataTestSubjectSelector(
+ 'tiIndicatorFlyoutAddToBlockListContextMenu'
+);
+export const BLOCK_LIST_NAME = getDataTestSubjectSelector('blocklist-form-name-input');
+export const BLOCK_LIST_DESCRIPTION = getDataTestSubjectSelector(
+ 'blocklist-form-description-input'
+);
+export const BLOCK_LIST_ADD_BUTTON = `[class="eui-textTruncate"]`;
+export const BLOCK_LIST_TOAST_LIST = getDataTestSubjectSelector('globalToastList');
+export const BLOCK_LIST_VALUE_INPUT = (iocId: string) =>
+ getDataTestSubjectSelector(`blocklist-form-values-input-${iocId}`);
+export const SAVED_BLOCK_LIST_NAME = getDataTestSubjectSelector('blocklistPage-card-header-title');
+export const SAVED_BLOCK_LIST_DESCRIPTION = getDataTestSubjectSelector(
+ 'blocklistPage-card-description'
+);
diff --git a/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/cases.ts b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/cases.ts
new file mode 100644
index 0000000000000..e0d207f5aa46b
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/cases.ts
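Review bot: `BLOCK_LIST_ADD_BUTTON` is a bare EUI class selector (`[class="eui-textTruncate"]`) rather than a `data-test-subj`, and because `[class="..."]` is an exact attribute match it silently stops matching as soon as the element gains any other class; the same literal reappears as `SELECT_EXISTING_CASE` in screens/threat_intelligence/cases.ts. If the submit button carries no test subject, a comment such as `// no data-test-subj on the EUI button; matches its truncated label, callers take .last()` would explain why tasks/threat_intelligence/blocklist.ts needs `.last()`. Asking for a `data-test-subj` on the button so this can go through `getDataTestSubjectSelector` like the rest of the file is the more durable fix.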
@@ -0,0 +1,33 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getDataTestSubjectSelector } from '../../helpers/common'; + +export const INDICATORS_TABLE_ADD_TO_NEW_CASE_BUTTON_ICON = getDataTestSubjectSelector( + 'tiIndicatorTableAddToNewCaseContextMenu' +); +export const INDICATORS_TABLE_ADD_TO_EXISTING_CASE_BUTTON_ICON = getDataTestSubjectSelector( + 'tiIndicatorTableAddToExistingCaseContextMenu' +); +export const FLYOUT_ADD_TO_EXISTING_CASE_ITEM = getDataTestSubjectSelector( + 'tiIndicatorFlyoutAddToExistingCaseContextMenu' +); +export const FLYOUT_ADD_TO_NEW_CASE_ITEM = getDataTestSubjectSelector( + 'tiIndicatorFlyoutAddToNewCaseContextMenu' +); +export const SELECT_EXISTING_CASE = `[class="eui-textTruncate"]`; +export const VIEW_CASE_TOASTER_LINK = getDataTestSubjectSelector('toaster-content-case-view-link'); +export const CASE_COMMENT_EXTERNAL_REFERENCE = getDataTestSubjectSelector( + 'comment-externalReference-indicator' +); +export const NEW_CASE_NAME_INPUT = getDataTestSubjectSelector( + 'input"][aria-describedby="caseTitle' +); +export const NEW_CASE_DESCRIPTION_INPUT = getDataTestSubjectSelector('euiMarkdownEditorTextArea'); +export const NEW_CASE_CREATE_BUTTON = getDataTestSubjectSelector('create-case-submit'); +export const SELECT_CASE_TABLE_ROW = `.euiTableRow`; +export const SELECT_EXISTING_CASES_MODAL = getDataTestSubjectSelector('all-cases-modal'); diff --git a/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/common.ts b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/common.ts new file mode 100644 index 0000000000000..c4e0a2913af8e --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/common.ts 
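Review bot: `NEW_CASE_NAME_INPUT` passes `'input"][aria-describedby="caseTitle'` to `getDataTestSubjectSelector`, closing the attribute value inside the helper argument to smuggle in a second attribute selector; this only works while the helper renders exactly `[data-test-subj="..."]` and breaks on any change to it. Write the selector out literally instead, `export const NEW_CASE_NAME_INPUT = '[data-test-subj="input"][aria-describedby="caseTitle"]';`, or at least add a comment stating the composed selector it is meant to produce. `SELECT_EXISTING_CASE` duplicates the `[class="eui-textTruncate"]` literal from screens/threat_intelligence/blocklist.ts; one shared constant would keep the two in step.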
@@ -0,0 +1,17 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getDataTestSubjectSelector } from '../../helpers/common'; + +export const UPDATE_STATUS = getDataTestSubjectSelector('updateStatus'); +export const SECURITY_SOLUTION_NAVBAR_MANAGE_ITEM = getDataTestSubjectSelector( + 'solutionSideNavItemLink-administration' +); +export const SECURITY_SOLUTION_NAVBAR_THREAT_INTELLIGENCE_ITEM = getDataTestSubjectSelector( + 'solutionSideNavItemLink-threat_intelligence' +); +export const MANAGE_NAVIGATION_ITEMS = `.euiLink`; diff --git a/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/empty_page.ts b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/empty_page.ts new file mode 100644 index 0000000000000..4db010fb19068 --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/empty_page.ts @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getDataTestSubjectSelector } from '../../helpers/common'; + +export const EMPTY_PAGE_BODY = getDataTestSubjectSelector('tiEmptyPage'); +export const EMPTY_PAGE_DOCS_LINK = getDataTestSubjectSelector('tiEmptyPageDocsLink'); +export const EMPTY_PAGE_INTEGRATIONS_LINK = getDataTestSubjectSelector( + 'tiEmptyPageIntegrationsPageLink' +); diff --git a/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/indicators.ts b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/indicators.ts new file mode 100644 index 0000000000000..04d4e93dfc85b --- /dev/null 
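Review bot: `MANAGE_NAVIGATION_ITEMS` is the bare EUI class `.euiLink`, which matches every link on the page; the only narrowing is the `.contains('Blocklist')` applied in tasks/threat_intelligence/common.ts, so a comment here such as `// matches every EUI link; callers must narrow with .contains()` would make that coupling visible. A `data-test-subj` on the Manage page's Blocklist link, if one exists, would be the more stable choice.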
+++ b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/indicators.ts 
@@ -0,0 +1,130 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getDataTestSubjectSelector } from '../../helpers/common'; + +/* Indicators Table */ + +export const INDICATORS_TABLE = getDataTestSubjectSelector('tiIndicatorsTable'); +export const INDICATORS_TABLE_ROW_CELL = getDataTestSubjectSelector('dataGridRowCell'); +export const INDICATORS_TABLE_INDICATOR_NAME_COLUMN_HEADER = getDataTestSubjectSelector( + 'dataGridHeaderCell-threat.indicator.name' +); +export const INDICATORS_TABLE_INDICATOR_NAME_CELL = + '[data-gridcell-column-id="threat.indicator.name"]'; +export const INDICATORS_TABLE_INDICATOR_TYPE_COLUMN_HEADER = getDataTestSubjectSelector( + 'dataGridHeaderCell-threat.indicator.type' +); +export const INDICATORS_TABLE_INDICATOR_TYPE_CELL = + '[data-gridcell-column-id="threat.indicator.type"]'; +export const INDICATORS_TABLE_FEED_NAME_COLUMN_HEADER = getDataTestSubjectSelector( + 'dataGridHeaderCell-threat.feed.name' +); +export const INDICATORS_TABLE_FEED_NAME_CELL = '[data-gridcell-column-id="threat.feed.name"]'; +export const INDICATORS_TABLE_FIRST_SEEN_COLUMN_HEADER = getDataTestSubjectSelector( + 'dataGridHeaderCell-threat.indicator.first_seen' +); +export const INDICATORS_TABLE_INDICATOR_FIRST_SEEN_CELL = + '[data-gridcell-column-id="threat.indicator.first_seen"]'; +export const INDICATORS_TABLE_LAST_SEEN_COLUMN_HEADER = getDataTestSubjectSelector( + 'dataGridHeaderCell-threat.indicator.last_seen' +); +export const INDICATORS_TABLE_INDICATOR_LAST_SEEN_CELL = + '[data-gridcell-column-id="threat.indicator.last_seen"]'; +export const TABLE_CONTROLS = getDataTestSubjectSelector('dataGridControls'); +export const INDICATOR_TYPE_CELL = `[role="gridcell"][data-gridcell-column-id="threat.indicator.type"]`; +export const 
INDICATORS_TABLE_CELL_FILTER_IN_BUTTON = `${getDataTestSubjectSelector( + 'tiIndicatorsTableCellFilterInButton' +)} button`; +export const INDICATORS_TABLE_CELL_FILTER_OUT_BUTTON = `${getDataTestSubjectSelector( + 'tiIndicatorsTableCellFilterOutButton' +)} button`; +export const INDICATORS_TABLE_MORE_ACTION_BUTTON_ICON = getDataTestSubjectSelector( + 'tiIndicatorTableMoreActionsButton' +); + +/* Flyout */ + +export const TOGGLE_FLYOUT_BUTTON = getDataTestSubjectSelector('tiToggleIndicatorFlyoutButton'); +export const FLYOUT_CLOSE_BUTTON = getDataTestSubjectSelector('euiFlyoutCloseButton'); +export const FLYOUT_TITLE = getDataTestSubjectSelector('tiIndicatorFlyoutTitle'); +export const FLYOUT_TABS = getDataTestSubjectSelector('tiIndicatorFlyoutTabs'); +export const FLYOUT_TABLE = getDataTestSubjectSelector('tiFlyoutTable'); +export const FLYOUT_JSON = getDataTestSubjectSelector('tiFlyoutJsonCodeBlock'); +export const FLYOUT_OVERVIEW_TAB_TABLE_ROW_FILTER_IN_BUTTON = getDataTestSubjectSelector( + 'tiFlyoutOverviewTableRowFilterInButton' +); +export const FLYOUT_OVERVIEW_TAB_TABLE_ROW_FILTER_OUT_BUTTON = getDataTestSubjectSelector( + 'tiFlyoutOverviewTableRowFilterOutButton' +); +export const FLYOUT_OVERVIEW_HIGH_LEVEL_BLOCK_ITEM = getDataTestSubjectSelector( + 'tiFlyoutOverviewHighLevelBlocksItem' +); +export const FLYOUT_OVERVIEW_TAB_BLOCKS_FILTER_IN_BUTTON = getDataTestSubjectSelector( + 'tiFlyoutOverviewHighLevelBlocksFilterInButton' +); +export const FLYOUT_OVERVIEW_TAB_BLOCKS_FILTER_OUT_BUTTON = getDataTestSubjectSelector( + 'tiFlyoutOverviewHighLevelBlocksFilterOutButton' +); +export const FLYOUT_OVERVIEW_HIGHLIGHTED_FIELDS_TABLE = getDataTestSubjectSelector( + 'tiFlyoutOverviewTableRow' +); +export const FLYOUT_TABLE_MORE_ACTIONS_BUTTON = `${getDataTestSubjectSelector( + 'tiFlyoutOverviewTableRowPopoverButton' +)} button`; +export const FLYOUT_BLOCK_MORE_ACTIONS_BUTTON = `${getDataTestSubjectSelector( + 'tiFlyoutOverviewHighLevelBlocksPopoverButton' +)} 
button`; +export const FLYOUT_TABLE_TAB_ROW_FILTER_IN_BUTTON = getDataTestSubjectSelector( + 'tiFlyoutTableFilterInButton' +); +export const FLYOUT_TABLE_TAB_ROW_FILTER_OUT_BUTTON = getDataTestSubjectSelector( + 'tiFlyoutTableFilterOutButton' +); + +export const FLYOUT_TAKE_ACTION_BUTTON = getDataTestSubjectSelector( + 'tiIndicatorFlyoutTakeActionButton' +); + +/* Field selector */ + +export const FIELD_SELECTOR = getDataTestSubjectSelector('tiIndicatorFieldSelectorDropdown'); +export const FIELD_SELECTOR_INPUT = getDataTestSubjectSelector('comboBoxSearchInput'); +export const FIELD_SELECTOR_TOGGLE_BUTTON = getDataTestSubjectSelector('comboBoxToggleListButton'); +export const FIELD_SELECTOR_LIST = getDataTestSubjectSelector( + 'comboBoxOptionsList tiIndicatorFieldSelectorDropdown-optionsList' +); + +/* Field browser */ + +export const FIELD_BROWSER = getDataTestSubjectSelector('show-field-browser'); +export const FIELD_BROWSER_MODAL = getDataTestSubjectSelector('fields-browser-container'); +export const FIELD_BROWSER_MODAL_CLOSE_BUTTON = getDataTestSubjectSelector('close'); + +/* Barchart */ + +export const BARCHART_WRAPPER = getDataTestSubjectSelector('tiBarchartWrapper'); +export const BARCHART_POPOVER_BUTTON = getDataTestSubjectSelector('tiBarchartPopoverButton'); +export const BARCHART_TIMELINE_BUTTON = getDataTestSubjectSelector('tiBarchartTimelineButton'); +export const BARCHART_FILTER_IN_BUTTON = getDataTestSubjectSelector('tiBarchartFilterInButton'); +export const BARCHART_FILTER_OUT_BUTTON = getDataTestSubjectSelector('tiBarchartFilterOutButton'); + +/* Miscellaneous */ + +export const DEFAULT_LAYOUT_TITLE = getDataTestSubjectSelector('tiDefaultPageLayoutTitle'); +export const BREADCRUMBS = getDataTestSubjectSelector('breadcrumbs'); +export const LEADING_BREADCRUMB = getDataTestSubjectSelector('breadcrumb first'); +export const ENDING_BREADCRUMB = getDataTestSubjectSelector('breadcrumb last'); +export const FILTERS_GLOBAL_CONTAINER = 
getDataTestSubjectSelector('filters-global-container'); +export const TIME_RANGE_PICKER = getDataTestSubjectSelector('superDatePickerToggleQuickMenuButton'); +export const QUERY_INPUT = getDataTestSubjectSelector('queryInput'); +export const EMPTY_STATE = getDataTestSubjectSelector('tiIndicatorsTableEmptyState'); +export const INSPECTOR_BUTTON = getDataTestSubjectSelector('tiIndicatorsGridInspect'); +export const INSPECTOR_PANEL = getDataTestSubjectSelector('inspectorPanel'); +export const ADD_INTEGRATIONS_BUTTON = getDataTestSubjectSelector('add-data'); +export const REFRESH_BUTTON = getDataTestSubjectSelector('querySubmitButton'); +export const ADDED_TO_TIMELINE_TOAST = getDataTestSubjectSelector('add-to-timeline-toast-success'); diff --git a/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/query_bar.ts b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/query_bar.ts new file mode 100644 index 0000000000000..ab04913c59182 --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/query_bar.ts @@ -0,0 +1,15 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getDataTestSubjectSelector } from '../../helpers/common'; + +export const QUERY_BAR = getDataTestSubjectSelector('globalDatePicker'); +export const QUERY_BAR_MENU = getDataTestSubjectSelector('showQueryBarMenu'); +export const QUERY_BAR_MENU_REMOVE_ALL_FILTERS_BUTTON = getDataTestSubjectSelector( + 'filter-sets-removeAllFilters' +); +export const KQL_FILTER = `[id="popoverFor_filter0"]`; 
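Review bot: `INDICATOR_TYPE_CELL` and `INDICATORS_TABLE_INDICATOR_TYPE_CELL` both target `data-gridcell-column-id="threat.indicator.type"` and differ only in the `[role="gridcell"]` prefix, with nothing saying when to use which; a comment on `INDICATOR_TYPE_CELL` such as `// same column as INDICATORS_TABLE_INDICATOR_TYPE_CELL, restricted to role="gridcell" elements` (or merging the two) would remove the ambiguity. `FIELD_SELECTOR_LIST`, `LEADING_BREADCRUMB` and `ENDING_BREADCRUMB` pass space-separated values to `getDataTestSubjectSelector`, which presumably yields an exact-match `[data-test-subj="a b"]` that depends on the element carrying exactly that attribute string in that token order; worth a comment so the next reader does not "fix" the space. `FIELD_BROWSER_MODAL_CLOSE_BUTTON` uses the generic subject `'close'`, which is only safe inside the `FIELD_BROWSER_MODAL` `within` scope that tasks/threat_intelligence/indicators.ts applies; state that constraint here.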
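Review bot: `QUERY_BAR` resolves to the `globalDatePicker` test subject rather than the query bar, so the name misleads a reader of `clearKQLBar` in tasks/threat_intelligence/query_bar.ts, which scopes `QUERY_BAR_MENU` inside it; either rename it (e.g. `GLOBAL_DATE_PICKER`) or add `// container that holds both the date picker and the query bar menu` above it. `KQL_FILTER` hard-codes `popoverFor_filter0`, i.e. only the first filter pill; `// first filter pill only` would make that limit explicit for callers that assert `should('exist')` on it.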
diff --git a/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/timeline.ts b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/timeline.ts
new file mode 100644
index 0000000000000..ed1adb33f5392
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/screens/threat_intelligence/timeline.ts
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getDataTestSubjectSelector } from '../../helpers/common';
+
+export const INDICATORS_TABLE_INVESTIGATE_IN_TIMELINE_BUTTON_ICON = getDataTestSubjectSelector(
+ 'tiIndicatorTableInvestigateInTimelineButtonIcon'
+);
+export const UNTITLED_TIMELINE_BUTTON = getDataTestSubjectSelector(
+ `timeline-bottom-bar-title-button`
+);
+export const INDICATORS_TABLE_CELL_TIMELINE_BUTTON = `${getDataTestSubjectSelector(
+ 'tiIndicatorsTableCellTimelineButton'
+)} button`;
+export const TIMELINE_DATA_PROVIDERS_WRAPPER = getDataTestSubjectSelector(`dataProviders`);
+export const TIMELINE_DRAGGABLE_ITEM = getDataTestSubjectSelector(`providerContainer`);
+export const TIMELINE_AND_OR_BADGE = getDataTestSubjectSelector(`and-or-badge`);
+export const CLOSE_TIMELINE_BTN = '[data-test-subj="timeline-modal-header-close-button"]';
+export const FLYOUT_OVERVIEW_TAB_TABLE_ROW_TIMELINE_BUTTON = getDataTestSubjectSelector(
+ 'tiFlyoutOverviewTableRowTimelineButton'
+);
+export const FLYOUT_OVERVIEW_TAB_BLOCKS_TIMELINE_BUTTON = getDataTestSubjectSelector(
+ 'tiFlyoutOverviewHighLevelBlocksTimelineButton'
+);
+export const FLYOUT_INVESTIGATE_IN_TIMELINE_ITEM = getDataTestSubjectSelector(
+ 'tiIndicatorFlyoutInvestigateInTimelineContextMenu'
+);
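Review bot: `CLOSE_TIMELINE_BTN` is the only selector in this file written as a literal `[data-test-subj="..."]` string while every other constant goes through `getDataTestSubjectSelector`; use `export const CLOSE_TIMELINE_BTN = getDataTestSubjectSelector('timeline-modal-header-close-button');` for consistency. Naming is mixed as well: `_BTN` here versus `_BUTTON` everywhere else, and `UNTITLED_TIMELINE_BUTTON`, `TIMELINE_DATA_PROVIDERS_WRAPPER`, `TIMELINE_DRAGGABLE_ITEM` and `TIMELINE_AND_OR_BADGE` use template literals for plain constant strings where the rest of the file uses single quotes.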
diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/blocklist.ts b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/blocklist.ts
new file mode 100644
index 0000000000000..7a56a7235f453
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/blocklist.ts
@@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+ BLOCK_LIST_ADD_BUTTON,
+ BLOCK_LIST_DESCRIPTION,
+ BLOCK_LIST_NAME,
+ BLOCK_LIST_TOAST_LIST,
+ FLYOUT_ADD_TO_BLOCK_LIST_ITEM,
+ INDICATORS_TABLE_ADD_TO_BLOCK_LIST_BUTTON_ICON,
+} from '../../screens/threat_intelligence/blocklist';
+
+/**
+ * Open the blocklist form from the indicators table more actions menu
+ */
+export const openAddToBlockListFlyoutFromTable = () => {
+ cy.get(INDICATORS_TABLE_ADD_TO_BLOCK_LIST_BUTTON_ICON).first().click();
+};
+
+/**
+ * Open the blocklist form from the indicators flyout take action menu
+ */
+export const openAddToBlocklistFromFlyout = () => {
+ cy.get(FLYOUT_ADD_TO_BLOCK_LIST_ITEM).first().click();
+};
+
+/**
+ * Fill out blocklist form with title and description
+ */
+export const fillBlocklistForm = (title: string, description: string) => {
+ cy.get(BLOCK_LIST_NAME).type(title);
+ cy.get(BLOCK_LIST_DESCRIPTION).type(description);
+ cy.get(BLOCK_LIST_ADD_BUTTON).last().click();
+
+ const text: string = `"${title}" has been added`;
+ cy.get(BLOCK_LIST_TOAST_LIST).should('exist').and('contain.text', text);
+};
diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/cases.ts b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/cases.ts
new file mode 100644
index 0000000000000..8037b436ace15
--- /dev/null
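Review bot: The doc comment on `fillBlocklistForm` says it fills the form, but the function also submits via `BLOCK_LIST_ADD_BUTTON` and asserts the success toast, so a caller may not expect a hard assertion inside a "fill" helper; extend it to `Fill out blocklist form with title and description, submit it and assert the success toast`. `const text: string = ...` carries a redundant annotation, `const text = ...` suffices. `.last()` on the class-based `BLOCK_LIST_ADD_BUTTON` is the fragile step in this helper; a short comment on why the last match is the submit button would help whoever next hits a flaky failure here.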
+++ b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/cases.ts 
@@ -0,0 +1,74 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + FLYOUT_ADD_TO_EXISTING_CASE_ITEM, + FLYOUT_ADD_TO_NEW_CASE_ITEM, + INDICATORS_TABLE_ADD_TO_EXISTING_CASE_BUTTON_ICON, + INDICATORS_TABLE_ADD_TO_NEW_CASE_BUTTON_ICON, + NEW_CASE_CREATE_BUTTON, + NEW_CASE_DESCRIPTION_INPUT, + NEW_CASE_NAME_INPUT, + SELECT_CASE_TABLE_ROW, + SELECT_EXISTING_CASE, + SELECT_EXISTING_CASES_MODAL, + VIEW_CASE_TOASTER_LINK, +} from '../../screens/threat_intelligence/cases'; + +/** + * Open the add to new case flyout from the indicators table more actions menu + */ +export const openAddToNewCaseFlyoutFromTable = () => { + cy.get(INDICATORS_TABLE_ADD_TO_NEW_CASE_BUTTON_ICON).first().click(); +}; + +/** + * Open the add to existing case flyout from the indicators table more actions menu + */ +export const openAddToExistingCaseFlyoutFromTable = () => { + cy.get(INDICATORS_TABLE_ADD_TO_EXISTING_CASE_BUTTON_ICON).first().click(); +}; + +/** + * Open the new case flyout from the indicators flyout take action menu + */ +export const openAddToNewCaseFromFlyout = () => { + cy.get(FLYOUT_ADD_TO_NEW_CASE_ITEM).first().click(); +}; + +/** + * Open the new existing flyout from the indicators flyout take action menu + */ +export const openAddToExistingCaseFromFlyout = () => { + cy.get(FLYOUT_ADD_TO_EXISTING_CASE_ITEM).first().click(); +}; + +/** + * Create a new case from the Threat Intelligence page + */ +export const createNewCaseFromTI = () => { + cy.get(NEW_CASE_NAME_INPUT).type('case'); + cy.get(NEW_CASE_DESCRIPTION_INPUT).type('case description'); + cy.get(NEW_CASE_CREATE_BUTTON).click(); +}; + +/** + * Click on the toaster to navigate to case and verified created case + */ +export const navigateToCaseViaToaster = () => { + cy.get(VIEW_CASE_TOASTER_LINK).click(); 
+}; + +/** + * Select existing case from cases modal + */ +export const selectExistingCase = () => { + cy.get(SELECT_EXISTING_CASES_MODAL).within(() => { + cy.get(SELECT_CASE_TABLE_ROW).its('length').should('be.gte', 0); + cy.get(SELECT_EXISTING_CASE).should('exist').contains('Select').click(); + }); +}; diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/common.ts b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/common.ts new file mode 100644 index 0000000000000..ab80cca467f04 --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/common.ts 
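Review bot: `cy.get(SELECT_CASE_TABLE_ROW).its('length').should('be.gte', 0)` in `selectExistingCase` can never fail, since a length is never negative; if the intent is to wait for at least one row before clicking "Select", use `should('be.gte', 1)`, otherwise drop the line. The same vacuous `be.gte, 0` check is repeated on `INDICATOR_TYPE_CELL` throughout query_bar.cy.ts. Two doc comments are off as well: `openAddToExistingCaseFromFlyout` reads "Open the new existing flyout" (should be "Open the add to existing case flyout"), and `navigateToCaseViaToaster` claims it verifies the created case although it only clicks `VIEW_CASE_TOASTER_LINK`.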
@@ -0,0 +1,120 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { recurse } from 'cypress-recurse'; +import { + MANAGE_NAVIGATION_ITEMS, + SECURITY_SOLUTION_NAVBAR_MANAGE_ITEM, + SECURITY_SOLUTION_NAVBAR_THREAT_INTELLIGENCE_ITEM, + UPDATE_STATUS, +} from '../../screens/threat_intelligence/common'; +import { + BARCHART_POPOVER_BUTTON, + BARCHART_WRAPPER, + FLYOUT_CLOSE_BUTTON, + FLYOUT_TABS, + FLYOUT_TAKE_ACTION_BUTTON, + INDICATORS_TABLE, + INDICATORS_TABLE_MORE_ACTION_BUTTON_ICON, + TOGGLE_FLYOUT_BUTTON, +} from '../../screens/threat_intelligence/indicators'; + +/** + * Navigate to Blocklist screen via the Security Solution navbar and Manage menu item + */ +export const navigateToBlocklist = () => { + cy.get(SECURITY_SOLUTION_NAVBAR_MANAGE_ITEM).click(); + cy.get(MANAGE_NAVIGATION_ITEMS).contains('Blocklist').click(); +}; + +/** + * Navigate to Threat Intelligence screen via the Security Solution navbar + */ +export const navigateToThreatIntelligence = () => { + cy.get(SECURITY_SOLUTION_NAVBAR_THREAT_INTELLIGENCE_ITEM).click(); +}; + +/** + * Close the opened flyout + */ +export const closeFlyout = () => { + cy.get(FLYOUT_CLOSE_BUTTON).click(); +}; + +/** + * Open the indicators table more actions menu + */ +export const openIndicatorsTableMoreActions = (index = 0) => { + cy.get(INDICATORS_TABLE_MORE_ACTION_BUTTON_ICON).eq(index).click(); +}; + +/** + * Open the indicator flyout from indicators table + */ +export const openFlyout = (index = 0) => { + cy.get(TOGGLE_FLYOUT_BUTTON).eq(index).click(); +}; + +/** + * Open the take action button within indicator flyout + */ +export const openFlyoutTakeAction = () => { + cy.get(FLYOUT_TAKE_ACTION_BUTTON).first().click(); +}; + +/** + * Navigate to Table tab in indicators flyout + */ +export const 
navigateToFlyoutTableTab = () => { + cy.get(`${FLYOUT_TABS} button:nth-child(2)`).click(); +}; + +/** + * Navigate to Json tab in indicators flyout + */ +export const navigateToFlyoutJsonTab = () => { + cy.get(`${FLYOUT_TABS} button:nth-child(3)`).click(); +}; + +/** + * Wait for the view to be fully loaded + */ +export const waitForViewToBeLoaded = () => { + cy.get(INDICATORS_TABLE).should('exist'); + cy.get(BARCHART_WRAPPER).should('exist'); + waitForViewToBeUpdated(); +}; + +/** + * Wait for the view to be updated + */ +export const waitForViewToBeUpdated = () => { + cy.get(UPDATE_STATUS).should('contain.text', 'Updated'); +}; + +/** + * Open barchart 3-dot popover menu + */ +export const openBarchartPopoverMenu = () => { + cy.get(BARCHART_POPOVER_BUTTON).first().click(); +}; + +/** + * Performs click on element that require a mouse hover first + */ +export const clickAction = (propertySelector: string, rowIndex: number, actionSelector: string) => { + recurse( + () => { + cy.get(propertySelector).eq(rowIndex).realHover(); + return cy.get(actionSelector).first(); + }, + ($el) => $el.is(':visible') + ); + + // while { force: true } shouldn't really be used, here it allows us to get rid of flakiness on things that need an mouse hover + cy.get(actionSelector).first().click({ force: true }); +}; diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/indicators.ts b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/indicators.ts new file mode 100644 index 0000000000000..f1d80fb079689 --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/indicators.ts 
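Review bot: `navigateToFlyoutTableTab` and `navigateToFlyoutJsonTab` pick tabs positionally with `button:nth-child(2)` / `button:nth-child(3)` under `FLYOUT_TABS`, so reordering or inserting a tab silently redirects them; if the tabs carry their own test subjects, per-tab selectors in screens/threat_intelligence/indicators.ts would be more robust, otherwise a comment such as `// tabs are Overview, Table, JSON in that order` records the assumption. In `clickAction`, `recurse` is called without an options argument, so whatever retry limit and timeout the library defaults to apply; since the follow-up click already passes `{ force: true }`, a comment on what the recurse loop is expected to guarantee (the action button becoming visible after `realHover`) would clarify why both are kept.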
@@ -0,0 +1,62 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + ADD_INTEGRATIONS_BUTTON, + FIELD_BROWSER, + FIELD_BROWSER_MODAL, + FIELD_BROWSER_MODAL_CLOSE_BUTTON, + INDICATORS_TABLE, + INSPECTOR_BUTTON, + QUERY_INPUT, +} from '../../screens/threat_intelligence/indicators'; + +/** + * Navigate to specific page in indicators table + */ +export const navigateToIndicatorsTablePage = (index: number) => { + cy.get(`[data-test-subj="pagination-button-${index}"]`).click(); +}; + +/** + * Clears text in KQL bar + */ +export const enterQuery = (text: string) => { + cy.get(QUERY_INPUT).focus(); + cy.get(QUERY_INPUT).type(text); +}; + +/** + * Clears text in KQL bar + */ +export const clearQuery = () => { + cy.get(QUERY_INPUT).focus(); + cy.get(QUERY_INPUT).clear(); +}; + +/** + * Open field browser modal + */ +export const openFieldBrowser = () => { + cy.get(INDICATORS_TABLE).within(() => cy.get(FIELD_BROWSER).last().click()); +}; + +/** + * Close field browser modal + */ +export const closeFieldBrowser = () => + cy.get(FIELD_BROWSER_MODAL).within(() => cy.get(FIELD_BROWSER_MODAL_CLOSE_BUTTON).click()); + +/** + * Open inspector flyout + */ +export const openInspector = () => cy.get(INSPECTOR_BUTTON).last().click(); + +/** + * Navigate to integrations + */ +export const navigateToIntegrations = () => cy.get(ADD_INTEGRATIONS_BUTTON).click(); diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/query_bar.ts b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/query_bar.ts new file mode 100644 index 0000000000000..0ccb2b5eb9780 --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/query_bar.ts 
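Review bot: The doc comment on `enterQuery` reads "Clears text in KQL bar", copied from `clearQuery` below it; change it to `Types text into the KQL bar`. `navigateToIndicatorsTablePage` builds its selector inline as `[data-test-subj="pagination-button-${index}"]` while every other selector lives under screens/ and goes through `getDataTestSubjectSelector`; move it to screens/threat_intelligence/indicators.ts as a function constant in the style of `BLOCK_LIST_VALUE_INPUT` in screens/threat_intelligence/blocklist.ts.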
@@ -0,0 +1,115 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { clickAction, openBarchartPopoverMenu } from './common'; +import { + QUERY_BAR, + QUERY_BAR_MENU_REMOVE_ALL_FILTERS_BUTTON, + QUERY_BAR_MENU, +} from '../../screens/threat_intelligence/query_bar'; +import { + BARCHART_FILTER_IN_BUTTON, + BARCHART_FILTER_OUT_BUTTON, + INDICATORS_TABLE_CELL_FILTER_IN_BUTTON, + INDICATORS_TABLE_CELL_FILTER_OUT_BUTTON, + INDICATOR_TYPE_CELL, + FLYOUT_OVERVIEW_TAB_BLOCKS_FILTER_IN_BUTTON, + FLYOUT_OVERVIEW_TAB_BLOCKS_FILTER_OUT_BUTTON, + FLYOUT_OVERVIEW_TAB_TABLE_ROW_FILTER_IN_BUTTON, + FLYOUT_OVERVIEW_TAB_TABLE_ROW_FILTER_OUT_BUTTON, + FLYOUT_TABLE_TAB_ROW_FILTER_IN_BUTTON, + FLYOUT_TABLE_TAB_ROW_FILTER_OUT_BUTTON, + FLYOUT_OVERVIEW_HIGH_LEVEL_BLOCK_ITEM, +} from '../../screens/threat_intelligence/indicators'; + +/** + * Filter in value by clicking on the menu item within barchart popover + */ +export const filterInFromBarChartLegend = () => { + openBarchartPopoverMenu(); + cy.get(BARCHART_FILTER_IN_BUTTON).click(); +}; + +/** + * Filter out value by clicking on the menu item within barchart popover + */ +export const filterOutFromBarChartLegend = () => { + openBarchartPopoverMenu(); + cy.get(BARCHART_FILTER_OUT_BUTTON).click(); +}; + +/** + * Filter in value by clicking on the menu item within an indicators table cell + */ +export const filterInFromTableCell = () => { + clickAction(INDICATOR_TYPE_CELL, 0, INDICATORS_TABLE_CELL_FILTER_IN_BUTTON); +}; + +/** + * Filter out value by clicking on the menu item within an indicators table cell + */ +export const filterOutFromTableCell = () => { + clickAction(INDICATOR_TYPE_CELL, 0, INDICATORS_TABLE_CELL_FILTER_OUT_BUTTON); +}; + +/** + * Clears all filters within KQL bar + */ +export const clearKQLBar = () => 
{ + cy.get(QUERY_BAR).within(() => cy.get(QUERY_BAR_MENU).click()); + cy.get(QUERY_BAR_MENU_REMOVE_ALL_FILTERS_BUTTON).click(); +}; + +/** + * Filter in value from indicators flyout block item + */ +export const filterInFromFlyoutBlockItem = () => { + clickAction( + FLYOUT_OVERVIEW_HIGH_LEVEL_BLOCK_ITEM, + 0, + FLYOUT_OVERVIEW_TAB_BLOCKS_FILTER_IN_BUTTON + ); +}; + +/** + * Filter out value from indicators flyout block item + */ +export const filterOutFromFlyoutBlockItem = () => { + clickAction( + FLYOUT_OVERVIEW_HIGH_LEVEL_BLOCK_ITEM, + 0, + FLYOUT_OVERVIEW_TAB_BLOCKS_FILTER_OUT_BUTTON + ); +}; + +/** + * Filter in value from indicators flyout overview tab table + */ +export const filterInFromFlyoutOverviewTable = () => { + cy.get(FLYOUT_OVERVIEW_TAB_TABLE_ROW_FILTER_IN_BUTTON).first().click(); +}; + +/** + * Filter out value from indicators flyout overview tab table + */ +export const filterOutFromFlyoutOverviewTable = () => { + cy.get(FLYOUT_OVERVIEW_TAB_TABLE_ROW_FILTER_OUT_BUTTON).first().click(); +}; + +/** + * Filter in value from indicators flyout overview tab table + */ +export const filterInFromFlyoutTableTab = () => { + cy.get(FLYOUT_TABLE_TAB_ROW_FILTER_IN_BUTTON).first().click(); +}; + +/** + * Filter out value from indicators flyout overview tab table + */ +export const filterOutFromFlyoutTableTab = () => { + cy.get(FLYOUT_TABLE_TAB_ROW_FILTER_OUT_BUTTON).first().click(); +}; diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/timeline.ts b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/timeline.ts new file mode 100644 index 0000000000000..be4e7e618b6eb --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/tasks/threat_intelligence/timeline.ts 
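Review bot: The doc comments on `filterInFromFlyoutTableTab` and `filterOutFromFlyoutTableTab` say "from indicators flyout overview tab table", duplicating the comments of the `...FlyoutOverviewTable` helpers above them, although these click the `FLYOUT_TABLE_TAB_ROW_*` buttons on the flyout's Table tab; change them to `Filter in value from indicators flyout table tab` / `Filter out value from indicators flyout table tab`. `clearKQLBar` clicks `QUERY_BAR_MENU_REMOVE_ALL_FILTERS_BUTTON` unconditionally, so it fails when no filter is present; a one-line comment that callers must have added a filter first would match how query_bar.cy.ts uses it.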
@@ -0,0 +1,80 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { clickAction, openBarchartPopoverMenu } from './common';
+import {
+ CLOSE_TIMELINE_BTN,
+ FLYOUT_INVESTIGATE_IN_TIMELINE_ITEM,
+ FLYOUT_OVERVIEW_TAB_TABLE_ROW_TIMELINE_BUTTON,
+ INDICATORS_TABLE_CELL_TIMELINE_BUTTON,
+ INDICATORS_TABLE_INVESTIGATE_IN_TIMELINE_BUTTON_ICON,
+ UNTITLED_TIMELINE_BUTTON,
+} from '../../screens/threat_intelligence/timeline';
+import {
+ BARCHART_TIMELINE_BUTTON,
+ FLYOUT_BLOCK_MORE_ACTIONS_BUTTON,
+ FLYOUT_OVERVIEW_HIGH_LEVEL_BLOCK_ITEM,
+ FLYOUT_TABLE_MORE_ACTIONS_BUTTON,
+ INDICATOR_TYPE_CELL,
+} from '../../screens/threat_intelligence/indicators';
+
+/**
+ * Add data to timeline from barchart legend menu item
+ */
+export const addToTimelineFromBarchartLegend = () => {
+ openBarchartPopoverMenu();
+ cy.get(BARCHART_TIMELINE_BUTTON).first().click();
+};
+/**
+ * Add data to timeline from indicators table cell menu
+ */
+export const addToTimelineFromTableCell = () => {
+ clickAction(INDICATOR_TYPE_CELL, 0, INDICATORS_TABLE_CELL_TIMELINE_BUTTON);
+};
+
+/**
+ * Open untitled timeline from button in footer
+ */
+export const openTimeline = () => {
+ cy.get(UNTITLED_TIMELINE_BUTTON).first().click();
+};
+
+/**
+ * Close flyout button in top right corner
+ */
+export const closeTimeline = () => {
+ cy.get(CLOSE_TIMELINE_BTN).should('be.visible').click();
+};
+
+/**
+ * Add data to timeline from flyout overview tab table
+ */
+export const addToTimelineFromFlyoutOverviewTabTable = () => {
+ cy.get(FLYOUT_TABLE_MORE_ACTIONS_BUTTON).first().click();
+ cy.get(FLYOUT_OVERVIEW_TAB_TABLE_ROW_TIMELINE_BUTTON).first().click();
+};
+
+/**
+ * Add data to timeline from flyout overview tab block
+ */
+export const addToTimelineFromFlyoutOverviewTabBlock = () => {
+ clickAction(FLYOUT_OVERVIEW_HIGH_LEVEL_BLOCK_ITEM, 0, FLYOUT_BLOCK_MORE_ACTIONS_BUTTON);
+};
+
+/**
+ * Investigate data to timeline from indicators table row
+ */
+export const investigateInTimelineFromTable = () => {
+ cy.get(INDICATORS_TABLE_INVESTIGATE_IN_TIMELINE_BUTTON_ICON).first().click();
+};
+
+/**
+ * Investigate data to timeline from flyout take action button
+ */
+export const investigateInTimelineFromFlyout = () => {
+ cy.get(FLYOUT_INVESTIGATE_IN_TIMELINE_ITEM).first().click();
+};
diff --git a/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_invalid/data.json b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_invalid/data.json
new file mode 100644
index 0000000000000..664ef1b35417f
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_invalid/data.json
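Review bot: `addToTimelineFromFlyoutOverviewTabBlock` only passes `FLYOUT_BLOCK_MORE_ACTIONS_BUTTON` to `clickAction`, whereas its sibling `addToTimelineFromFlyoutOverviewTabTable` first opens `FLYOUT_TABLE_MORE_ACTIONS_BUTTON` and then clicks `FLYOUT_OVERVIEW_TAB_TABLE_ROW_TIMELINE_BUTTON`; unless `clickAction` (defined in ./common, outside this hunk) does more than click the named action, the block helper appears to stop at opening the more-actions menu and never adds anything to the timeline, so either a follow-up click on the timeline menu item is missing or the docstring should say `* Open the more-actions menu of a flyout overview tab block item`. Separately, the docstring on `closeTimeline` reads "Close flyout button in top right corner" although the helper clicks `CLOSE_TIMELINE_BTN`; `* Close the timeline via its close button` matches what it does. As a point of style, `addToTimelineFromBarchartLegend` is the only helper in the file not followed by a blank line before the next docstring.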
@@ -0,0 +1,1809 @@ +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "RP0HlUQkToBRTlZeGAItbyWMx1E=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.677Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.677Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "a7f997be65f62fdbe5ec076f0fe207f7", + "d86e656455f985357df3063dff6637f7f3b95bb27d1769a6b88c7adecaf7763f", + "6144:Eiu4rKJqctSMeWml5SBm5bT6rhnMqvTRrbx50Elf03jhBtGuYEs0gw4N1c5b8Onl:vuI6QWm+6bTShnMIRUEKThB1sn5hOnl", + "T15194232F21ACD2E5F4379415A97680C8DE041E08695B5F2AD73B237AC5EF2F682C57" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha256": "sha256", + "md5": "md5", + "sha1": "sha1", + "sha224": "sha224", + "sha3-224": "sha3-224", + "sha3-256": "sha3-256", + "sha384": "sha384", + "sha3-384": "sha3-384", + "sha512": "sha512", + "sha3-512": "sha3-512", + "sha512/224": "sha512/224", + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": "tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 441803, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:44.000Z", 
+ "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "C4ObxkoTZzcjmk1jFwGlRadzMnA=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.678Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/d3e2cf87eabf84ef929aaf8dad1431b3387f5a26de8ffb7a0c3c2a13f973c0ab/detection/f-d3e2cf8", + "percent": 41.94, + "result": "26 / 62" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.678Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "cce28cbfb3cb7ecdae0f5969476f3f09", + "d3e2cf87eabf84ef929aaf8dad1431b3387f5a26de8ffb7a0c3c2a13f973c0ab", + "24576:WEnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7q:WEnrkRDDzCFeGvMTM2/gY9vxv7o7q", + "T1F95533F3C00FA54679E42E57649F8B2996112DFC8A9C412ECA743397E4D782C869BC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "md5", + "sha1": "sha1", + "sha224": "sha224", + "sha3-224": "sha3-224", + "sha3-256": "sha3-256", + "sha384": "sha384", + "sha3-384": "sha3-384", + "sha512": "sha512", + "sha3-512": "sha3-512", + "sha512/224": "sha512/224", + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": "tlsh", + 
"impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 1361342, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:40.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "5hGL0ETQsk+B0L7ryVcQVwsYhOk=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.678Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/4880faee7a174bf9701c7356137b2fed8681525527deb2d1c8a1c7a6d0e7eaaa/detection/f-4880fae", + "percent": 39.34, + "result": "24 / 61" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.678Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "261b83754435cc988d8d37abe8b97f4c", + "4880faee7a174bf9701c7356137b2fed8681525527deb2d1c8a1c7a6d0e7eaaa", + "24576:O4nrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7V:O4nrkRDDzCFeGvMTM2/gY9vxv7o7V", + "T19D5533F3C00FA51A79D03A4668AF875D95112DAC8A9C412ECA74339BD9C7C2CD697C" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha1": "sha1", + "sha224": "sha224", + "sha3-224": "sha3-224", + "sha3-256": "sha3-256", + "sha384": 
"sha384", + "sha3-384": "sha3-384", + "sha512": "sha512", + "sha3-512": "sha3-512", + "sha512/224": "sha512/224", + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": "tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 1361341, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:39.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "qq3AKvjp1c/FBtEoh10Vt+PsT14=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.678Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.678Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "354f8e74f6a070127fe6c5247c99b937", + "bcc53ec3c58f46b331550725ac1ea79070368c672584861027f13f08ff18402e", + "12:6ia5Wl1LCHBF5CRyPFJ+QIGZL5sR6Tl/WQPKlQHl2+ew5+qzL35BE3t5:i5WK4EFJzN5d14+ewN9C3n", + "T164017540AD6A9BF525086CF97D86390884AB61E850ABD19CFE4DDB44153E15083520" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha224": "sha224", + "sha3-224": "sha3-224", + "sha3-256": "sha3-256", + "sha384": "sha384", + "sha3-384": "sha3-384", + "sha512": 
"sha512", + "sha3-512": "sha3-512", + "sha512/224": "sha512/224", + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": "tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 782, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:37.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "CNCiNUxTNHF5qyRWclltlrnxwhk=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.678Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/cce0876cfaf187e222cdfba3469ed75da67e2c43067750e36ac0bb3299964f6d/detection/f-cce0876", + "percent": 41.94, + "result": "26 / 62" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.678Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "ef633ad733a6c18a008150c34e708b2a", + "cce0876cfaf187e222cdfba3469ed75da67e2c43067750e36ac0bb3299964f6d", + "24576:dkiaxnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIbZ:OiaxnrkRDDzCFeGvMTM2/gY9vxv7o7d", + "T1675533F7C00FA50675D06943689F8B6E96112EAC8B9C412DCA343397E9C792C92DBC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + 
"indicator": { + "file": { + "hash": { + "sha3-224": "sha3-224", + "sha3-256": "sha3-256", + "sha384": "sha384", + "sha3-384": "sha3-384", + "sha512": "sha512", + "sha3-512": "sha3-512", + "sha512/224": "sha512/224", + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": "tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 1361341, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:35.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "Rk80kuvgnMegEB+1jhGlgLO5h5Y=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/377d56f1683ee27d9147bc2bb2c417926686abfee7705de96a032f982c9f6364/detection/f-377d56f", + "percent": 42.62, + "result": "26 / 61" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "24dda97b79673d8676c3cfc3c83e694c", + "377d56f1683ee27d9147bc2bb2c417926686abfee7705de96a032f982c9f6364", + "24576:CRnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7o:CnrkRDDzCFeGvMTM2/gY9vxv7o7o", + 
"T1C95533F3C00FA90679D06A57A09F872E96112DBC8B9C512ECA703357E5D7C2C9697C" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha3-256": "sha3-256", + "sha384": "sha384", + "sha3-384": "sha3-384", + "sha512": "sha512", + "sha3-512": "sha3-512", + "sha512/224": "sha512/224", + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": "tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 1361346, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:30.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "oF2/6vlWcu7040SDtfZuBX4sXEo=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "375677c2333221471a9dbabb4cf100f8", + "7b8f4047dd83e8a9e9642a9ef1af05756ad29a15e45a2b7de0a1959976def4f6", + "48:Mfh7te/6TxaYWLcv2CfnQE2HVt51fo/Gjw:SJe/6Txa19CfnB2HVtTgD", + "T15731FAD01EDCA96960E677BB0635B53748ED382D4C031835F652CD7244B199C10293" + ] + }, + "tags": [ + "forwarded", + 
"abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha384": "sha384", + "sha3-384": "sha3-384", + "sha512": "sha512", + "sha3-512": "sha3-512", + "sha512/224": "sha512/224", + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": "tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 1666, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:30.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "mgUWSsWrUtqPZFUpBNhFU75TKyc=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "f086951b963255abf639d261ddc17d69", + "3c2a0cd048eccf7a3d61455db095d5900880fec9a06a3c8698a6f4ac0e30f9ea", + "12288:Q4n4CkVBDDYcoY7UDn8QUoMlZ6+syJsTXy8VAz6VerIFyZGvMPPQ457kWjfa2mQr:Q4nrkvPLK8Qtaw+sy0AdrIFeGvoPTM2z", + "T1ABF433E7C20ED45DB0A42A03FDB3C65E8A241CA41D0C412F96353282DDDBD2CA697C" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha3-384": "sha3-384", + 
"sha512": "sha512", + "sha3-512": "sha3-512", + "sha512/224": "sha512/224", + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": "tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 767547, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:30.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "auKnqhqoLKmnMsohKHQMvqvLSK4=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "c44b945dba0433b8c1ed8467ed109128", + "56e1313ad26fdf3f105959c76eb9b6ec1653285a2d2f900b6e8ca82d100ae666", + "12288:luVn4CkVBDDYcoY7UDn8QUoMlZ6+syJsTXy8VAz6VerIFyZGvMPPQv:luVnrkvPLK8Qtaw+sy0AdrIFeGvoPU", + "T1D9A423FBC40EA157F4D02E8A65EBCA9C053C2DAC0C594D249235308ACED953DBD96E" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha512": "sha512", + "sha3-512": "sha3-512", + "sha512/224": "sha512/224", + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": "tlsh", + "impfuzzy": 
"impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 475136, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:29.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "Llc8xZPNZbUM6j5sAHAFCeyu+po=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/e1d9c3d1ec47342b333cb3d82f28167585377e1c7ff4f5743ae085ba4e4f5cf7/detection/f-e1d9c3d", + "percent": 32.69, + "result": "17 / 52" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "89c639a74da0b66661bcda4c632fc4b5", + "e1d9c3d1ec47342b333cb3d82f28167585377e1c7ff4f5743ae085ba4e4f5cf7", + "24576:TkiaxnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIbe:YiaxnrkRDDzCFeGvMTM2/gY9vxv7o7q", + "T18C5533F7C00FA50675D46947689F8B6E96112EAC8B9C412ECA343357E9C782C92DBC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha3-512": "sha3-512", + "sha512/224": "sha512/224", + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": 
"tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 1361347, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:23.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "VbMLdKEoQI/Xli/LgjmvMOlGYZY=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "e8f9dc1ebc9c3836e630ea890f49062c", + "99b0048497cf99ac223f56fdc57e9c9da368474bfd3249333d20245617584a36", + "12288:ZrNSkSCzn4CawkkDYcjt2PwnnbziBHZy+syptTHysl8Zz6xW3rIBGrS35jhQgZUb:lNnSCznrawnPjt2PibziFI+syIZoSrI8", + "T1EAD423FBAD4FE145F4B63D56ACAC8B8C61147AF5070E8A20D82DB448454F66C29E7C" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha512/224": "sha512/224", + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": "tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 607710, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:21.000Z", + 
"type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "/6DDSx9lUsUoJUF8QSZiQ/oMvmQ=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "96dd2f36a091a5ebb2fbc8a4521165ee", + "1e60c0e0b23ba3767698116522460ee55cc44c3f4dc9d295bf572bedd5ac0f65", + "1536:IN9xqKCppztoghURX5Ll1bYL1T+6XpcT9YpDFa+9:IN9xqfftLhoJbYE6XOT9R+9", + "T11D23D1FB616D7CF1772BEED66E013B1A97BEC1C6052D1118AA5D8B9E2444C284FD0B" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha512/256": "sha512/256", + "ssdeep": "ssdeep", + "tlsh": "tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 49326, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:20.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "d+KIrgaxYVhvb/sqhlb5AYOHQDo=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": 
"2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "b339f90894265cb97515daa470af07cf", + "d0bd2eb817f80077a36b975511e8229822e8c34977a6fcdf890c996e7ef824e7", + "96:CeAh/kdPbox9Xvn9jx77DWtozT1oImYAwjrTXTd4JBR4pxG+WP:CnMbox9/nXWtLImYAUTR4jRckP", + "T197916CFC910373F4642EF274EA4BEA722BE6E4F415EC1A43496A5250E23F2D1B2037" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "ssdeep": "ssdeep", + "tlsh": "tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 4240, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:20.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "bAPvrGKWj/ess46s3KwFqAJ8+tc=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + 
"dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "a977be9538079d04662cb855472280f0", + "b169429bc31d82019f106c1a4888bf0cb09cdd67223ab8ee11ad1cb22e5b33d8", + "48:JY1vl8uN9y+xhS/frD/yPkrceiEJ77ejwqu3GHmcjBMInNeAVOp4P1Y:JA8CyxvJiE17gwqcGGGmInNeAVOA1Y", + "T1E0514CE79E74FD4AD8E01B49383529032FD325EE050A405D7D77312856722B5D051B" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "tlsh": "tlsh", + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 2762, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:18.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "uM8A5Yr/gMJ4tPHb9XIABYC/mRk=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + 
"category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "ff8378ca6de4242367a38c559481b269", + "825c15ab9faf964fb5a904953dd2d37abbce9e140dbd4cc22e0cd37a3ea76ae4", + "24:d8sxTEAby02+ygbBSND09H6j/NljGCBm5fLrkHsu4MHlerNhBzGCt3Th9Nwn:dvT80FKDqHI/2P5fLrgJler1zGCt9Nw", + "T18F31D894CBF5B99B65302DBC0FA5AD508C641E5C3ABCC8348F6A905A69994D3814CD" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "impfuzzy": "impfuzzy", + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 1665, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:16.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "YPTTIf8ctfvqnTo2W9OpoJD6n9Q=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "5dcb49bc49109e90f5c6b8e5597b80ca", + 
"51bbdb79175fe1a9bb2ba6055f80bdd35d8486781881fef5cfe8d28b86c5870d", + "48:dyin3B3LH5XfXaImL3esbl9HglyiqRuBrTgq:d53B9XfX8L1vgnqRW0q", + "T15431D836CB901B7FD26B160350A2A96527AF8C5B5B9F4C292816FC0AC354C634FA66" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "imphash": "imphash", + "pehash": "pehash", + "vhash": "vhash" + }, + "pe": { + }, + "size": 1664, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:09.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "UJBUWYV6AtCidXCm1NBsWtAYWZI=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "72ec96611a0b5f493854a5dcdd1aa528", + "c5df0748e8b023886b12647c050a826a7b43374cdc9112124e55ed46a4f926d2", + "24:991g7c6kzftBeaOY3+1Zc0Iq3aGG9wpe8kZyLq39C7U:99evkbNv3iYXd5ILOCg", + "T1CA114437127EC8A9D93004342166AE26D1009941146099CBAB575D368C877C32F42B" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "pehash": "pehash", + "vhash": "vhash" 
+ }, + "pe": { + }, + "size": 909, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:07.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "e1yn2nAO9PlprMEaPBhcjgg9lwE=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "9707127fb08e7956151dda4f502cf707", + "71f5f598623fefd1d6bad450da4cb736b3b2cfb9a62c8d867da8516641df73b3", + "12288:gwnSE7CkFiurKQXYFZlIo1aMrIw8ZoOajbxYE/:gqSORnXmHsbl6V3L/", + "T1ECB4233A9AECEAE05B6F8DD075B9B641B05E32E145F9533CC869C0AF87170E602857" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "vhash": "vhash" + }, + "pe": { + }, + "size": 507323, + "type": "zip" + }, + "first_seen": "2022-06-02T13:28:27.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "e74l+UPbo6o0DotQc8Roo3OVcJQ=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": 
{ + "virustotal": { + "link": "https://www.virustotal.com/gui/file/38262d6bbeb72bfe5a3baf36250ee80a6824c4d6e1079e4cfdc6869c065693df/detection/f-38262d6", + "percent": 27.42, + "result": "17 / 62" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "f1650fc9608337179d7424c87f1ee737", + "38262d6bbeb72bfe5a3baf36250ee80a6824c4d6e1079e4cfdc6869c065693df", + "24576:1EnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7P:1EnrkRDDzCFeGvMTM2/gY9vxv7o7P", + "T11F5533F3C00FA54679E42E57649F8B2996112DFC8A9C412ECA743397E4D782C869BC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": {}, + "pe": { + }, + "size": 1361344, + "type": "zip" + }, + "first_seen": "2022-06-02T13:27:51.000Z", + "type": "file" + } + } + } + } +} + + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "XIDmYG67Bs5j3njl7xYKAyH1emM=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/cfb001ca42b62b1ade9220f44bd6479aff6eeaaa108aa98a4b0169ea1dec8e86/detection/f-cfb001c", + "percent": 38.1, + "result": "24 / 63" + } + } 
+ }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "970e0ba1981035359600b63b43b10bc0", + "cfb001ca42b62b1ade9220f44bd6479aff6eeaaa108aa98a4b0169ea1dec8e86", + "24576:MRnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7P:cnrkRDDzCFeGvMTM2/gY9vxv7o7P", + "T1025533F3C00FA90679D07A57A09F872E96112DB88B9C512ECA703357E5D7C2C9697C" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "first_seen": "2022-06-02T13:27:50.000Z", + "type": "file" + } + } + } + } +} + + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "TxxcH4E0aWG8D8rloVjU3cK+sy0=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.685Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/f1121e7b8419f84a7c8ad91acd9d4d804d78bb10a899cee1ab4f0b349097eb94/detection/f-f1121e7", + "percent": 43.55, + "result": "27 / 62" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + 
"type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.685Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "d04039c9b1f2d6f13a17962c6131e573", + "f1121e7b8419f84a7c8ad91acd9d4d804d78bb10a899cee1ab4f0b349097eb94", + "24576:ikiaxnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIbS:HiaxnrkRDDzCFeGvMTM2/gY9vxv7o7m", + "T17D5533F7C00FA50679D46947689F8B6E96112EAC8B9C412ECA343357E5C782C92DBC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": {} + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "0j+BQ8HFrDQYe5kbXMc9ANSCjBY=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.685Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/a2b6f823f7ce67a0b5ac0a0561139693e526f6c5b4a2ba05d20fd9e467e9dacc/detection/f-a2b6f82", + "percent": 41.67, + "result": "25 / 60" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.685Z", + "dataset": "ti_abusech.malware", + "ingested": 
"2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "2209a62733aa8fd802e60508ecce900a", + "a2b6f823f7ce67a0b5ac0a0561139693e526f6c5b4a2ba05d20fd9e467e9dacc", + "24576:hUQ2zgDnrawnPjt2PibziFI+syIZoSrI0r+xGgWdVnG45U3D9WHqyraYvb9mRhpt:CQm8nrawTGDIZoB0r+xkdciU5WHqgUjt", + "T19D5533FB4C4B9556B9F4AA43A88D8B3C9000E5EC574CA670D908C9FEE44B7B850DB8" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ] + } + } +} diff --git a/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_invalid/mappings.json b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_invalid/mappings.json new file mode 100644 index 0000000000000..e0837a100a9a0 --- /dev/null +++ b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_invalid/mappings.json 
@@ -0,0 +1,1599 @@ +{ + "type": "data_stream", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "template": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "data_stream": { + "allow_custom_routing": false, + "hidden": false + }, + "index_patterns": [ + "logs-ti_abusech.malware-*" + ], + "name": "logs-ti_abusech.malware", + "priority": 200, + "template": { + "mappings": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "abusech": { + "properties": { + "malware": { + "properties": { + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "virustotal": { + "properties": { + "link": { + "ignore_above": 1024, + "type": "keyword" + }, + "percent": { + "type": "float" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + 
"id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "constant_keyword", + "value": "ti_abusech.malware" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "ti_abusech" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"family": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + } + } + }, + "message": { + "type": "match_only_text" + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "feed": { + "properties": { + "dashboard_id": { + "type": "constant_keyword", + "value": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6" + }, + "name": { + "type": "constant_keyword", + "value": "AbuseCH Malware" + } + } + }, + "indicator": { + "properties": { + "file": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + 
"settings": { + "index": { + "codec": "best_compression", + "default_pipeline": "logs-ti_abusech.malware-1.3.1", + "final_pipeline": ".fleet_final_pipeline-1", + "lifecycle": { + "name": "logs" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.kind", + "event.category", + "event.type", + "event.original", + "threat.indicator.type", + "threat.indicator.file.type", + "threat.indicator.file.hash.md5", + "threat.indicator.file.hash.sha256", + "threat.indicator.file.hash.ssdeep", + "threat.indicator.file.hash.tlsh", + "threat.indicator.file.pe.imphash", + "threat.indicator.provider", + "input.type", + "log.flags", + "log.file.path", + "ecs.version", + "message", + "error.message", + "tags", + "related.hash", + "abusech.malware.signature", + "abusech.malware.virustotal.result", + "abusech.malware.virustotal.link" + ] + } + } + } + } + } + } +} + +{ + "type": "data_stream", + "value": { + "data_stream": "logs-ti_abusech.malwarebazaar-default", + "template": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "data_stream": { + "allow_custom_routing": false, + "hidden": false + }, + "index_patterns": [ + "logs-ti_abusech.malwarebazaar-*" + ], + "name": "logs-ti_abusech.malwarebazaar", + "priority": 200, + "template": { + "mappings": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + 
"date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "abusech": { + "properties": { + "malwarebazaar": { + "properties": { + "anonymous": { + "type": "long" + }, + "code_sign": { + "ignore_above": 1024, + "type": "keyword" + }, + "intelligence": { + "properties": { + "downloads": { + "type": "long" + }, + "mail": { + "properties": { + "Generic": { + "ignore_above": 1024, + "type": "keyword" + }, + "IT": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "uploads": { + "type": "long" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + 
"type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "constant_keyword", + "value": "ti_abusech.malwarebazaar" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "ti_abusech" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + 
} + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + } + } + }, + "message": { + "type": "match_only_text" + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "feed": { + "properties": { + "dashboard_id": { + "type": "constant_keyword", + "value": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6" + }, + "name": { + "type": "constant_keyword", + "value": "AbuseCH MalwareBazaar" + } + } + }, + "indicator": { + "properties": { + "file": { + "properties": { + "elf": { + "properties": { + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "last_seen": { + "type": "date" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "settings": { + "index": { + "codec": "best_compression", + "default_pipeline": "logs-ti_abusech.malwarebazaar-1.3.1", + "final_pipeline": ".fleet_final_pipeline-1", + "lifecycle": { + "name": "logs" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.kind", + "event.category", + "event.type", + "event.original", + "threat.indicator.type", + "threat.indicator.file.type", + "threat.indicator.file.name", + "threat.indicator.file.extension", + "threat.indicator.file.hash.sha1", + "threat.indicator.file.hash.md5", + "threat.indicator.file.hash.sha256", + "threat.indicator.file.hash.ssdeep", + 
"threat.indicator.file.hash.sha384", + "threat.indicator.file.hash.tlsh", + "threat.indicator.file.mime_type", + "threat.indicator.file.pe.imphash", + "threat.indicator.file.elf.telfhash", + "threat.indicator.file.x509.subject.common_name", + "threat.indicator.file.x509.issuer.common_name", + "threat.indicator.file.x509.public_key_algorithm", + "threat.indicator.file.x509.serial_number", + "threat.indicator.provider", + "threat.indicator.geo.country_iso_code", + "threat.software.alias", + "input.type", + "log.flags", + "log.file.path", + "ecs.version", + "message", + "error.message", + "tags", + "related.hash", + "abusech.malwarebazaar.tags", + "abusech.malwarebazaar.intelligence.mail.Generic", + "abusech.malwarebazaar.intelligence.mail.IT", + "abusech.malwarebazaar.code_sign" + ] + } + } + } + } + } + } +} + +{ + "type": "data_stream", + "value": { + "data_stream": "logs-ti_abusech.url-default", + "template": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "data_stream": { + "allow_custom_routing": false, + "hidden": false + }, + "index_patterns": [ + "logs-ti_abusech.url-*" + ], + "name": "logs-ti_abusech.url", + "priority": 200, + "template": { + "mappings": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "abusech": { + "properties": { + "url": { + "properties": { + "blacklists": { + "properties": { + "spamhaus_dbl": { + "ignore_above": 1024, + "type": "keyword" + }, + "surbl": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "larted": { + "type": "boolean" + }, + "reporter": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "ignore_above": 1024, + "type": "keyword" + }, + "url_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlhaus_reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": 
"constant_keyword", + "value": "ti_abusech.url" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "ti_abusech" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "threat": { + "properties": { + "feed": { + "properties": { + "dashboard_id": { + "type": "constant_keyword", + "value": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6" + }, + "name": { + "type": "constant_keyword", + "value": "AbuseCH URL" + } + } + }, + "indicator": { + "properties": { + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "wildcard" + }, + "path": { + "ignore_above": 1024, + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + }, + "settings": { + "index": { + "codec": "best_compression", + "default_pipeline": "logs-ti_abusech.url-1.3.1", + "final_pipeline": ".fleet_final_pipeline-1", + "lifecycle": { + "name": "logs" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + 
"host.os.build", + "host.os.codename", + "host.type", + "event.kind", + "event.category", + "event.type", + "event.original", + "threat.indicator.type", + "threat.indicator.reference", + "threat.indicator.url.domain", + "threat.indicator.url.full", + "threat.indicator.url.extension", + "threat.indicator.url.original", + "threat.indicator.url.path", + "threat.indicator.url.scheme", + "threat.indicator.url.query", + "threat.indicator.provider", + "input.type", + "log.flags", + "log.file.path", + "ecs.version", + "message", + "error.message", + "tags", + "abusech.url.id", + "abusech.url.urlhaus_reference", + "abusech.url.url_status", + "abusech.url.threat", + "abusech.url.reporter", + "abusech.url.tags", + "abusech.url.blacklists.spamhaus_dbl", + "abusech.url.blacklists.surbl" + ] + } + } + } + } + } + } +} diff --git a/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_multiple/data.json b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_multiple/data.json new file mode 100644 index 0000000000000..cb46bec034cb8 --- /dev/null +++ b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_multiple/data.json 
@@ -0,0 +1,2567 @@ +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "RP0HlUQkToBRTlZeGAItbyWMx1E=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T11:29:47.677Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T11:29:47.677Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T11:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "a7f997be65f62fdbe5ec076f0fe207f7", + "d86e656455f985357df3063dff6637f7f3b95bb27d1769a6b88c7adecaf7763f", + "6144:Eiu4rKJqctSMeWml5SBm5bT6rhnMqvTRrbx50Elf03jhBtGuYEs0gw4N1c5b8Onl:vuI6QWm+6bTShnMIRUEKThB1sn5hOnl", + "T15194232F21ACD2E5F4379415A97680C8DE041E08695B5F2AD73B237AC5EF2F682C57" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "a7f997be65f62fdbe5ec076f0fe207f7", + "sha256": "d86e656455f985357df3063dff6637f7f3b95bb27d1769a6b88c7adecaf7763f", + "ssdeep": "6144:Eiu4rKJqctSMeWml5SBm5bT6rhnMqvTRrbx50Elf03jhBtGuYEs0gw4N1c5b8Onl:vuI6QWm+6bTShnMIRUEKThB1sn5hOnl", + "tlsh": "T15194232F21ACD2E5F4379415A97680C8DE041E08695B5F2AD73B237AC5EF2F682C57" + }, + "pe": { + }, + "size": 441803, + "type": "zip" + }, + "first_seen": "2022-06-02T11:29:44.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": 
"logs-ti_abusech.malware-default", + "id": "C4ObxkoTZzcjmk1jFwGlRadzMnA=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T12:29:47.678Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/d3e2cf87eabf84ef929aaf8dad1431b3387f5a26de8ffb7a0c3c2a13f973c0ab/detection/f-d3e2cf8", + "percent": 41.94, + "result": "26 / 62" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T12:29:47.678Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T12:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "cce28cbfb3cb7ecdae0f5969476f3f09", + "d3e2cf87eabf84ef929aaf8dad1431b3387f5a26de8ffb7a0c3c2a13f973c0ab", + "24576:WEnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7q:WEnrkRDDzCFeGvMTM2/gY9vxv7o7q", + "T1F95533F3C00FA54679E42E57649F8B2996112DFC8A9C412ECA743397E4D782C869BC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "cce28cbfb3cb7ecdae0f5969476f3f09", + "sha256": "d3e2cf87eabf84ef929aaf8dad1431b3387f5a26de8ffb7a0c3c2a13f973c0ab", + "ssdeep": "24576:WEnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7q:WEnrkRDDzCFeGvMTM2/gY9vxv7o7q", + "tlsh": "T1F95533F3C00FA54679E42E57649F8B2996112DFC8A9C412ECA743397E4D782C869BC" + }, + "pe": { + }, + "size": 1361342, + "type": "zip" + }, + 
"first_seen": "2022-06-02T12:29:40.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "5hGL0ETQsk+B0L7ryVcQVwsYhOk=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.678Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/4880faee7a174bf9701c7356137b2fed8681525527deb2d1c8a1c7a6d0e7eaaa/detection/f-4880fae", + "percent": 39.34, + "result": "24 / 61" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.678Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "261b83754435cc988d8d37abe8b97f4c", + "4880faee7a174bf9701c7356137b2fed8681525527deb2d1c8a1c7a6d0e7eaaa", + "24576:O4nrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7V:O4nrkRDDzCFeGvMTM2/gY9vxv7o7V", + "T19D5533F3C00FA51A79D03A4668AF875D95112DAC8A9C412ECA74339BD9C7C2CD697C" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "261b83754435cc988d8d37abe8b97f4c", + "sha256": "4880faee7a174bf9701c7356137b2fed8681525527deb2d1c8a1c7a6d0e7eaaa", + "ssdeep": "24576:O4nrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7V:O4nrkRDDzCFeGvMTM2/gY9vxv7o7V", + "tlsh": 
"T19D5533F3C00FA51A79D03A4668AF875D95112DAC8A9C412ECA74339BD9C7C2CD697C" + }, + "pe": { + }, + "size": 1361341, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:39.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "qq3AKvjp1c/FBtEoh10Vt+PsT14=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.678Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.678Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "354f8e74f6a070127fe6c5247c99b937", + "bcc53ec3c58f46b331550725ac1ea79070368c672584861027f13f08ff18402e", + "12:6ia5Wl1LCHBF5CRyPFJ+QIGZL5sR6Tl/WQPKlQHl2+ew5+qzL35BE3t5:i5WK4EFJzN5d14+ewN9C3n", + "T164017540AD6A9BF525086CF97D86390884AB61E850ABD19CFE4DDB44153E15083520" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "354f8e74f6a070127fe6c5247c99b937", + "sha256": "bcc53ec3c58f46b331550725ac1ea79070368c672584861027f13f08ff18402e", + "ssdeep": "12:6ia5Wl1LCHBF5CRyPFJ+QIGZL5sR6Tl/WQPKlQHl2+ew5+qzL35BE3t5:i5WK4EFJzN5d14+ewN9C3n", + "tlsh": "T164017540AD6A9BF525086CF97D86390884AB61E850ABD19CFE4DDB44153E15083520" + }, + "pe": { + }, + "size": 782, + 
"type": "unknown" + }, + "first_seen": "2022-06-02T13:29:37.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "CNCiNUxTNHF5qyRWclltlrnxwhk=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.678Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/cce0876cfaf187e222cdfba3469ed75da67e2c43067750e36ac0bb3299964f6d/detection/f-cce0876", + "percent": 41.94, + "result": "26 / 62" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.678Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "ef633ad733a6c18a008150c34e708b2a", + "cce0876cfaf187e222cdfba3469ed75da67e2c43067750e36ac0bb3299964f6d", + "24576:dkiaxnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIbZ:OiaxnrkRDDzCFeGvMTM2/gY9vxv7o7d", + "T1675533F7C00FA50675D06943689F8B6E96112EAC8B9C412DCA343397E9C792C92DBC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "ef633ad733a6c18a008150c34e708b2a", + "sha256": "cce0876cfaf187e222cdfba3469ed75da67e2c43067750e36ac0bb3299964f6d", + "ssdeep": 
"24576:dkiaxnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIbZ:OiaxnrkRDDzCFeGvMTM2/gY9vxv7o7d", + "tlsh": "T1675533F7C00FA50675D06943689F8B6E96112EAC8B9C412DCA343397E9C792C92DBC" + }, + "pe": { + }, + "size": 1361341, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:35.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "Rk80kuvgnMegEB+1jhGlgLO5h5Y=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/377d56f1683ee27d9147bc2bb2c417926686abfee7705de96a032f982c9f6364/detection/f-377d56f", + "percent": 42.62, + "result": "26 / 61" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "24dda97b79673d8676c3cfc3c83e694c", + "377d56f1683ee27d9147bc2bb2c417926686abfee7705de96a032f982c9f6364", + "24576:CRnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7o:CnrkRDDzCFeGvMTM2/gY9vxv7o7o", + "T1C95533F3C00FA90679D06A57A09F872E96112DBC8B9C512ECA703357E5D7C2C9697C" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": 
"24dda97b79673d8676c3cfc3c83e694c", + "sha256": "377d56f1683ee27d9147bc2bb2c417926686abfee7705de96a032f982c9f6364", + "ssdeep": "24576:CRnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7o:CnrkRDDzCFeGvMTM2/gY9vxv7o7o", + "tlsh": "T1C95533F3C00FA90679D06A57A09F872E96112DBC8B9C512ECA703357E5D7C2C9697C" + }, + "pe": { + }, + "size": 1361346, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:30.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "oF2/6vlWcu7040SDtfZuBX4sXEo=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "375677c2333221471a9dbabb4cf100f8", + "7b8f4047dd83e8a9e9642a9ef1af05756ad29a15e45a2b7de0a1959976def4f6", + "48:Mfh7te/6TxaYWLcv2CfnQE2HVt51fo/Gjw:SJe/6Txa19CfnB2HVtTgD", + "T15731FAD01EDCA96960E677BB0635B53748ED382D4C031835F652CD7244B199C10293" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "375677c2333221471a9dbabb4cf100f8", + "sha256": "7b8f4047dd83e8a9e9642a9ef1af05756ad29a15e45a2b7de0a1959976def4f6", + 
"ssdeep": "48:Mfh7te/6TxaYWLcv2CfnQE2HVt51fo/Gjw:SJe/6Txa19CfnB2HVtTgD", + "tlsh": "T15731FAD01EDCA96960E677BB0635B53748ED382D4C031835F652CD7244B199C10293" + }, + "pe": { + }, + "size": 1666, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:30.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "mgUWSsWrUtqPZFUpBNhFU75TKyc=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "f086951b963255abf639d261ddc17d69", + "3c2a0cd048eccf7a3d61455db095d5900880fec9a06a3c8698a6f4ac0e30f9ea", + "12288:Q4n4CkVBDDYcoY7UDn8QUoMlZ6+syJsTXy8VAz6VerIFyZGvMPPQ457kWjfa2mQr:Q4nrkvPLK8Qtaw+sy0AdrIFeGvoPTM2z", + "T1ABF433E7C20ED45DB0A42A03FDB3C65E8A241CA41D0C412F96353282DDDBD2CA697C" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "f086951b963255abf639d261ddc17d69", + "sha256": "3c2a0cd048eccf7a3d61455db095d5900880fec9a06a3c8698a6f4ac0e30f9ea", + "ssdeep": 
"12288:Q4n4CkVBDDYcoY7UDn8QUoMlZ6+syJsTXy8VAz6VerIFyZGvMPPQ457kWjfa2mQr:Q4nrkvPLK8Qtaw+sy0AdrIFeGvoPTM2z", + "tlsh": "T1ABF433E7C20ED45DB0A42A03FDB3C65E8A241CA41D0C412F96353282DDDBD2CA697C" + }, + "pe": { + }, + "size": 767547, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:30.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "auKnqhqoLKmnMsohKHQMvqvLSK4=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "c44b945dba0433b8c1ed8467ed109128", + "56e1313ad26fdf3f105959c76eb9b6ec1653285a2d2f900b6e8ca82d100ae666", + "12288:luVn4CkVBDDYcoY7UDn8QUoMlZ6+syJsTXy8VAz6VerIFyZGvMPPQv:luVnrkvPLK8Qtaw+sy0AdrIFeGvoPU", + "T1D9A423FBC40EA157F4D02E8A65EBCA9C053C2DAC0C594D249235308ACED953DBD96E" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "c44b945dba0433b8c1ed8467ed109128", + "sha256": "56e1313ad26fdf3f105959c76eb9b6ec1653285a2d2f900b6e8ca82d100ae666", + "ssdeep": 
"12288:luVn4CkVBDDYcoY7UDn8QUoMlZ6+syJsTXy8VAz6VerIFyZGvMPPQv:luVnrkvPLK8Qtaw+sy0AdrIFeGvoPU", + "tlsh": "T1D9A423FBC40EA157F4D02E8A65EBCA9C053C2DAC0C594D249235308ACED953DBD96E" + }, + "pe": { + }, + "size": 475136, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:29.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "Llc8xZPNZbUM6j5sAHAFCeyu+po=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/e1d9c3d1ec47342b333cb3d82f28167585377e1c7ff4f5743ae085ba4e4f5cf7/detection/f-e1d9c3d", + "percent": 32.69, + "result": "17 / 52" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "89c639a74da0b66661bcda4c632fc4b5", + "e1d9c3d1ec47342b333cb3d82f28167585377e1c7ff4f5743ae085ba4e4f5cf7", + "24576:TkiaxnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIbe:YiaxnrkRDDzCFeGvMTM2/gY9vxv7o7q", + "T18C5533F7C00FA50675D46947689F8B6E96112EAC8B9C412ECA343357E9C782C92DBC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": 
"89c639a74da0b66661bcda4c632fc4b5", + "sha256": "e1d9c3d1ec47342b333cb3d82f28167585377e1c7ff4f5743ae085ba4e4f5cf7", + "ssdeep": "24576:TkiaxnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIbe:YiaxnrkRDDzCFeGvMTM2/gY9vxv7o7q", + "tlsh": "T18C5533F7C00FA50675D46947689F8B6E96112EAC8B9C412ECA343357E9C782C92DBC" + }, + "pe": { + }, + "size": 1361347, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:23.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "VbMLdKEoQI/Xli/LgjmvMOlGYZY=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "e8f9dc1ebc9c3836e630ea890f49062c", + "99b0048497cf99ac223f56fdc57e9c9da368474bfd3249333d20245617584a36", + "12288:ZrNSkSCzn4CawkkDYcjt2PwnnbziBHZy+syptTHysl8Zz6xW3rIBGrS35jhQgZUb:lNnSCznrawnPjt2PibziFI+syIZoSrI8", + "T1EAD423FBAD4FE145F4B63D56ACAC8B8C61147AF5070E8A20D82DB448454F66C29E7C" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "e8f9dc1ebc9c3836e630ea890f49062c", + "sha256": 
"99b0048497cf99ac223f56fdc57e9c9da368474bfd3249333d20245617584a36", + "ssdeep": "12288:ZrNSkSCzn4CawkkDYcjt2PwnnbziBHZy+syptTHysl8Zz6xW3rIBGrS35jhQgZUb:lNnSCznrawnPjt2PibziFI+syIZoSrI8", + "tlsh": "T1EAD423FBAD4FE145F4B63D56ACAC8B8C61147AF5070E8A20D82DB448454F66C29E7C" + }, + "pe": { + }, + "size": 607710, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:21.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "/6DDSx9lUsUoJUF8QSZiQ/oMvmQ=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.681Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.681Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "96dd2f36a091a5ebb2fbc8a4521165ee", + "1e60c0e0b23ba3767698116522460ee55cc44c3f4dc9d295bf572bedd5ac0f65", + "1536:IN9xqKCppztoghURX5Ll1bYL1T+6XpcT9YpDFa+9:IN9xqfftLhoJbYE6XOT9R+9", + "T11D23D1FB616D7CF1772BEED66E013B1A97BEC1C6052D1118AA5D8B9E2444C284FD0B" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "96dd2f36a091a5ebb2fbc8a4521165ee", + "sha256": "1e60c0e0b23ba3767698116522460ee55cc44c3f4dc9d295bf572bedd5ac0f65", + "ssdeep": 
"1536:IN9xqKCppztoghURX5Ll1bYL1T+6XpcT9YpDFa+9:IN9xqfftLhoJbYE6XOT9R+9", + "tlsh": "T11D23D1FB616D7CF1772BEED66E013B1A97BEC1C6052D1118AA5D8B9E2444C284FD0B" + }, + "pe": { + }, + "size": 49326, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:20.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "d+KIrgaxYVhvb/sqhlb5AYOHQDo=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "b339f90894265cb97515daa470af07cf", + "d0bd2eb817f80077a36b975511e8229822e8c34977a6fcdf890c996e7ef824e7", + "96:CeAh/kdPbox9Xvn9jx77DWtozT1oImYAwjrTXTd4JBR4pxG+WP:CnMbox9/nXWtLImYAUTR4jRckP", + "T197916CFC910373F4642EF274EA4BEA722BE6E4F415EC1A43496A5250E23F2D1B2037" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "b339f90894265cb97515daa470af07cf", + "sha256": "d0bd2eb817f80077a36b975511e8229822e8c34977a6fcdf890c996e7ef824e7", + "ssdeep": "96:CeAh/kdPbox9Xvn9jx77DWtozT1oImYAwjrTXTd4JBR4pxG+WP:CnMbox9/nXWtLImYAUTR4jRckP", + "tlsh": 
"T197916CFC910373F4642EF274EA4BEA722BE6E4F415EC1A43496A5250E23F2D1B2037" + }, + "pe": { + }, + "size": 4240, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:20.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "bAPvrGKWj/ess46s3KwFqAJ8+tc=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "a977be9538079d04662cb855472280f0", + "b169429bc31d82019f106c1a4888bf0cb09cdd67223ab8ee11ad1cb22e5b33d8", + "48:JY1vl8uN9y+xhS/frD/yPkrceiEJ77ejwqu3GHmcjBMInNeAVOp4P1Y:JA8CyxvJiE17gwqcGGGmInNeAVOA1Y", + "T1E0514CE79E74FD4AD8E01B49383529032FD325EE050A405D7D77312856722B5D051B" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "a977be9538079d04662cb855472280f0", + "sha256": "b169429bc31d82019f106c1a4888bf0cb09cdd67223ab8ee11ad1cb22e5b33d8", + "ssdeep": "48:JY1vl8uN9y+xhS/frD/yPkrceiEJ77ejwqu3GHmcjBMInNeAVOp4P1Y:JA8CyxvJiE17gwqcGGGmInNeAVOA1Y", + "tlsh": "T1E0514CE79E74FD4AD8E01B49383529032FD325EE050A405D7D77312856722B5D051B" + }, + "pe": { + }, + 
"size": 2762, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:18.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "uM8A5Yr/gMJ4tPHb9XIABYC/mRk=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "ff8378ca6de4242367a38c559481b269", + "825c15ab9faf964fb5a904953dd2d37abbce9e140dbd4cc22e0cd37a3ea76ae4", + "24:d8sxTEAby02+ygbBSND09H6j/NljGCBm5fLrkHsu4MHlerNhBzGCt3Th9Nwn:dvT80FKDqHI/2P5fLrgJler1zGCt9Nw", + "T18F31D894CBF5B99B65302DBC0FA5AD508C641E5C3ABCC8348F6A905A69994D3814CD" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "ff8378ca6de4242367a38c559481b269", + "sha256": "825c15ab9faf964fb5a904953dd2d37abbce9e140dbd4cc22e0cd37a3ea76ae4", + "ssdeep": "24:d8sxTEAby02+ygbBSND09H6j/NljGCBm5fLrkHsu4MHlerNhBzGCt3Th9Nwn:dvT80FKDqHI/2P5fLrgJler1zGCt9Nw", + "tlsh": "T18F31D894CBF5B99B65302DBC0FA5AD508C641E5C3ABCC8348F6A905A69994D3814CD" + }, + "pe": { + }, + "size": 1665, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:16.000Z", 
+ "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "YPTTIf8ctfvqnTo2W9OpoJD6n9Q=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "5dcb49bc49109e90f5c6b8e5597b80ca", + "51bbdb79175fe1a9bb2ba6055f80bdd35d8486781881fef5cfe8d28b86c5870d", + "48:dyin3B3LH5XfXaImL3esbl9HglyiqRuBrTgq:d53B9XfX8L1vgnqRW0q", + "T15431D836CB901B7FD26B160350A2A96527AF8C5B5B9F4C292816FC0AC354C634FA66" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "5dcb49bc49109e90f5c6b8e5597b80ca", + "sha256": "51bbdb79175fe1a9bb2ba6055f80bdd35d8486781881fef5cfe8d28b86c5870d", + "ssdeep": "48:dyin3B3LH5XfXaImL3esbl9HglyiqRuBrTgq:d53B9XfX8L1vgnqRW0q", + "tlsh": "T15431D836CB901B7FD26B160350A2A96527AF8C5B5B9F4C292816FC0AC354C634FA66" + }, + "pe": { + }, + "size": 1664, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:29:09.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": 
"UJBUWYV6AtCidXCm1NBsWtAYWZI=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "72ec96611a0b5f493854a5dcdd1aa528", + "c5df0748e8b023886b12647c050a826a7b43374cdc9112124e55ed46a4f926d2", + "24:991g7c6kzftBeaOY3+1Zc0Iq3aGG9wpe8kZyLq39C7U:99evkbNv3iYXd5ILOCg", + "T1CA114437127EC8A9D93004342166AE26D1009941146099CBAB575D368C877C32F42B" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "72ec96611a0b5f493854a5dcdd1aa528", + "sha256": "c5df0748e8b023886b12647c050a826a7b43374cdc9112124e55ed46a4f926d2", + "ssdeep": "24:991g7c6kzftBeaOY3+1Zc0Iq3aGG9wpe8kZyLq39C7U:99evkbNv3iYXd5ILOCg", + "tlsh": "T1CA114437127EC8A9D93004342166AE26D1009941146099CBAB575D368C877C32F42B" + }, + "pe": { + }, + "size": 909, + "type": "zip" + }, + "first_seen": "2022-06-02T13:29:07.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "e1yn2nAO9PlprMEaPBhcjgg9lwE=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": 
"2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "9707127fb08e7956151dda4f502cf707", + "71f5f598623fefd1d6bad450da4cb736b3b2cfb9a62c8d867da8516641df73b3", + "12288:gwnSE7CkFiurKQXYFZlIo1aMrIw8ZoOajbxYE/:gqSORnXmHsbl6V3L/", + "T1ECB4233A9AECEAE05B6F8DD075B9B641B05E32E145F9533CC869C0AF87170E602857" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "9707127fb08e7956151dda4f502cf707", + "sha256": "71f5f598623fefd1d6bad450da4cb736b3b2cfb9a62c8d867da8516641df73b3", + "ssdeep": "12288:gwnSE7CkFiurKQXYFZlIo1aMrIw8ZoOajbxYE/:gqSORnXmHsbl6V3L/", + "tlsh": "T1ECB4233A9AECEAE05B6F8DD075B9B641B05E32E145F9533CC869C0AF87170E602857" + }, + "pe": { + }, + "size": 507323, + "type": "zip" + }, + "first_seen": "2022-06-02T13:28:27.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "e74l+UPbo6o0DotQc8Roo3OVcJQ=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + "virustotal": { + "link": 
"https://www.virustotal.com/gui/file/38262d6bbeb72bfe5a3baf36250ee80a6824c4d6e1079e4cfdc6869c065693df/detection/f-38262d6", + "percent": 27.42, + "result": "17 / 62" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "f1650fc9608337179d7424c87f1ee737", + "38262d6bbeb72bfe5a3baf36250ee80a6824c4d6e1079e4cfdc6869c065693df", + "24576:1EnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7P:1EnrkRDDzCFeGvMTM2/gY9vxv7o7P", + "T11F5533F3C00FA54679E42E57649F8B2996112DFC8A9C412ECA743397E4D782C869BC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "f1650fc9608337179d7424c87f1ee737", + "sha256": "38262d6bbeb72bfe5a3baf36250ee80a6824c4d6e1079e4cfdc6869c065693df", + "ssdeep": "24576:1EnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7P:1EnrkRDDzCFeGvMTM2/gY9vxv7o7P", + "tlsh": "T11F5533F3C00FA54679E42E57649F8B2996112DFC8A9C412ECA743397E4D782C869BC" + }, + "pe": { + }, + "size": 1361344, + "type": "zip" + }, + "first_seen": "2022-06-02T13:27:51.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "XIDmYG67Bs5j3njl7xYKAyH1emM=", + "index": 
".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.682Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/cfb001ca42b62b1ade9220f44bd6479aff6eeaaa108aa98a4b0169ea1dec8e86/detection/f-cfb001c", + "percent": 38.1, + "result": "24 / 63" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.682Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "970e0ba1981035359600b63b43b10bc0", + "cfb001ca42b62b1ade9220f44bd6479aff6eeaaa108aa98a4b0169ea1dec8e86", + "24576:MRnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7P:cnrkRDDzCFeGvMTM2/gY9vxv7o7P", + "T1025533F3C00FA90679D07A57A09F872E96112DB88B9C512ECA703357E5D7C2C9697C" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "970e0ba1981035359600b63b43b10bc0", + "sha256": "cfb001ca42b62b1ade9220f44bd6479aff6eeaaa108aa98a4b0169ea1dec8e86", + "ssdeep": "24576:MRnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7P:cnrkRDDzCFeGvMTM2/gY9vxv7o7P", + "tlsh": "T1025533F3C00FA90679D07A57A09F872E96112DB88B9C512ECA703357E5D7C2C9697C" + }, + "pe": { + }, + "size": 1361347, + "type": "zip" + }, + "first_seen": "2022-06-02T13:27:50.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": 
"doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "TxxcH4E0aWG8D8rloVjU3cK+sy0=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.685Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/f1121e7b8419f84a7c8ad91acd9d4d804d78bb10a899cee1ab4f0b349097eb94/detection/f-f1121e7", + "percent": 43.55, + "result": "27 / 62" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.685Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "d04039c9b1f2d6f13a17962c6131e573", + "f1121e7b8419f84a7c8ad91acd9d4d804d78bb10a899cee1ab4f0b349097eb94", + "24576:ikiaxnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIbS:HiaxnrkRDDzCFeGvMTM2/gY9vxv7o7m", + "T17D5533F7C00FA50679D46947689F8B6E96112EAC8B9C412ECA343357E5C782C92DBC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "d04039c9b1f2d6f13a17962c6131e573", + "sha256": "f1121e7b8419f84a7c8ad91acd9d4d804d78bb10a899cee1ab4f0b349097eb94", + "ssdeep": "24576:ikiaxnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIbS:HiaxnrkRDDzCFeGvMTM2/gY9vxv7o7m", + "tlsh": "T17D5533F7C00FA50679D46947689F8B6E96112EAC8B9C412ECA343357E5C782C92DBC" + }, + "pe": { + }, + 
"size": 1361347, + "type": "zip" + }, + "first_seen": "2022-06-02T13:27:46.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "0j+BQ8HFrDQYe5kbXMc9ANSCjBY=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.685Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/a2b6f823f7ce67a0b5ac0a0561139693e526f6c5b4a2ba05d20fd9e467e9dacc/detection/f-a2b6f82", + "percent": 41.67, + "result": "25 / 60" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.685Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "2209a62733aa8fd802e60508ecce900a", + "a2b6f823f7ce67a0b5ac0a0561139693e526f6c5b4a2ba05d20fd9e467e9dacc", + "24576:hUQ2zgDnrawnPjt2PibziFI+syIZoSrI0r+xGgWdVnG45U3D9WHqyraYvb9mRhpt:CQm8nrawTGDIZoB0r+xkdciU5WHqgUjt", + "T19D5533FB4C4B9556B9F4AA43A88D8B3C9000E5EC574CA670D908C9FEE44B7B850DB8" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "2209a62733aa8fd802e60508ecce900a", + "sha256": "a2b6f823f7ce67a0b5ac0a0561139693e526f6c5b4a2ba05d20fd9e467e9dacc", + "ssdeep": 
"24576:hUQ2zgDnrawnPjt2PibziFI+syIZoSrI0r+xGgWdVnG45U3D9WHqyraYvb9mRhpt:CQm8nrawTGDIZoB0r+xkdciU5WHqgUjt", + "tlsh": "T19D5533FB4C4B9556B9F4AA43A88D8B3C9000E5EC574CA670D908C9FEE44B7B850DB8" + }, + "pe": { + }, + "size": 1361339, + "type": "zip" + }, + "first_seen": "2022-06-02T13:27:40.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "0iMNuOxitDAkMEozdSjgX9jeA+g=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.686Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/7cbf47ef916aa02a1b39cad40dfe71ea121d8d5b36d5a13fdec5977a8dcb4550/detection/f-7cbf47e", + "percent": 41.67, + "result": "25 / 60" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.686Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "03021a5d7811ffb12b28c3372af1e674", + "7cbf47ef916aa02a1b39cad40dfe71ea121d8d5b36d5a13fdec5977a8dcb4550", + "24576:LkiaxnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIbz:AiaxnrkRDDzCFeGvMTM2/gY9vxv7o7v", + "T1365533F7C00FA50679D46943689F876A96212DBC8B9C412ECA743397E5C782C929BC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + 
"md5": "03021a5d7811ffb12b28c3372af1e674", + "sha256": "7cbf47ef916aa02a1b39cad40dfe71ea121d8d5b36d5a13fdec5977a8dcb4550", + "ssdeep": "24576:LkiaxnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIbz:AiaxnrkRDDzCFeGvMTM2/gY9vxv7o7v", + "tlsh": "T1365533F7C00FA50679D46943689F876A96212DBC8B9C412ECA743397E5C782C929BC" + }, + "pe": { + }, + "size": 1361341, + "type": "zip" + }, + "first_seen": "2022-06-02T13:27:38.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "/3dtJlkuhnqok29y8dY0+Q4ifHQ=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.686Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/d4ba36cfa7e4191199836b228f6d79bd74e86793bc183563b78591f508b066ed/detection/f-d4ba36c", + "percent": 41.94, + "result": "26 / 62" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.686Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "27e0088dde23b9e6fe6b7711b653da96", + "d4ba36cfa7e4191199836b228f6d79bd74e86793bc183563b78591f508b066ed", + "24576:2RjAnrKbP2UmQn0+synQfr4cdGv9P8a2oMkM0DqLpj5I9qe32L8rayvevBhIb7i:OAnrKaODnQEcdGvh8a2/gY9vxv7o7i", + 
"T1565533F3C00AE9067AE43A16A85E871D92106DA88BDC516ECB643757F6D3C1CA2D7C" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "27e0088dde23b9e6fe6b7711b653da96", + "sha256": "d4ba36cfa7e4191199836b228f6d79bd74e86793bc183563b78591f508b066ed", + "ssdeep": "24576:2RjAnrKbP2UmQn0+synQfr4cdGv9P8a2oMkM0DqLpj5I9qe32L8rayvevBhIb7i:OAnrKaODnQEcdGvh8a2/gY9vxv7o7i", + "tlsh": "T1565533F3C00AE9067AE43A16A85E871D92106DA88BDC516ECB643757F6D3C1CA2D7C" + }, + "pe": { + }, + "size": 1361337, + "type": "zip" + }, + "first_seen": "2022-06-02T13:27:38.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "j5JnUNNYnbyiFGlCGClPpRa72kc=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.686Z", + "abusech": { + "malware": { + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.686Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "70d1a2f0eb51b776885f945ebb26529e", + "1132eef3ff0d63e0895cfb727a78093396731bf381d6e6b5ece32769895cfc50", + "48:SA1Y/0a0Pcuj4Y/FXTMz9izueAvG5601Sn:SuY/KcujLXTMBeEG5Y", + "T181311AB0C227CD659FC6D2923B9AB450C45466911C38B1BE3AA1F20FC06002C56103" + ] + }, + "tags": [ + "forwarded", + 
"abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "70d1a2f0eb51b776885f945ebb26529e", + "sha256": "1132eef3ff0d63e0895cfb727a78093396731bf381d6e6b5ece32769895cfc50", + "ssdeep": "48:SA1Y/0a0Pcuj4Y/FXTMz9izueAvG5601Sn:SuY/KcujLXTMBeEG5Y", + "tlsh": "T181311AB0C227CD659FC6D2923B9AB450C45466911C38B1BE3AA1F20FC06002C56103" + }, + "pe": { + }, + "size": 1665, + "type": "unknown" + }, + "first_seen": "2022-06-02T13:27:32.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "id": "kDF3gd3Mn0AOywia9xgchqGAuUE=", + "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:29:47.686Z", + "abusech": { + "malware": { + "virustotal": { + "link": "https://www.virustotal.com/gui/file/882d547a8820864c217970a2cfa90e8ae0430139dee3dd51024570df01e3c233/detection/f-882d547", + "percent": 24.19, + "result": "15 / 62" + } + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:29:47.686Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-06-02T13:29:48Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "e43b16a442e7746df64df904688c821d", + "882d547a8820864c217970a2cfa90e8ae0430139dee3dd51024570df01e3c233", + "24576:5u+nrawnPjt2PibziFI+syIZoSrI0r+xGgWdVnG45U3D9WHqyraYvb9mRhpgtz:5BnrawTGDIZoB0r+xkdciU5WHqgUjc", + 
"T1075533FB4C4B9555F8F89E53AC9D8A2CD100A5EC574CE674DA08C4AEE80B37860DBC" + ] + }, + "tags": [ + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "e43b16a442e7746df64df904688c821d", + "sha256": "882d547a8820864c217970a2cfa90e8ae0430139dee3dd51024570df01e3c233", + "ssdeep": "24576:5u+nrawnPjt2PibziFI+syIZoSrI0r+xGgWdVnG45U3D9WHqyraYvb9mRhpgtz:5BnrawTGDIZoB0r+xkdciU5WHqgUjc", + "tlsh": "T1075533FB4C4B9555F8F89E53AC9D8A2CD100A5EC574CE674DA08C4AEE80B37860DBC" + }, + "pe": { + }, + "size": 1361342, + "type": "zip" + }, + "first_seen": "2022-06-02T13:27:26.000Z", + "type": "file" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.url-default", + "id": "PQGb8YxgAc57YSFEaYrO9A/YF5U=", + "index": ".ds-logs-ti_abusech.url-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:39:46.305Z", + "abusech": { + "url": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "id": "2221794", + "larted": true, + "tags": [ + "elf" + ], + "threat": "malware_download", + "url_status": "online" + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.url", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:39:46.305Z", + "dataset": "ti_abusech.url", + "ingested": "2022-06-02T13:39:46Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "forwarded", + "abusech-url" + ], + "threat": { + "indicator": { + "first_seen": "2022-06-02T13:22:04.000Z", + "ip": 
"149.57.201.137", + "provider": "tolisec", + "reference": "https://urlhaus.abuse.ch/url/2221794/", + "type": "url", + "url": { + "domain": "149.57.201.137", + "extension": "arm5", + "full": "http://149.57.201.137/razor/r4z0r.arm5", + "original": "http://149.57.201.137/razor/r4z0r.arm5", + "path": "/razor/r4z0r.arm5", + "scheme": "http" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.url-default", + "id": "OSUKXqaqw3yp3MWwWGyb3qBB6jU=", + "index": ".ds-logs-ti_abusech.url-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:39:46.305Z", + "abusech": { + "url": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "id": "2221795", + "larted": true, + "tags": [ + "elf" + ], + "threat": "malware_download", + "url_status": "online" + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.url", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:39:46.305Z", + "dataset": "ti_abusech.url", + "ingested": "2022-06-02T13:39:46Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "forwarded", + "abusech-url" + ], + "threat": { + "indicator": { + "first_seen": "2022-06-02T13:22:04.000Z", + "ip": "149.57.201.137", + "provider": "tolisec", + "reference": "https://urlhaus.abuse.ch/url/2221795/", + "type": "url", + "url": { + "domain": "149.57.201.137", + "extension": "ppc", + "full": "http://149.57.201.137/razor/r4z0r.ppc", + "original": "http://149.57.201.137/razor/r4z0r.ppc", + "path": 
"/razor/r4z0r.ppc", + "scheme": "http" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.url-default", + "id": "dX+wc559fHomjmPvAps1NIN+XaE=", + "index": ".ds-logs-ti_abusech.url-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:39:46.305Z", + "abusech": { + "url": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "id": "2221796", + "larted": true, + "tags": [ + "elf" + ], + "threat": "malware_download", + "url_status": "online" + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.url", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:39:46.305Z", + "dataset": "ti_abusech.url", + "ingested": "2022-06-02T13:39:46Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "forwarded", + "abusech-url" + ], + "threat": { + "indicator": { + "first_seen": "2022-06-02T13:22:04.000Z", + "ip": "149.57.201.137", + "provider": "tolisec", + "reference": "https://urlhaus.abuse.ch/url/2221796/", + "type": "url", + "url": { + "domain": "149.57.201.137", + "extension": "x86", + "full": "http://149.57.201.137/razor/r4z0r.x86", + "original": "http://149.57.201.137/razor/r4z0r.x86", + "path": "/razor/r4z0r.x86", + "scheme": "http" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.url-default", + "id": "NwEdch4+R+FULfHDyBY42ZvKrnE=", + "index": ".ds-logs-ti_abusech.url-default-2022.06.02-000001", + "source": { + "@timestamp": 
"2022-06-02T13:39:46.305Z", + "abusech": { + "url": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "id": "2221797", + "larted": true, + "tags": [ + "elf" + ], + "threat": "malware_download", + "url_status": "online" + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.url", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:39:46.305Z", + "dataset": "ti_abusech.url", + "ingested": "2022-06-02T13:39:46Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "forwarded", + "abusech-url" + ], + "threat": { + "indicator": { + "first_seen": "2022-06-02T13:22:04.000Z", + "ip": "149.57.201.137", + "provider": "tolisec", + "reference": "https://urlhaus.abuse.ch/url/2221797/", + "type": "url", + "url": { + "domain": "149.57.201.137", + "extension": "mpsl", + "full": "http://149.57.201.137/razor/r4z0r.mpsl", + "original": "http://149.57.201.137/razor/r4z0r.mpsl", + "path": "/razor/r4z0r.mpsl", + "scheme": "http" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.url-default", + "id": "AauapLcuuEqfVg1eR7VkDAExl54=", + "index": ".ds-logs-ti_abusech.url-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:39:46.306Z", + "abusech": { + "url": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "id": "2221798", + "larted": true, + "tags": [ + "elf" + ], + "threat": "malware_download", + "url_status": "online" + } + }, + "agent": { + "ephemeral_id": 
"5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.url", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:39:46.306Z", + "dataset": "ti_abusech.url", + "ingested": "2022-06-02T13:39:46Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "forwarded", + "abusech-url" + ], + "threat": { + "indicator": { + "first_seen": "2022-06-02T13:22:04.000Z", + "ip": "149.57.201.137", + "provider": "tolisec", + "reference": "https://urlhaus.abuse.ch/url/2221798/", + "type": "url", + "url": { + "domain": "149.57.201.137", + "extension": "mips", + "full": "http://149.57.201.137/razor/r4z0r.mips", + "original": "http://149.57.201.137/razor/r4z0r.mips", + "path": "/razor/r4z0r.mips", + "scheme": "http" + } + } + } + } + } +} + +{ + "type": "doc", + "value": { + "data_stream": "logs-ti_abusech.url-default", + "id": "rcwqq/Te2Djx8sE4gX9HjeHDj1c=", + "index": ".ds-logs-ti_abusech.url-default-2022.06.02-000001", + "source": { + "@timestamp": "2022-06-02T13:39:46.306Z", + "abusech": { + "url": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "id": "2221799", + "larted": true, + "tags": [ + "elf" + ], + "threat": "malware_download", + "url_status": "online" + } + }, + "agent": { + "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51", + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "name": "luke-VirtualBox", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "ti_abusech.url", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, 
+ "elastic_agent": { + "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "category": "threat", + "created": "2022-06-02T13:39:46.306Z", + "dataset": "ti_abusech.url", + "ingested": "2022-06-02T13:39:46Z", + "kind": "enrichment", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "forwarded", + "abusech-url" + ], + "threat": { + "indicator": { + "first_seen": "2022-06-02T13:22:04.000Z", + "ip": "149.57.201.137", + "provider": "tolisec", + "reference": "https://urlhaus.abuse.ch/url/2221799/", + "type": "url", + "url": { + "domain": "149.57.201.137", + "extension": "arm", + "full": "http://149.57.201.137/razor/r4z0r.arm", + "original": "http://149.57.201.137/razor/r4z0r.arm", + "path": "/razor/r4z0r.arm", + "scheme": "http" + } + } + } + } + } +} diff --git a/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_multiple/mappings.json b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_multiple/mappings.json new file mode 100644 index 0000000000000..e0837a100a9a0 --- /dev/null +++ b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_multiple/mappings.json 
@@ -0,0 +1,1599 @@ +{ + "type": "data_stream", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "template": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "data_stream": { + "allow_custom_routing": false, + "hidden": false + }, + "index_patterns": [ + "logs-ti_abusech.malware-*" + ], + "name": "logs-ti_abusech.malware", + "priority": 200, + "template": { + "mappings": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "abusech": { + "properties": { + "malware": { + "properties": { + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "virustotal": { + "properties": { + "link": { + "ignore_above": 1024, + "type": "keyword" + }, + "percent": { + "type": "float" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + 
"id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "constant_keyword", + "value": "ti_abusech.malware" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "ti_abusech" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"family": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + } + } + }, + "message": { + "type": "match_only_text" + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "feed": { + "properties": { + "dashboard_id": { + "type": "constant_keyword", + "value": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6" + }, + "name": { + "type": "constant_keyword", + "value": "AbuseCH Malware" + } + } + }, + "indicator": { + "properties": { + "file": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + 
"settings": { + "index": { + "codec": "best_compression", + "default_pipeline": "logs-ti_abusech.malware-1.3.1", + "final_pipeline": ".fleet_final_pipeline-1", + "lifecycle": { + "name": "logs" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.kind", + "event.category", + "event.type", + "event.original", + "threat.indicator.type", + "threat.indicator.file.type", + "threat.indicator.file.hash.md5", + "threat.indicator.file.hash.sha256", + "threat.indicator.file.hash.ssdeep", + "threat.indicator.file.hash.tlsh", + "threat.indicator.file.pe.imphash", + "threat.indicator.provider", + "input.type", + "log.flags", + "log.file.path", + "ecs.version", + "message", + "error.message", + "tags", + "related.hash", + "abusech.malware.signature", + "abusech.malware.virustotal.result", + "abusech.malware.virustotal.link" + ] + } + } + } + } + } + } +} + +{ + "type": "data_stream", + "value": { + "data_stream": "logs-ti_abusech.malwarebazaar-default", + "template": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "data_stream": { + "allow_custom_routing": false, + "hidden": false + }, + "index_patterns": [ + "logs-ti_abusech.malwarebazaar-*" + ], + "name": "logs-ti_abusech.malwarebazaar", + "priority": 200, + "template": { + "mappings": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + 
"date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "abusech": { + "properties": { + "malwarebazaar": { + "properties": { + "anonymous": { + "type": "long" + }, + "code_sign": { + "ignore_above": 1024, + "type": "keyword" + }, + "intelligence": { + "properties": { + "downloads": { + "type": "long" + }, + "mail": { + "properties": { + "Generic": { + "ignore_above": 1024, + "type": "keyword" + }, + "IT": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "uploads": { + "type": "long" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + 
"type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "constant_keyword", + "value": "ti_abusech.malwarebazaar" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "ti_abusech" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + 
} + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + } + } + }, + "message": { + "type": "match_only_text" + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "feed": { + "properties": { + "dashboard_id": { + "type": "constant_keyword", + "value": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6" + }, + "name": { + "type": "constant_keyword", + "value": "AbuseCH MalwareBazaar" + } + } + }, + "indicator": { + "properties": { + "file": { + "properties": { + "elf": { + "properties": { + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "last_seen": { + "type": "date" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "settings": { + "index": { + "codec": "best_compression", + "default_pipeline": "logs-ti_abusech.malwarebazaar-1.3.1", + "final_pipeline": ".fleet_final_pipeline-1", + "lifecycle": { + "name": "logs" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.kind", + "event.category", + "event.type", + "event.original", + "threat.indicator.type", + "threat.indicator.file.type", + "threat.indicator.file.name", + "threat.indicator.file.extension", + "threat.indicator.file.hash.sha1", + "threat.indicator.file.hash.md5", + "threat.indicator.file.hash.sha256", + "threat.indicator.file.hash.ssdeep", + 
"threat.indicator.file.hash.sha384", + "threat.indicator.file.hash.tlsh", + "threat.indicator.file.mime_type", + "threat.indicator.file.pe.imphash", + "threat.indicator.file.elf.telfhash", + "threat.indicator.file.x509.subject.common_name", + "threat.indicator.file.x509.issuer.common_name", + "threat.indicator.file.x509.public_key_algorithm", + "threat.indicator.file.x509.serial_number", + "threat.indicator.provider", + "threat.indicator.geo.country_iso_code", + "threat.software.alias", + "input.type", + "log.flags", + "log.file.path", + "ecs.version", + "message", + "error.message", + "tags", + "related.hash", + "abusech.malwarebazaar.tags", + "abusech.malwarebazaar.intelligence.mail.Generic", + "abusech.malwarebazaar.intelligence.mail.IT", + "abusech.malwarebazaar.code_sign" + ] + } + } + } + } + } + } +} + +{ + "type": "data_stream", + "value": { + "data_stream": "logs-ti_abusech.url-default", + "template": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "data_stream": { + "allow_custom_routing": false, + "hidden": false + }, + "index_patterns": [ + "logs-ti_abusech.url-*" + ], + "name": "logs-ti_abusech.url", + "priority": 200, + "template": { + "mappings": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "abusech": { + "properties": { + "url": { + "properties": { + "blacklists": { + "properties": { + "spamhaus_dbl": { + "ignore_above": 1024, + "type": "keyword" + }, + "surbl": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "larted": { + "type": "boolean" + }, + "reporter": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "ignore_above": 1024, + "type": "keyword" + }, + "url_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlhaus_reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": 
"constant_keyword", + "value": "ti_abusech.url" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "ti_abusech" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "threat": { + "properties": { + "feed": { + "properties": { + "dashboard_id": { + "type": "constant_keyword", + "value": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6" + }, + "name": { + "type": "constant_keyword", + "value": "AbuseCH URL" + } + } + }, + "indicator": { + "properties": { + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "wildcard" + }, + "path": { + "ignore_above": 1024, + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + }, + "settings": { + "index": { + "codec": "best_compression", + "default_pipeline": "logs-ti_abusech.url-1.3.1", + "final_pipeline": ".fleet_final_pipeline-1", + "lifecycle": { + "name": "logs" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + 
"host.os.build",
+ "host.os.codename",
+ "host.type",
+ "event.kind",
+ "event.category",
+ "event.type",
+ "event.original",
+ "threat.indicator.type",
+ "threat.indicator.reference",
+ "threat.indicator.url.domain",
+ "threat.indicator.url.full",
+ "threat.indicator.url.extension",
+ "threat.indicator.url.original",
+ "threat.indicator.url.path",
+ "threat.indicator.url.scheme",
+ "threat.indicator.url.query",
+ "threat.indicator.provider",
+ "input.type",
+ "log.flags",
+ "log.file.path",
+ "ecs.version",
+ "message",
+ "error.message",
+ "tags",
+ "abusech.url.id",
+ "abusech.url.urlhaus_reference",
+ "abusech.url.url_status",
+ "abusech.url.threat",
+ "abusech.url.reporter",
+ "abusech.url.tags",
+ "abusech.url.blacklists.spamhaus_dbl",
+ "abusech.url.blacklists.surbl"
+ ]
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_no_mappings/data.json b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_no_mappings/data.json
new file mode 100644
index 0000000000000..dcd20e315a321
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_no_mappings/data.json
@@ -0,0 +1,171 @@
+{
+ "type": "doc",
+ "value": {
+ "data_stream": "logs-ti_abusech.malware-default",
+ "id": "RP0HlUQkToBRTlZeGAItbyWMx1E=",
+ "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001",
+ "source": {
+ "@timestamp": "2022-06-02T13:29:47.677Z",
+ "abusech": {
+ "malware": {
+ }
+ },
+ "agent": {
+ "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51",
+ "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b",
+ "name": "luke-VirtualBox",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "ti_abusech.malware",
+ "namespace": "default",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "agent_id_status": "auth_metadata_missing",
+ "category": "threat",
+ "created": "2022-06-02T13:29:47.677Z",
+ "dataset": "ti_abusech.malware",
+ "ingested": "2022-06-02T13:29:48Z",
+ "kind": "enrichment",
+ "type": "indicator"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "hash": [
+ "a7f997be65f62fdbe5ec076f0fe207f7",
+ "d86e656455f985357df3063dff6637f7f3b95bb27d1769a6b88c7adecaf7763f",
+ "6144:Eiu4rKJqctSMeWml5SBm5bT6rhnMqvTRrbx50Elf03jhBtGuYEs0gw4N1c5b8Onl:vuI6QWm+6bTShnMIRUEKThB1sn5hOnl",
+ "T15194232F21ACD2E5F4379415A97680C8DE041E08695B5F2AD73B237AC5EF2F682C57"
+ ]
+ },
+ "tags": [
+ "forwarded",
+ "abusech-malware"
+ ],
+ "threat": {
+ "indicator": {
+ "file": {
+ "hash": {
+ "sha256": "sha256",
+ "md5": "md5",
+ "sha1": "sha1",
+ "sha224": "sha224",
+ "sha3-224": "sha3-224",
+ "sha3-256": "sha3-256",
+ "sha384": "sha384",
+ "sha3-384": "sha3-384",
+ "sha512": "sha512",
+ "sha3-512": "sha3-512",
+ "sha512/224": "sha512/224",
+ "sha512/256": "sha512/256",
+ "ssdeep": "ssdeep",
+ "tlsh": "tlsh",
+ "impfuzzy": "impfuzzy",
+ "imphash": "imphash",
+ "pehash": "pehash",
+ "vhash": "vhash"
+ },
+ "pe": {
+ },
+ "size": 441803,
+ "type": "zip"
+ },
+ "first_seen": "2022-06-02T13:29:44.000Z",
+ "type": "file"
+ }
+ }
+ }
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "data_stream": "logs-ti_abusech.malware-default",
+ "id": "C4ObxkoTZzcjmk1jFwGlRadzMnA=",
+ "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001",
+ "source": {
+ "@timestamp": "2022-06-02T13:29:47.678Z",
+ "abusech": {
+ "malware": {
+ "virustotal": {
+ "link": "https://www.virustotal.com/gui/file/d3e2cf87eabf84ef929aaf8dad1431b3387f5a26de8ffb7a0c3c2a13f973c0ab/detection/f-d3e2cf8",
+ "percent": 41.94,
+ "result": "26 / 62"
+ }
+ }
+ },
+ "agent": {
+ "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51",
+ "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b",
+ "name": "luke-VirtualBox",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "ti_abusech.malware",
+ "namespace": "default",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "agent_id_status": "auth_metadata_missing",
+ "category": "threat",
+ "created": "2022-06-02T13:29:47.678Z",
+ "dataset": "ti_abusech.malware",
+ "ingested": "2022-06-02T13:29:48Z",
+ "kind": "enrichment",
+ "type": "indicator"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "hash": [
+ "cce28cbfb3cb7ecdae0f5969476f3f09",
+ "d3e2cf87eabf84ef929aaf8dad1431b3387f5a26de8ffb7a0c3c2a13f973c0ab",
+ "24576:WEnrkvPLK8Qtaw+sy0AdrIFeGvoPTM2oMkM0DqLpj5I9qe32L8rayvevBhIb7q:WEnrkRDDzCFeGvMTM2/gY9vxv7o7q",
+ "T1F95533F3C00FA54679E42E57649F8B2996112DFC8A9C412ECA743397E4D782C869BC"
+ ]
+ },
+ "tags": [
+ "forwarded",
+ "abusech-malware"
+ ],
+ "threat": {
+ "indicator": {
+ "file": {
+ "hash": {
+ "vhash": "vhash"
+ },
+ "pe": {
+ },
+ "size": 1361342,
+ "type": "zip"
+ },
+ "first_seen": "2022-06-02T13:29:40.000Z",
+ "type": "file"
+ }
+ }
+ }
+ }
+}
diff --git a/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_single/data.json b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_single/data.json
new file mode 100644
index 0000000000000..22bc6031595e8
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_single/data.json
@@ -0,0 +1,77 @@
+{
+ "type": "doc",
+ "value": {
+ "data_stream": "logs-ti_abusech.malware-default",
+ "id": "RP0HlUQkToBRTlZeGAItbyWMx1E=",
+ "index": ".ds-logs-ti_abusech.malware-default-2022.06.02-000001",
+ "source": {
+ "@timestamp": "2022-06-02T13:29:47.677Z",
+ "abusech": {
+ "malware": {
+ }
+ },
+ "agent": {
+ "ephemeral_id": "5c9f7693-8486-4634-a024-994faa6dee51",
+ "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b",
+ "name": "luke-VirtualBox",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "ti_abusech.malware",
+ "namespace": "default",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "8eee41bf-442d-48c3-9cc7-41b072d29a9b",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "agent_id_status": "auth_metadata_missing",
+ "category": "threat",
+ "created": "2022-06-02T13:29:47.677Z",
+ "dataset": "ti_abusech.malware",
+ "ingested": "2022-06-02T13:29:48Z",
+ "kind": "enrichment",
+ "type": "indicator"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "hash": [
+ "a7f997be65f62fdbe5ec076f0fe207f7",
+ "d86e656455f985357df3063dff6637f7f3b95bb27d1769a6b88c7adecaf7763f",
+ "6144:Eiu4rKJqctSMeWml5SBm5bT6rhnMqvTRrbx50Elf03jhBtGuYEs0gw4N1c5b8Onl:vuI6QWm+6bTShnMIRUEKThB1sn5hOnl",
+ "T15194232F21ACD2E5F4379415A97680C8DE041E08695B5F2AD73B237AC5EF2F682C57"
+ ]
+ },
+ "tags": [
+ "forwarded",
+ "abusech-malware"
+ ],
+ "threat": {
+ "indicator": {
+ "file": {
+ "hash": {
+ "md5": "a7f997be65f62fdbe5ec076f0fe207f7",
+ "sha256": "d86e656455f985357df3063dff6637f7f3b95bb27d1769a6b88c7adecaf7763f",
+ "ssdeep": "6144:Eiu4rKJqctSMeWml5SBm5bT6rhnMqvTRrbx50Elf03jhBtGuYEs0gw4N1c5b8Onl:vuI6QWm+6bTShnMIRUEKThB1sn5hOnl",
+ "tlsh": "T15194232F21ACD2E5F4379415A97680C8DE041E08695B5F2AD73B237AC5EF2F682C57"
+ },
+ "pe": {
+ },
+ "size": 441803,
+ "type": "zip"
+ },
+ "first_seen": "2022-06-02T13:29:44.000Z",
+ "type": "file"
+ }
+ }
+ }
+ }
+}
diff --git a/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_single/mappings.json b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_single/mappings.json
new file mode 100644
index 0000000000000..e0837a100a9a0
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/es_archives/ti_indicators_data_single/mappings.json
@@ -0,0 +1,1599 @@ +{ + "type": "data_stream", + "value": { + "data_stream": "logs-ti_abusech.malware-default", + "template": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "data_stream": { + "allow_custom_routing": false, + "hidden": false + }, + "index_patterns": [ + "logs-ti_abusech.malware-*" + ], + "name": "logs-ti_abusech.malware", + "priority": 200, + "template": { + "mappings": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "abusech": { + "properties": { + "malware": { + "properties": { + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "virustotal": { + "properties": { + "link": { + "ignore_above": 1024, + "type": "keyword" + }, + "percent": { + "type": "float" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + 
"id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "constant_keyword", + "value": "ti_abusech.malware" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "ti_abusech" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"family": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + } + } + }, + "message": { + "type": "match_only_text" + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "feed": { + "properties": { + "dashboard_id": { + "type": "constant_keyword", + "value": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6" + }, + "name": { + "type": "constant_keyword", + "value": "AbuseCH Malware" + } + } + }, + "indicator": { + "properties": { + "file": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + 
"settings": { + "index": { + "codec": "best_compression", + "default_pipeline": "logs-ti_abusech.malware-1.3.1", + "final_pipeline": ".fleet_final_pipeline-1", + "lifecycle": { + "name": "logs" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.kind", + "event.category", + "event.type", + "event.original", + "threat.indicator.type", + "threat.indicator.file.type", + "threat.indicator.file.hash.md5", + "threat.indicator.file.hash.sha256", + "threat.indicator.file.hash.ssdeep", + "threat.indicator.file.hash.tlsh", + "threat.indicator.file.pe.imphash", + "threat.indicator.provider", + "input.type", + "log.flags", + "log.file.path", + "ecs.version", + "message", + "error.message", + "tags", + "related.hash", + "abusech.malware.signature", + "abusech.malware.virustotal.result", + "abusech.malware.virustotal.link" + ] + } + } + } + } + } + } +} + +{ + "type": "data_stream", + "value": { + "data_stream": "logs-ti_abusech.malwarebazaar-default", + "template": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "data_stream": { + "allow_custom_routing": false, + "hidden": false + }, + "index_patterns": [ + "logs-ti_abusech.malwarebazaar-*" + ], + "name": "logs-ti_abusech.malwarebazaar", + "priority": 200, + "template": { + "mappings": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + 
"date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "abusech": { + "properties": { + "malwarebazaar": { + "properties": { + "anonymous": { + "type": "long" + }, + "code_sign": { + "ignore_above": 1024, + "type": "keyword" + }, + "intelligence": { + "properties": { + "downloads": { + "type": "long" + }, + "mail": { + "properties": { + "Generic": { + "ignore_above": 1024, + "type": "keyword" + }, + "IT": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "uploads": { + "type": "long" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + 
"type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "constant_keyword", + "value": "ti_abusech.malwarebazaar" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "ti_abusech" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + 
} + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + } + } + }, + "message": { + "type": "match_only_text" + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "feed": { + "properties": { + "dashboard_id": { + "type": "constant_keyword", + "value": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6" + }, + "name": { + "type": "constant_keyword", + "value": "AbuseCH MalwareBazaar" + } + } + }, + "indicator": { + "properties": { + "file": { + "properties": { + "elf": { + "properties": { + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "last_seen": { + "type": "date" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "settings": { + "index": { + "codec": "best_compression", + "default_pipeline": "logs-ti_abusech.malwarebazaar-1.3.1", + "final_pipeline": ".fleet_final_pipeline-1", + "lifecycle": { + "name": "logs" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.kind", + "event.category", + "event.type", + "event.original", + "threat.indicator.type", + "threat.indicator.file.type", + "threat.indicator.file.name", + "threat.indicator.file.extension", + "threat.indicator.file.hash.sha1", + "threat.indicator.file.hash.md5", + "threat.indicator.file.hash.sha256", + "threat.indicator.file.hash.ssdeep", + 
"threat.indicator.file.hash.sha384", + "threat.indicator.file.hash.tlsh", + "threat.indicator.file.mime_type", + "threat.indicator.file.pe.imphash", + "threat.indicator.file.elf.telfhash", + "threat.indicator.file.x509.subject.common_name", + "threat.indicator.file.x509.issuer.common_name", + "threat.indicator.file.x509.public_key_algorithm", + "threat.indicator.file.x509.serial_number", + "threat.indicator.provider", + "threat.indicator.geo.country_iso_code", + "threat.software.alias", + "input.type", + "log.flags", + "log.file.path", + "ecs.version", + "message", + "error.message", + "tags", + "related.hash", + "abusech.malwarebazaar.tags", + "abusech.malwarebazaar.intelligence.mail.Generic", + "abusech.malwarebazaar.intelligence.mail.IT", + "abusech.malwarebazaar.code_sign" + ] + } + } + } + } + } + } +} + +{ + "type": "data_stream", + "value": { + "data_stream": "logs-ti_abusech.url-default", + "template": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "data_stream": { + "allow_custom_routing": false, + "hidden": false + }, + "index_patterns": [ + "logs-ti_abusech.url-*" + ], + "name": "logs-ti_abusech.url", + "priority": 200, + "template": { + "mappings": { + "_meta": { + "managed": true, + "managed_by": "fleet", + "package": { + "name": "ti_abusech" + } + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "abusech": { + "properties": { + "url": { + "properties": { + "blacklists": { + "properties": { + "spamhaus_dbl": { + "ignore_above": 1024, + "type": "keyword" + }, + "surbl": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "larted": { + "type": "boolean" + }, + "reporter": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "ignore_above": 1024, + "type": "keyword" + }, + "url_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlhaus_reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": 
"constant_keyword", + "value": "ti_abusech.url" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "ti_abusech" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "threat": { + "properties": { + "feed": { + "properties": { + "dashboard_id": { + "type": "constant_keyword", + "value": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6" + }, + "name": { + "type": "constant_keyword", + "value": "AbuseCH URL" + } + } + }, + "indicator": { + "properties": { + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "wildcard" + }, + "path": { + "ignore_above": 1024, + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + }, + "settings": { + "index": { + "codec": "best_compression", + "default_pipeline": "logs-ti_abusech.url-1.3.1", + "final_pipeline": ".fleet_final_pipeline-1", + "lifecycle": { + "name": "logs" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + 
"host.os.build", + "host.os.codename", + "host.type", + "event.kind", + "event.category", + "event.type", + "event.original", + "threat.indicator.type", + "threat.indicator.reference", + "threat.indicator.url.domain", + "threat.indicator.url.full", + "threat.indicator.url.extension", + "threat.indicator.url.original", + "threat.indicator.url.path", + "threat.indicator.url.scheme", + "threat.indicator.url.query", + "threat.indicator.provider", + "input.type", + "log.flags", + "log.file.path", + "ecs.version", + "message", + "error.message", + "tags", + "abusech.url.id", + "abusech.url.urlhaus_reference", + "abusech.url.url_status", + "abusech.url.threat", + "abusech.url.reporter", + "abusech.url.tags", + "abusech.url.blacklists.spamhaus_dbl", + "abusech.url.blacklists.surbl" + ] + } + } + } + } + } + } +} diff --git a/x-pack/test/security_solution_cypress/pipelines/pipeline.ts b/x-pack/test/security_solution_cypress/pipelines/pipeline.ts new file mode 100644 index 0000000000000..61f383394c469 --- /dev/null +++ b/x-pack/test/security_solution_cypress/pipelines/pipeline.ts @@ -0,0 +1,12 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export interface Pipeline { + name: string; + processors: Array>; + on_failure?: Array>; +} diff --git a/x-pack/test/security_solution_cypress/pipelines/ti_abusech_malware.ts b/x-pack/test/security_solution_cypress/pipelines/ti_abusech_malware.ts new file mode 100644 index 0000000000000..93a8ddf713f71 --- /dev/null +++ b/x-pack/test/security_solution_cypress/pipelines/ti_abusech_malware.ts 
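Review bot: The exported `Pipeline` interface in pipeline.ts carries no TSDoc, and the element type of `processors` and `on_failure` does not survive this rendering (`Array>`), so a reader of the hunk cannot tell what the array elements are. A short doc comment would close the first gap, e.g. `/** Ingest pipeline body: `name` is the pipeline id, `processors` and `on_failure` hold raw ingest processor definitions keyed by processor type (`set`, `rename`, ...). */`. If the elided type argument is `Record<string, any>`, `Record<string, unknown>` is preferable here, since the definitions are only passed through and never inspected.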
@@ -0,0 +1,212 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Pipeline } from './pipeline';
+
+export const tiAbusechMalware: Pipeline = {
+ name: 'logs-ti_abusech.malware-1.3.1',
+ processors: [
+ {
+ set: {
+ field: 'ecs.version',
+ value: '8.2.0',
+ },
+ },
+ {
+ set: {
+ field: 'event.kind',
+ value: 'enrichment',
+ },
+ },
+ {
+ set: {
+ field: 'event.category',
+ value: 'threat',
+ },
+ },
+ {
+ set: {
+ field: 'event.type',
+ value: 'indicator',
+ },
+ },
+ {
+ rename: {
+ field: 'message',
+ target_field: 'event.original',
+ ignore_missing: true,
+ },
+ },
+ {
+ json: {
+ field: 'event.original',
+ target_field: 'abusech.malware',
+ },
+ },
+ {
+ fingerprint: {
+ fields: ['abusech.malware.md5_hash', 'abusech.malware.sha256_hash'],
+ target_field: '_id',
+ },
+ },
+ {
+ date: {
+ field: 'abusech.malware.firstseen',
+ target_field: 'threat.indicator.first_seen',
+ formats: ['yyyy-MM-dd HH:mm:ss z', 'yyyy-MM-dd HH:mm:ss Z', 'yyyy-MM-dd HH:mm:ss'],
+ if: 'ctx.abusech?.malware?.firstseen != null',
+ },
+ },
+ {
+ set: {
+ field: 'threat.indicator.type',
+ value: 'file',
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malware.file_size',
+ target_field: 'threat.indicator.file.size',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malware.file_type',
+ target_field: 'threat.indicator.file.type',
+ ignore_missing: true,
+ },
+ },
+ {
+ remove: {
+ field: 'abusech.malware.urlhaus_download',
+ ignore_missing: true,
+ },
+ },
+ {
+ convert: {
+ field: 'threat.indicator.file.size',
+ type: 'long',
+ ignore_missing: true,
+ },
+ },
+ {
+ convert: {
+ field: 'abusech.malware.virustotal.percent',
+ type: 'float',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malware.md5_hash',
+ target_field: 'threat.indicator.file.hash.md5',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malware.sha256_hash',
+ target_field: 'threat.indicator.file.hash.sha256',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malware.imphash',
+ target_field: 'threat.indicator.file.pe.imphash',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malware.ssdeep',
+ target_field: 'threat.indicator.file.hash.ssdeep',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malware.tlsh',
+ target_field: 'threat.indicator.file.hash.tlsh',
+ ignore_missing: true,
+ },
+ },
+ {
+ append: {
+ field: 'related.hash',
+ value: '{{{threat.indicator.file.hash.md5}}}',
+ if: 'ctx?.threat?.indicator?.file?.hash?.md5 != null',
+ },
+ },
+ {
+ append: {
+ field: 'related.hash',
+ value: '{{{threat.indicator.file.hash.sha256}}}',
+ if: 'ctx?.threat?.indicator?.file?.hash?.sha256 != null',
+ },
+ },
+ {
+ append: {
+ field: 'related.hash',
+ value: '{{{threat.indicator.file.hash.ssdeep}}}',
+ if: 'ctx?.threat?.indicator?.file?.hash?.ssdeep != null',
+ },
+ },
+ {
+ append: {
+ field: 'related.hash',
+ value: '{{{threat.indicator.file.pe.imphash}}}',
+ if: 'ctx?.threat?.indicator?.file?.pe?.imphash != null',
+ },
+ },
+ {
+ append: {
+ field: 'related.hash',
+ value: '{{{threat.indicator.file.hash.tlsh}}}',
+ if: 'ctx?.threat?.indicator?.file?.hash?.tlsh != null',
+ },
+ },
+ {
+ set: {
+ field: 'threat.indicator.type',
+ value: 'unknown',
+ if: 'ctx?.threat?.indicator?.type == null',
+ },
+ },
+ {
+ script: {
+ lang: 'painless',
+ if: 'ctx?.abusech != null',
+ source:
+ 'void handleMap(Map map) {\n for (def x : map.values()) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\nmap.values().removeIf(v -> v == null);\n}\nvoid handleList(List list) {\n for (def x : list) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n}\nhandleMap(ctx);\n',
+ },
+ },
+ {
+ remove: {
+ field: 'event.original',
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))",
+ ignore_failure: true,
+ ignore_missing: true,
+ },
+ },
+ {
+ remove: {
+ field: ['abusech.malware.firstseen', 'message'],
+ ignore_missing: true,
+ },
+ },
+ ],
+ on_failure: [
+ {
+ set: {
+ field: 'error.message',
+ value: '{{ _ingest.on_failure_message }}',
+ },
+ },
+ ],
+};
diff --git a/x-pack/test/security_solution_cypress/pipelines/ti_abusech_malware_bazaar.ts b/x-pack/test/security_solution_cypress/pipelines/ti_abusech_malware_bazaar.ts
new file mode 100644
index 0000000000000..b3cc69e8c9730
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/pipelines/ti_abusech_malware_bazaar.ts
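Review bot: The pipeline `name` 'logs-ti_abusech.malware-1.3.1' is also the `settings.index.default_pipeline` value in the ti_indicators_data_* es_archives mappings.json added earlier in this patch, and nothing on the `name` line records that coupling; a comment such as `// Must match settings.index.default_pipeline in es_archives/ti_indicators_data_*/mappings.json` would keep a version bump on one side from silently breaking ingestion on the other, and the same applies to ti_abusech_malware_bazaar.ts (and presumably ti_abusech_url.ts, which is not in view). The `set` of `threat.indicator.type` to 'unknown' guarded by `ctx?.threat?.indicator?.type == null` can never fire, because an earlier unconditional `set` already assigns 'file'; if this file is a verbatim copy of the integration's pipeline, a file-level comment saying so would stop someone "fixing" it later. The long painless `source` string also deserves a one-line comment, e.g. `// Recursively removes null-valued map entries from the document before indexing.`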
@@ -0,0 +1,356 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Pipeline } from './pipeline';
+
+export const tiAbusechMalwareBazaar: Pipeline = {
+ name: 'logs-ti_abusech.malwarebazaar-1.3.1',
+ processors: [
+ {
+ set: {
+ field: 'ecs.version',
+ value: '8.2.0',
+ },
+ },
+ {
+ set: {
+ field: 'event.kind',
+ value: 'enrichment',
+ },
+ },
+ {
+ set: {
+ field: 'event.category',
+ value: 'threat',
+ },
+ },
+ {
+ set: {
+ field: 'event.type',
+ value: 'indicator',
+ },
+ },
+ {
+ rename: {
+ field: 'message',
+ target_field: 'event.original',
+ ignore_missing: true,
+ },
+ },
+ {
+ json: {
+ field: 'event.original',
+ target_field: 'abusech.malwarebazaar',
+ },
+ },
+ {
+ fingerprint: {
+ fields: ['abusech.malwarebazaar.md5_hash', 'abusech.malwarebazaar.sha256_hash'],
+ target_field: '_id',
+ },
+ },
+ {
+ date: {
+ field: 'abusech.malwarebazaar.first_seen',
+ target_field: 'threat.indicator.first_seen',
+ formats: ['yyyy-MM-dd HH:mm:ss z', 'yyyy-MM-dd HH:mm:ss Z', 'yyyy-MM-dd HH:mm:ss'],
+ if: 'ctx.abusech?.malwarebazaar?.first_seen != null',
+ },
+ },
+ {
+ date: {
+ field: 'abusech.malwarebazaar.last_seen',
+ target_field: 'threat.indicator.last_seen',
+ formats: ['yyyy-MM-dd HH:mm:ss z', 'yyyy-MM-dd HH:mm:ss Z', 'yyyy-MM-dd HH:mm:ss'],
+ if: 'ctx.abusech?.malwarebazaar?.last_seen != null',
+ },
+ },
+ {
+ set: {
+ field: 'threat.indicator.type',
+ value: 'file',
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.file_name',
+ target_field: 'threat.indicator.file.name',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.file_type_mime',
+ target_field: 'threat.indicator.file.mime_type',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.reporter',
+ target_field: 
'threat.indicator.provider',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.origin_country',
+ target_field: 'threat.indicator.geo.country_iso_code',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.signature',
+ target_field: 'threat.software.alias',
+ ignore_missing: true,
+ },
+ },
+ {
+ foreach: {
+ field: 'abusech.malwarebazaar.code_sign',
+ ignore_missing: true,
+ processor: {
+ rename: {
+ field: '_ingest._value.subject_cn',
+ target_field: 'threat.indicator.file.x509.subject.common_name',
+ },
+ },
+ },
+ },
+ {
+ foreach: {
+ field: 'abusech.malwarebazaar.code_sign',
+ ignore_missing: true,
+ processor: {
+ rename: {
+ field: '_ingest._value.issuer_cn',
+ target_field: 'threat.indicator.file.x509.issuer.common_name',
+ },
+ },
+ },
+ },
+ {
+ foreach: {
+ field: 'abusech.malwarebazaar.code_sign',
+ ignore_missing: true,
+ processor: {
+ rename: {
+ field: '_ingest._value.algorithm',
+ target_field: 'threat.indicator.file.x509.public_key_algorithm',
+ },
+ },
+ },
+ },
+ {
+ foreach: {
+ field: 'abusech.malwarebazaar.code_sign',
+ ignore_missing: true,
+ processor: {
+ rename: {
+ field: '_ingest._value.valid_from',
+ target_field: 'threat.indicator.file.x509.not_before',
+ },
+ },
+ },
+ },
+ {
+ foreach: {
+ field: 'abusech.malwarebazaar.code_sign',
+ ignore_missing: true,
+ processor: {
+ rename: {
+ field: '_ingest._value.valid_to',
+ target_field: 'threat.indicator.file.x509.not_after',
+ },
+ },
+ },
+ },
+ {
+ foreach: {
+ field: 'abusech.malwarebazaar.code_sign',
+ ignore_missing: true,
+ processor: {
+ rename: {
+ field: '_ingest._value.serial_number',
+ target_field: 'threat.indicator.file.x509.serial_number',
+ },
+ },
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.file_size',
+ target_field: 'threat.indicator.file.size',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.file_type',
+ target_field: 'threat.indicator.file.extension',
+ 
ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.md5_hash',
+ target_field: 'threat.indicator.file.hash.md5',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.sha256_hash',
+ target_field: 'threat.indicator.file.hash.sha256',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.sha1_hash',
+ target_field: 'threat.indicator.file.hash.sha1',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.sha3_384_hash',
+ target_field: 'threat.indicator.file.hash.sha384',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.imphash',
+ target_field: 'threat.indicator.file.pe.imphash',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.ssdeep',
+ target_field: 'threat.indicator.file.hash.ssdeep',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.tlsh',
+ target_field: 'threat.indicator.file.hash.tlsh',
+ ignore_missing: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.malwarebazaar.telfhash',
+ target_field: 'threat.indicator.file.elf.telfhash',
+ ignore_missing: true,
+ },
+ },
+ {
+ append: {
+ field: 'related.hash',
+ value: '{{ threat.indicator.file.hash.md5 }}',
+ if: 'ctx?.threat?.indicator?.file?.hash?.md5 != null',
+ },
+ },
+ {
+ append: {
+ field: 'related.hash',
+ value: '{{ threat.indicator.file.hash.sha256 }}',
+ if: 'ctx?.threat?.indicator?.file?.hash?.sha256 != null',
+ },
+ },
+ {
+ append: {
+ field: 'related.hash',
+ value: '{{ threat.indicator.file.hash.ssdeep }}',
+ if: 'ctx?.threat?.indicator?.file?.hash?.ssdeep != null',
+ },
+ },
+ {
+ append: {
+ field: 'related.hash',
+ value: '{{ threat.indicator.file.pe.imphash }}',
+ if: 'ctx?.threat?.indicator?.file?.pe?.imphash != null',
+ },
+ },
+ {
+ append: {
+ field: 'related.hash',
+ value: '{{ threat.indicator.file.elf.telfhash }}',
+ if: 'ctx?.threat?.indicator?.file?.elf?.telfhash != null',
+ },
+ },
+ {
+ append: {
+ field: 'related.hash',
+ value: '{{ threat.indicator.file.hash.tlsh }}',
+ if: 'ctx?.threat?.indicator?.file?.hash?.tlsh != null',
+ },
+ },
+ {
+ convert: {
+ field: 'threat.indicator.file.size',
+ type: 'long',
+ ignore_missing: true,
+ },
+ },
+ {
+ convert: {
+ field: 'abusech.malwarebazaar.intelligence.downloads',
+ type: 'long',
+ ignore_missing: true,
+ },
+ },
+ {
+ convert: {
+ field: 'abusech.malwarebazaar.intelligence.uploads',
+ type: 'long',
+ ignore_missing: true,
+ },
+ },
+ {
+ set: {
+ field: 'threat.indicator.type',
+ value: 'unknown',
+ if: 'ctx?.threat?.indicator?.type == null',
+ },
+ },
+ {
+ script: {
+ lang: 'painless',
+ if: 'ctx?.abusech != null',
+ source:
+ 'void handleMap(Map map) {\n for (def x : map.values()) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\nmap.values().removeIf(v -> v == null);\n}\nvoid handleList(List list) {\n for (def x : list) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n}\nhandleMap(ctx);\n',
+ },
+ },
+ {
+ remove: {
+ field: 'event.original',
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))",
+ ignore_failure: true,
+ ignore_missing: true,
+ },
+ },
+ {
+ remove: {
+ field: ['abusech.malwarebazaar.first_seen', 'abusech.malwarebazaar.last_seen', 'message'],
+ ignore_missing: true,
+ },
+ },
+ ],
+ on_failure: [
+ {
+ set: {
+ field: 'error.message',
+ value: '{{ _ingest.on_failure_message }}',
+ },
+ },
+ ],
+};
diff --git a/x-pack/test/security_solution_cypress/pipelines/ti_abusech_url.ts b/x-pack/test/security_solution_cypress/pipelines/ti_abusech_url.ts
new file mode 100644
index 0000000000000..e05db6b8a4771
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/pipelines/ti_abusech_url.ts
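Review bot: The six `foreach` processors over `abusech.malwarebazaar.code_sign` each wrap a `rename` that has no `ignore_missing`, so an element lacking e.g. `subject_cn`, or a second element once the first has already written `threat.indicator.file.x509.subject.common_name`, makes the rename throw and sends the document to `on_failure` before the hash renames and `related.hash` appends run; if the fixture data can carry more than one signer, add `ignore_missing: true` and `ignore_failure: true` to the inner `rename` or collect the values into an array field. The `set` of `threat.indicator.type` to `'unknown'` guarded by `ctx?.threat?.indicator?.type == null` can never fire here because the type was set to `'file'` unconditionally a few processors earlier; the same dead processor appears in ti_abusech_url.ts and at the end of ti_abusech_malware.ts. The mustache values in the `append` processors use `{{ … }}` while ti_abusech_malware.ts uses the unescaped `{{{ … }}}` form; pick one form across the three pipeline files so the fixtures index identically. The exported constant has no doc comment saying where it comes from; I would add `/** Copy of the ti_abusech.malwarebazaar integration ingest pipeline (1.3.1), installed by runner.ts for the Cypress suite; keep in sync with the package manually. */` above `export const tiAbusechMalwareBazaar`.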
@@ -0,0 +1,151 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Pipeline } from './pipeline';
+
+export const tiAbusechUrl: Pipeline = {
+ name: 'logs-ti_abusech.url-1.3.1',
+ processors: [
+ {
+ set: {
+ field: 'ecs.version',
+ value: '8.0.0',
+ },
+ },
+ {
+ set: {
+ field: 'event.kind',
+ value: 'enrichment',
+ },
+ },
+ {
+ set: {
+ field: 'event.category',
+ value: 'threat',
+ },
+ },
+ {
+ set: {
+ field: 'event.type',
+ value: 'indicator',
+ },
+ },
+ {
+ rename: {
+ field: 'message',
+ target_field: 'event.original',
+ ignore_missing: true,
+ },
+ },
+ {
+ json: {
+ field: 'event.original',
+ target_field: 'abusech.url',
+ },
+ },
+ {
+ fingerprint: {
+ fields: ['abusech.url.id'],
+ target_field: '_id',
+ },
+ },
+ {
+ set: {
+ field: 'threat.indicator.type',
+ value: 'url',
+ },
+ },
+ {
+ date: {
+ field: 'abusech.url.date_added',
+ target_field: 'threat.indicator.first_seen',
+ formats: ['yyyy-MM-dd HH:mm:ss z', 'yyyy-MM-dd HH:mm:ss Z'],
+ if: 'ctx.abusech?.url?.date_added != null',
+ },
+ },
+ {
+ uri_parts: {
+ field: 'abusech.url.url',
+ target_field: 'threat.indicator.url',
+ keep_original: true,
+ remove_if_successful: true,
+ },
+ },
+ {
+ set: {
+ field: 'threat.indicator.url.full',
+ value: '{{{threat.indicator.url.original}}}',
+ ignore_empty_value: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.url.urlhaus_reference',
+ target_field: 'threat.indicator.reference',
+ ignore_missing: true,
+ },
+ },
+ {
+ grok: {
+ field: 'abusech.url.host',
+ patterns: ['(?:%{IP:threat.indicator.ip}|%{GREEDYDATA:threat.indicator.url.domain})'],
+ ignore_failure: true,
+ },
+ },
+ {
+ rename: {
+ field: 'abusech.url.reporter',
+ target_field: 'threat.indicator.provider',
+ ignore_missing: true,
+ },
+ },
+ {
+ set: {
+ field: 
'threat.indicator.type',
+ value: 'unknown',
+ if: 'ctx?.threat?.indicator?.type == null',
+ },
+ },
+ {
+ convert: {
+ field: 'abusech.url.larted',
+ type: 'boolean',
+ ignore_missing: true,
+ },
+ },
+ {
+ script: {
+ lang: 'painless',
+ if: 'ctx?.abusech != null',
+ source:
+ 'void handleMap(Map map) {\n for (def x : map.values()) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\nmap.values().removeIf(v -> v == null);\n}\nvoid handleList(List list) {\n for (def x : list) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n}\nhandleMap(ctx);\n',
+ },
+ },
+ {
+ remove: {
+ field: 'event.original',
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))",
+ ignore_failure: true,
+ ignore_missing: true,
+ },
+ },
+ {
+ remove: {
+ field: ['abusech.url.date_added', 'abusech.url.url', 'abusech.url.host', 'message'],
+ ignore_missing: true,
+ },
+ },
+ ],
+ on_failure: [
+ {
+ set: {
+ field: 'error.message',
+ value: '{{ _ingest.on_failure_message }}',
+ },
+ },
+ ],
+};
diff --git a/x-pack/test/security_solution_cypress/runner.ts b/x-pack/test/security_solution_cypress/runner.ts
index 049ef0de6b727..fb58d22a40cdc 100644
--- a/x-pack/test/security_solution_cypress/runner.ts
+++ b/x-pack/test/security_solution_cypress/runner.ts
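Review bot: The `date` processor for `abusech.url.date_added` accepts only `'yyyy-MM-dd HH:mm:ss z'` and `'yyyy-MM-dd HH:mm:ss Z'`, whereas the malwarebazaar pipeline in this same commit also lists the zone-less `'yyyy-MM-dd HH:mm:ss'`; if any fixture value has no zone suffix the processor throws, the document lands in `on_failure` with only `error.message` set, and `threat.indicator.url` / `threat.indicator.ip` are never populated. Adding the third format, `formats: ['yyyy-MM-dd HH:mm:ss z', 'yyyy-MM-dd HH:mm:ss Z', 'yyyy-MM-dd HH:mm:ss'],`, keeps the three pipelines consistent (assuming zone-less values are meant to be read as UTC, which is the processor's default). The `json` processor on `event.original` has no `ignore_missing`, so a fixture document without a `message` field also fails the whole pipeline rather than being indexed as-is; worth a comment if that is intended. A TSDoc on `tiAbusechUrl` naming the source package version (`1.3.1`) and that runner.ts installs it via `PUT _ingest/pipeline/<name>` would help the next maintainer know this is a manually maintained copy.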
@@ -7,14 +7,38 @@ import Url from 'url'; +import { TransportResult } from '@elastic/elasticsearch'; import { FtrProviderContext } from '../common/ftr_provider_context'; +import { tiAbusechMalware } from './pipelines/ti_abusech_malware'; +import { tiAbusechMalwareBazaar } from './pipelines/ti_abusech_malware_bazaar'; +import { tiAbusechUrl } from './pipelines/ti_abusech_url'; export type { FtrProviderContext } from '../common/ftr_provider_context'; export async function SecuritySolutionConfigurableCypressTestRunner({ getService, }: FtrProviderContext) { + const log = getService('log'); const config = getService('config'); + const es = getService('es'); + + const pipelines = [tiAbusechMalware, tiAbusechMalwareBazaar, tiAbusechUrl]; + + log.info('configure pipelines'); + + for (const pipeline of pipelines) { + const res: TransportResult = await es.transport.request({ + method: 'PUT', + path: `_ingest/pipeline/${pipeline.name}`, + body: { + processors: pipeline.processors, + on_failure: pipeline.on_failure, + }, + }); + + log.info(`PUT pipeline ${pipeline.name}: ${res.statusCode}`); + } + return { FORCE_COLOR: '1', BASE_URL: Url.format(config.get('servers.kibana')),