-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathconfig.yml
155 lines (132 loc) · 4.54 KB
/
config.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
# Your MISP's URL
url: https://localhost
# The auth key to the MISP user that you wish to use. Make sure that the
# user has auth_key access
key:
# Should the certificate be validated?
verify_ssl: false
# The base directory for the outputs
output_dir: ./output
feeds:
# Here begins the list of feeds to produce
# The name of the feed
- name: published
# The number of entries to output
entries: 10
# The filters to be used for by the feed. You can use any filter that
# you can use on the event index, such as organization, tags, etc.
# It uses the same joining and condition rules as the API parameters
# This example generates all published events
filters:
published: true
# By default all attributes will be included in the feed generation
# Remove the levels that you do not wish to include in the feed
# Use this to further narrow down what gets exported, for example:
# Setting this to ['3', '5'] will exclude any attributes from the feed that
# are not exportable to all or inherit the event
#
# The levels are as follows:
# 0: Your Organization Only
# 1: This Community Only
# 2: Connected Communities
# 3: All
# 4: Sharing Group
# 5: Inherit Event
valid_attribute_distribution_levels:
- 0
- 1
- 2
- 3
- 4
- 5
# Apply any modifiers to the feed
modifiers:
# The specific modifier to apply, anonymize in this case
# Each modifier will have their own configuration options
- type: anonymize
# The UUID to set the event org to
uuid: 0d9264a8-67dd-41fc-a607-cabe96e0bcaf
# The Name of the anonymized org
name: Anon
outputs:
# Defines all the outputs you're like to send this feed to
# Type is the output format to use
# Each feed type will have their own configuration requirements
- type: misp
# The output directory relative to the global output_dir
output_dir: published
# You can even use the same feed multiple times
- type: misp
# The output directory relative to the global output_dir
output_dir: published2
# Output to the STIX 2.1 (Default) format
- type: stix2
# The output directory relitive to the global output_dir
output_dir: stix/2.1
# Output to the STIX 2.0 format
- type: stix2
# The output directory relitive to the global output_dir
format: 20
output_dir: stix/2.0
# Silly output to screen using default fields
- type: screen
# Silly output to screen with custom fields and headers
- type: screen
fields:
- Event.date
- Event.info
- Event.Orgc.name
headers:
- Date
- Info
- Org Name
# Output to CSV file
- type: csv
# The file to write to, from the base directory defined above
filename: output.csv
# Which Fields you want, pattern matching from https://pypi.org/project/dotted-notation/
fields:
- Event.date
- Event.Attribute[*].value
- Event.info
- Event.Tag[*].name
# Which defined fields do you want to unroll as individual rows
# Otherwise, will output as Comma Seperated Quoted Text
unroll:
- Event.Attribute[*].value
# The top level headers for Row 1
headers:
- Date
- IoC
- Info
- Tag
# Any hooks to run at the end of feed generation
hooks:
# The Hook type, in this case, a shell
- type: shell
# The command to run in shell, a real example of this could be rsync
command: ls
# Another example feed, that would generate a feed for all published events created by CIRCL,
# tagged tlp:white and/or feed-export but exclude anything tagged privint
- name: CIRCL
output_dir: /circl
entries: 200
filters:
tag: tlp:white|feed-export|!privint
org: CIRCL
published: true
valid_attribute_distribution_levels:
- 0
- 1
- 2
- 3
- 4
- 5
modifiers:
- type: anonymize
uuid: 0d9264a8-67dd-41fc-a607-cabe96e0bcaf
name: Anon
outputs:
- type: misp
output_dir: circl
- type: screen