README.md (+1 -1)
@@ -6,7 +6,7 @@ Load IOCs from MISP Threat sharing platform to memcached. Use Logstash to enrich
6
6
7
7
Examples are provided for Elasticsearch based SIEM with ECS mapping, but you can modify the examples to work with your setup.
8
8
9
-
Check out the [Getting started](https://github.com/j91321) if you want to see a simple use case on how to enrich data from Sysmon shipped by Winlogbeat.
9
+
Check out the [Getting started](./docs/getting_started.md) if you want to see a simple use case on how to enrich data from Sysmon shipped by Winlogbeat.
We will edit `config.yml` and add the API key under `misp.token` and change `misp.url` to point to out MISP instance.
61
61
We have also set `misp.ignore_cert_errors` to `true` because this is a development MISP instance and it doesn't have proper SSL
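Review bot: the new relative link `./docs/getting_started.md` is a clear fix over the old `https://github.com/j91321` URL, which pointed at the user profile rather than the guide, and it resolves correctly from a README at the repository root; keep in mind that relative links only work where the Markdown is rendered inside the repository (GitHub, a local clone), so if this README is also published elsewhere, for example as a package description, the link will dangle. While this region is being touched, the unchanged context line `change `misp.url` to point to out MISP instance` has a typo (`out` should be `our`) that could be folded into the same commit.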
@@ -86,7 +86,7 @@ As a test we will create two Events in MISP with some attributes, if you already
86
86
87
87
These events will contain attributes with type `domain`, `ip-dst`, `sha256`. We're using the domain and ip of our server as an IoC and sha256 hash of calc.exe
Now we can run `misp2memcached.py` and load the attributes into memcached. No logs will be printed for now, but you can verify the results by connecting to the memcached.
Now our pipeline will consist of three components input, filter and output.
120
120
121
-
First create [01-input.conf](https://github.com/j91321/MISP2memcached/docs/examples/01-input.conf) in `/etc/logstash/conf.d/` (or your path for pipelines). It's a simple beats input.
121
+
First create [01-input.conf](./examples/01-input.conf) in `/etc/logstash/conf.d/` (or your path for pipelines). It's a simple beats input.
122
122
123
123
```logstash
124
124
input {
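Review bot: `./examples/01-input.conf` only resolves if this document lives in `docs/`; the old absolute URL used the path `docs/examples/01-input.conf` (and was broken anyway, since a GitHub file URL needs a `/blob/<branch>/` segment), so the new link is consistent with that location, but it would 404 if this section belongs to the top-level README.md named in the page header. Please confirm which file this hunk edits, or mention the intended location in the commit message so later edits do not move the file and silently break all three example links.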
@@ -128,7 +128,7 @@ input {
128
128
}
129
129
```
130
130
131
-
Next we will create [03-output.conf](https://github.com/j91321/MISP2memcached/docs/examples/03-output.conf). I'm creating a minimalistic input and output configuration. When using in production
131
+
Next we will create [03-output.conf](./examples/03-output.conf). I'm creating a minimalistic input and output configuration. When using in production
132
132
make sure to have Security setup on your Elasticsearch. I also recommend securing Beats-Logstash communication with SSL according to the documentation.
133
133
134
134
```logstash
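Review bot: same relative-path caveat as the `01-input.conf` link: `./examples/03-output.conf` assumes this document sits in `docs/`. Separately, the unchanged context sentence `When using in production / make sure to have Security setup on your Elasticsearch` is split across two source lines mid-sentence, and `I also recommend securing Beats-Logstash communication with SSL according to the documentation` names no documentation; since the commit already rewrites the link on this line, adding a link to the Elastic TLS setup page for the Beats-to-Logstash connection would make the hardening advice actionable instead of aspirational.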
@@ -140,7 +140,7 @@ output {
140
140
}
141
141
```
142
142
143
-
At last we will create [02-filter.conf](https://github.com/j91321/MISP2memcached/docs/examples/02-filter.conf) this actually contains the filters used for enriching winlogbeat data.
143
+
At last we will create [02-filter.conf](./examples/02-filter.conf) this actually contains the filters used for enriching winlogbeat data.
144
144
```logstash
145
145
filter{
146
146
if [destination][ip] {
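Review bot: `02-filter.conf this actually contains the filters` reads as a run-on; since the line is rewritten anyway, `02-filter.conf, which contains the filters used for enriching Winlogbeat data` would be cleaner. The relative path carries the same `docs/` assumption as the other two example links in this commit.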
@@ -258,7 +258,7 @@ Now new fields `misp.event_id` and `misp.type` should be visible in Kibana. Don'
258
258
259
259
We can use KQL `misp.event_id: *` to find all documents where `misp.event_id` exists.
260
260
261
-

261
+

262
262
263
263
Now to make the analyst user experience a bit better, we will add a scripted field with URL pointing to our MISP event.
264
264
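Review bot: the `-`/`+` pair in this hunk replaces an empty line with an empty line, so the actual change is invisible in the rendered diff, most likely trailing whitespace or a CRLF/LF line-ending difference. Whitespace-only edits are best kept out of a link-fix commit or at least called out in the commit message; `git diff --ws-error-highlight=all` would show what changed here, and `git show -w` would confirm that nothing but whitespace differs.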
@@ -278,8 +278,8 @@ Fill out the form like this:
278
278
279
279
Modify the URL template to point to the MISP instance. The `{{value}}` will be replaced by values from `misp.event_id` field.
Save the scripted field, now we can go into discovery use KQL `misp.event_id: *` again and see that the documents now have misp.url field which is a clickable URL that opens new tab with the matching event in MISP. (You need to be logged in).