Elasticsearch
Elasticsearch_Analysis
Author: Nick Prokop
License: MIT
Version: 1.0
Supported observable types:
- url
- domain
- ip
- hash
- filename
- fqdn
- mail
- mail-subject
- user-agent
- hostname
- username
Registration required: False
Subscription required: False
Free subscription: True
Third party service: https://www.elastic.co
Description
Search for IoCs in Elasticsearch
Configuration
| endpoints | Define the Elasticsearch endpoints |
|---|---|
| Default value if not configured | ['http://127.0.0.1:9200'] |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |
| keys | Set the Elasticsearch api keys for each endpoint. Note: Use api key or basic auth, but not both. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | False |
| users | Set the Elasticsearch users for each endpoint. Note: Use api key or basic auth, but not both. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | False |
| passwords | Set the Elasticsearch passwords for each endpoint. Note: Use api key or basic auth, but not both. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | False |
| kibana | Define the kibana address |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| dashboard | Set the kibana dashboard id that will be linked in the report |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| index | Define the Elasticsearch indices to use |
|---|---|
| Default value if not configured | ['apm-*-transaction*', 'auditbeat-*', 'endgame-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'] |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |
| field | Define the fields to query |
|---|---|
| Default value if not configured | ['dll.pe.original_file_name', 'email.attachments.file.name', 'file.name', 'file.pe.original_file_name', 'process.pe.original_file_name', 'process.name', 'process.parent.name', 'process.session_leader.name', 'process.parent.pe.original_file_name', 'process.entry_leader.name', 'process.group_leader.name', 'client.ip', 'client.nat.ip', 'destination.ip', 'destination.nat.ip', 'dns.resolved_ip', 'network.forwarded_ip', 'orchestrator.resource.ip', 'related.ip', 'server.ip', 'server.nat.ip', 'source.ip', 'source.nat.ip', 'url.path', 'url.full', 'url.original', 'client.user.id', 'client.user.name', 'destination.user.id', 'destination.user.name', 'destination.user.email', 'source.user.id', 'source.user.name', 'source.user.email', 'url.username', 'user.changes.email', 'user.changes.id', 'user.effective.email', 'user.id', 'user.name', 'user.email', 'user.target.name', 'dll.pe.imphash', 'file.pe.imphash', 'process.parent.pe.imphash', 'process.pe.imphash', 'dll.hash.md5', 'email.attachments.file.hash.md5', 'file.hash.md5', 'process.hash.md5', 'process.parent.hash.md5', 'tls.client.hash.md5', 'tls.server.hash.md5', 'dll.pe.pehash', 'file.pe.pehash', 'process.parent.pe.pehash', 'process.pe.pehash', 'dll.hash.sha1', 'email.attachments.file.hash.sha1', 'file.hash.sha1', 'process.hash.sha1', 'process.parent.hash.sha1', 'tls.client.hash.sha1', 'tls.server.hash.sha1', 'dll.code_signature.thumbprint_sha256', 'dll.hash.sha256', 'email.attachments.file.hash.sha256', 'file.code_signature.thumbprint_sha256', 'file.hash.sha256', 'process.code_signature.thumbprint_sha256', 'process.hash.sha256', 'process.parent.code_signature.thumbprint_sha256', 'process.parent.hash.sha256', 'tls.client.hash.sha256', 'tls.server.hash.sha256', 'dll.hash.sha384', 'email.attachments.file.hash.sha384', 'file.hash.sha384', 'process.hash.sha384', 'process.parent.hash.sha384', 'dll.hash.sha512', 'email.attachments.file.hash.sha512', 'file.hash.sha512', 'process.hash.sha512', 'process.parent.hash.sha512', 'dll.hash.ssdeep', 'email.attachments.file.hash.ssdeep', 'file.hash.ssdeep', 'process.hash.ssdeep', 'process.parent.hash.ssdeep', 'dll.hash.tlsh', 'email.attachments.file.hash.tlsh', 'file.hash.tlsh', 'process.hash.tlsh', 'process.parent.hash.tlsh', 'user_agent.name', 'user_agent.original', 'email.subject', 'source.user.email', 'user.changes.email', 'user.effective.email', 'user.email', 'user.target.name', 'client.domain', 'destination.domain', 'dns.answers.name', 'dns.question.name', 'server.domain', 'source.domain', 'url.domain', 'url.registered_domain', 'client.registered_domain', 'destination.registered_domain', 'dns.question.registered_domain', 'server.registered_domain', 'source.registered_domain', 'url.registered_domain'] |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |
| size | Define the number of hits per index to return |
|---|---|
| Default value if not configured | 10 |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| verifyssl | Verify SSL certificate |
|---|---|
| Default value if not configured | True |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | True |
| cert_path | Path to the CA certificate on the system used to verify the server certificate |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
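As an added illustration of how the configuration items above fit together (this is example code, not the analyzer's own implementation), the helper below takes the documented settings (endpoints, keys or users/passwords, index, field, size), enforces the "api key or basic auth, but not both" rule with one credential per endpoint, and turns an observable into one Elasticsearch search request per endpoint. The observable is passed as query data rather than spliced into a query string, and lenient matching keeps a hash or filename from raising a format error on ip-typed fields. Endpoint names and keys are constructed placeholders.

```python
import base64
import json
from urllib.parse import quote

# Hypothetical helper mirroring the documented configuration items; it builds
# requests but does not send them, so it runs offline.

def build_auth_headers(endpoints, keys=None, users=None, passwords=None):
    """One header dict per endpoint: API key XOR basic auth, never both."""
    keys, users, passwords = keys or [], users or [], passwords or []
    if keys and (users or passwords):
        raise ValueError("use api keys or basic auth, not both")
    if bool(users) != bool(passwords):
        raise ValueError("users and passwords must be configured together")
    creds = keys or users
    if creds and len(creds) != len(endpoints):
        raise ValueError("one credential per endpoint is required")
    headers = []
    for i, _ in enumerate(endpoints):
        h = {"Content-Type": "application/json"}
        if keys:
            h["Authorization"] = "ApiKey " + keys[i]
        elif users:
            token = base64.b64encode(f"{users[i]}:{passwords[i]}".encode()).decode()
            h["Authorization"] = "Basic " + token
        headers.append(h)
    return headers

def build_query(observable, fields, size):
    """Search body; size arrives as a string per the config table, so cast it."""
    return {
        "size": int(size),
        "query": {"multi_match": {"query": observable, "fields": list(fields),
                                  "operator": "and", "lenient": True}},
    }

def build_search_requests(config, observable):
    """Return (url, headers, json body) for every configured endpoint."""
    headers = build_auth_headers(config["endpoints"], config.get("keys"),
                                 config.get("users"), config.get("passwords"))
    path = "/" + quote(",".join(config["index"]), safe="*,") + "/_search"
    body = json.dumps(build_query(observable, config["field"], config["size"]))
    return [(ep.rstrip("/") + path, h, body) for ep, h in zip(config["endpoints"], headers)]

# Constructed sample configuration; every value is a placeholder.
SAMPLE_CONFIG = {
    "endpoints": ["https://es1.example:9200", "https://es2.example:9200"],
    "keys": ["KEY_ONE_PLACEHOLDER", "KEY_TWO_PLACEHOLDER"],
    "index": ["filebeat-*", "winlogbeat-*"],
    "field": ["file.hash.sha256", "process.hash.sha256", "destination.ip"],
    "size": "10",
}
```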
Template samples for TheHive
No template samples to display.