# Elasticsearch

## Elasticsearch_Analysis
Author: Nick Prokop
License: MIT
Version: 1.0
Supported observable types:
- url
- domain
- ip
- hash
- filename
- fqdn
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A
### Description
Search for IoCs in Elasticsearch
### Configuration
| endpoints | Define the Elasticsearch endpoints |
|---|---|
| Default value if not configured | `['http://127.0.0.1:9200']` |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |

| keys | Set the Elasticsearch api keys for each endpoint. Note: Use api key or basic auth, but not both. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | False |

| users | Set the Elasticsearch users for each endpoint. Note: Use api key or basic auth, but not both. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | False |

| passwords | Set the Elasticsearch passwords for each endpoint. Note: Use api key or basic auth, but not both. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | False |

| kibana | Define the Kibana address |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |

| dashboard | Set the Kibana dashboard id that will be linked in the report |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| index | Define the Elasticsearch indices to use |
|---|---|
| Default value if not configured | `['apm-*-transaction*', 'auditbeat-*', 'endgame-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*']` |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |
| field | Define the fields to query |
|---|---|
| Default value if not configured | `['destination.ip', 'dll.hash.md5', 'dll.hash.sha256', 'dns.question.name', 'dns.resolved_ip', 'file.hash.md5', 'file.hash.sha256', 'file.name', 'hash.md5', 'hash.sha256', 'process.args', 'process.hash.md5', 'process.hash.sha256', 'process.parent.hash.md5', 'process.parent.hash.sha256', 'source.ip', 'url.domain', 'url.full']` |
| Type of the configuration item | string |
| The configuration item can contain multiple values | True |
| Is required | True |

| size | Define the number of hits per index to return |
|---|---|
| Default value if not configured | 10 |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |

| verifyssl | Verify SSL certificate |
|---|---|
| Default value if not configured | True |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | True |

| cert_path | Path to the CA on the system used to check the server certificate |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
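As an added illustration (not the analyzer's own code), the following Python applies the credential rule noted in the tables above (api key or basic auth per endpoint, never both) and builds the per-endpoint, per-index search the defaults imply. The `multi_match` query shape and the function names are assumptions, since the page does not show the analyzer's actual query.

```python
# Added example, not the analyzer's own code: it checks the auth rule stated in
# the tables above and builds one search per endpoint x index. The multi_match
# query shape and the helper names are assumptions.
DEFAULT_INDICES = ["apm-*-transaction*", "auditbeat-*", "endgame-*",
                   "filebeat-*", "packetbeat-*", "winlogbeat-*"]
DEFAULT_FIELDS = ["destination.ip", "dll.hash.md5", "dll.hash.sha256",
                  "dns.question.name", "dns.resolved_ip", "file.hash.md5",
                  "file.hash.sha256", "file.name", "hash.md5", "hash.sha256",
                  "process.args", "process.hash.md5", "process.hash.sha256",
                  "process.parent.hash.md5", "process.parent.hash.sha256",
                  "source.ip", "url.domain", "url.full"]

def resolve_auth(config):
    """(endpoint, mode, credential) per endpoint; mode is apikey/basic/none.
    Enforces the tables' note: api key or basic auth, never both."""
    endpoints = config.get("endpoints") or ["http://127.0.0.1:9200"]
    keys = config.get("keys") or []
    users = config.get("users") or []
    passwords = config.get("passwords") or []
    if keys and (users or passwords):
        raise ValueError("use api keys or basic auth, not both")
    if len(users) != len(passwords):
        raise ValueError("users and passwords must pair up")
    if any(lst and len(lst) != len(endpoints) for lst in (keys, users)):
        raise ValueError("expected one credential per endpoint")
    plan = []
    for i, ep in enumerate(endpoints):
        if keys:
            plan.append((ep, "apikey", keys[i]))
        elif users:
            plan.append((ep, "basic", (users[i], passwords[i])))
        else:
            plan.append((ep, "none", None))
    return plan

def build_search(observable, fields=DEFAULT_FIELDS, size=10):
    """Phrase-match the observable across every configured field; lenient
    stops a hash queried against an ip field from failing the request."""
    return {"size": int(size), "query": {"multi_match": {
        "query": observable, "fields": list(fields),
        "type": "phrase", "lenient": True}}}

def plan_requests(config, observable):
    """One (endpoint, index, mode, credential, body) per endpoint and index,
    matching the 'hits per index' meaning of the size setting."""
    body = build_search(observable, config.get("field") or DEFAULT_FIELDS,
                        config.get("size", 10))
    return [(ep, idx, mode, cred, body)
            for ep, mode, cred in resolve_auth(config)
            for idx in (config.get("index") or DEFAULT_INDICES)]
```

With an empty config the planner yields six searches against the single default endpoint, one per default index, each capped at 10 hits.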
### Template samples for TheHive
No template samples to display.