Elasticsearch
Elasticsearch_Analysis
Author: Nick Prokop
License: MIT
Version: 1.0
Supported observable types:
- url
- domain
- ip
- hash
- filename
- fqdn
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A
Description
Search for IoCs in Elasticsearch
Configuration
| Name | Description | Default value if not configured | Type | Can contain multiple values | Required |
| --- | --- | --- | --- | --- | --- |
| endpoints | Define the Elasticsearch endpoints | `['http://127.0.0.1:9200']` | string | True | True |
| keys | Set the Elasticsearch API key for each endpoint. Note: use an API key or basic auth, but not both. | N/A | string | True | False |
| users | Set the Elasticsearch user for each endpoint. Note: use an API key or basic auth, but not both. | N/A | string | True | False |
| passwords | Set the Elasticsearch password for each endpoint. Note: use an API key or basic auth, but not both. | N/A | string | True | False |
| kibana | Define the Kibana address | N/A | string | False | False |
| dashboard | Set the Kibana dashboard ID that will be linked in the report | N/A | string | False | False |
| index | Define the Elasticsearch indices to use | `['apm-*-transaction*', 'auditbeat-*', 'endgame-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*']` | string | True | True |
| field | Define the fields to query | `['destination.ip', 'dll.hash.md5', 'dll.hash.sha256', 'dns.question.name', 'dns.resolved_ip', 'file.hash.md5', 'file.hash.sha256', 'file.name', 'hash.md5', 'hash.sha256', 'process.args', 'process.hash.md5', 'process.hash.sha256', 'process.parent.hash.md5', 'process.parent.hash.sha256', 'source.ip', 'url.domain', 'url.full']` | string | True | True |
| size | Define the number of hits per index to return | 10 | string | False | True |
| verifyssl | Verify the server's SSL certificate | True | boolean | False | True |
| cert_path | Path to the CA certificate on the system used to verify the server certificate | N/A | string | False | False |
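To make the constraints in this table concrete, here is an added example that is not the analyzer's own code: it checks a configuration against the documented rules (credentials align one-to-one with endpoints; an API key or basic auth per endpoint, never both; `size` counts hits per index) and builds one search request per endpoint and index. The `multi_match` query body and the `requests`-style `verify` value are assumptions, not documented on this page; the `ApiKey` and `Basic` header schemes follow Elasticsearch's own documentation.

```python
import base64
from typing import Dict, List, Optional

# Defaults as documented on this page.
DEFAULT_INDEX = ["apm-*-transaction*", "auditbeat-*", "endgame-*",
                 "filebeat-*", "packetbeat-*", "winlogbeat-*"]
DEFAULT_FIELD = ["destination.ip", "dll.hash.md5", "dll.hash.sha256",
                 "dns.question.name", "dns.resolved_ip", "file.hash.md5",
                 "file.hash.sha256", "file.name", "hash.md5", "hash.sha256",
                 "process.args", "process.hash.md5", "process.hash.sha256",
                 "process.parent.hash.md5", "process.parent.hash.sha256",
                 "source.ip", "url.domain", "url.full"]


def auth_header(key: Optional[str], user: Optional[str],
                password: Optional[str]) -> Dict[str, str]:
    """Authorization header for one endpoint, enforcing the documented rule:
    an API key or basic auth for an endpoint, never both."""
    if key and (user or password):
        raise ValueError("configure an api key or a user/password, not both")
    if key:
        return {"Authorization": f"ApiKey {key}"}
    if user and password:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        return {"Authorization": f"Basic {token}"}
    return {}  # keys/users/passwords are optional: unauthenticated endpoint


def build_requests(observable: str, endpoints: List[str], keys=None, users=None,
                   passwords=None, index=None, field=None, size="10",
                   verifyssl=True, cert_path=None) -> List[Dict]:
    """One request per (endpoint, index) pair, because 'size' is the number of
    hits per index. The multi_match body is an assumed query shape."""
    n = len(endpoints)
    keys, users, passwords = (lst or [None] * n for lst in (keys, users, passwords))
    if not len(keys) == len(users) == len(passwords) == n:
        raise ValueError("keys, users and passwords must align with endpoints")
    body = {"size": int(size),  # 'size' is typed as a string on this page
            "query": {"multi_match": {"query": observable,
                                      "fields": field or DEFAULT_FIELD,
                                      # lenient: a hash queried against an
                                      # 'ip' field must not abort the search
                                      "lenient": True}}}
    # Assumed requests-style TLS setting: a CA path overrides the boolean.
    verify = cert_path if cert_path else bool(verifyssl)
    return [{"url": f"{ep.rstrip('/')}/{idx}/_search",
             "headers": auth_header(k, u, p), "json": body, "verify": verify}
            for ep, k, u, p in zip(endpoints, keys, users, passwords)
            for idx in (index or DEFAULT_INDEX)]
```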
Template samples for TheHive
No template samples to display.