
Elasticsearch

Elasticsearch_Analysis

Author: Nick Prokop
License: MIT
Version: 1.0
Supported observable types:
- url
- domain
- ip
- hash
- filename
- fqdn
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description

Search for IoCs in Elasticsearch

Configuration

endpoints: Define the Elasticsearch endpoints
- Default value if not configured: ['http://127.0.0.1:9200']
- Type of the configuration item: string
- The configuration item can contain multiple values: True
- Is required: True

keys: Set the Elasticsearch api keys for each endpoint. Note: Use api key or basic auth, but not both.
- Default value if not configured: N/A
- Type of the configuration item: string
- The configuration item can contain multiple values: True
- Is required: False

users: Set the Elasticsearch users for each endpoint. Note: Use api key or basic auth, but not both.
- Default value if not configured: N/A
- Type of the configuration item: string
- The configuration item can contain multiple values: True
- Is required: False

passwords: Set the Elasticsearch passwords for each endpoint. Note: Use api key or basic auth, but not both.
- Default value if not configured: N/A
- Type of the configuration item: string
- The configuration item can contain multiple values: True
- Is required: False

kibana: Define the kibana address
- Default value if not configured: N/A
- Type of the configuration item: string
- The configuration item can contain multiple values: False
- Is required: False

dashboard: Set the kibana dashboard id that will be linked in the report
- Default value if not configured: N/A
- Type of the configuration item: string
- The configuration item can contain multiple values: False
- Is required: False

index: Define the Elasticsearch indices to use
- Default value if not configured: ['apm-*-transaction*', 'auditbeat-*', 'endgame-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*']
- Type of the configuration item: string
- The configuration item can contain multiple values: True
- Is required: True

field: Define the fields to query
- Default value if not configured: ['destination.ip', 'dll.hash.md5', 'dll.hash.sha256', 'dns.question.name', 'dns.resolved_ip', 'file.hash.md5', 'file.hash.sha256', 'file.name', 'hash.md5', 'hash.sha256', 'process.args', 'process.hash.md5', 'process.hash.sha256', 'process.parent.hash.md5', 'process.parent.hash.sha256', 'source.ip', 'url.domain', 'url.full']
- Type of the configuration item: string
- The configuration item can contain multiple values: True
- Is required: True

size: Define the number of hits per index to return
- Default value if not configured: 10
- Type of the configuration item: string
- The configuration item can contain multiple values: False
- Is required: True

verifyssl: Verify SSL certificate
- Default value if not configured: True
- Type of the configuration item: boolean
- The configuration item can contain multiple values: False
- Is required: True

cert_path: Path to the CA on the system used to check server certificate
- Default value if not configured: N/A
- Type of the configuration item: string
- The configuration item can contain multiple values: False
- Is required: False
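The configuration items above carry a few constraints worth checking before the analyzer is deployed: one credential per endpoint, api key or basic auth but not both, and a TLS setting that should not be silently disabled. The following is an added example, not the analyzer's own code; it applies those constraints to a Cortex-style config dict and builds the kind of per-field Elasticsearch query an IoC lookup sends (the query shape and the `DEFAULT_FIELDS` subset are assumptions for illustration).

```python
"""Config checks and query construction for an Elasticsearch IoC lookup.

Added illustration, not the analyzer's own code. It enforces the rules stated
in the configuration table (api key OR basic auth, one credential entry per
endpoint, size hits per index) and builds a query body per observable.
"""

# Subset of the analyzer's default fields, used here as a constructed sample.
DEFAULT_FIELDS = ["destination.ip", "dns.question.name", "file.hash.sha256",
                  "source.ip", "url.domain", "url.full"]


def validate_config(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    endpoints = cfg.get("endpoints") or []
    keys, users, passwords = (cfg.get(k) or [] for k in ("keys", "users", "passwords"))
    if not endpoints:
        problems.append("endpoints is required")
    # The table says: use api key or basic auth, but not both.
    if keys and (users or passwords):
        problems.append("use api key or basic auth, but not both")
    if bool(users) != bool(passwords):
        problems.append("users and passwords must be set together")
    # Credentials are positional: entry i belongs to endpoints[i].
    for name, values in (("keys", keys), ("users", users), ("passwords", passwords)):
        if values and len(values) != len(endpoints):
            problems.append(f"{name} must have one entry per endpoint")
    # Secrets over plain http leave the host unencrypted on the wire.
    for ep in endpoints:
        if ep.startswith("http://") and (keys or users):
            problems.append(f"credentials sent in clear text to {ep}")
    if cfg.get("verifyssl") is False:
        problems.append("verifyssl is False: server certificate is not checked")
    size = str(cfg.get("size", 10))
    if not (size.isdigit() and int(size) > 0):
        problems.append("size must be a positive integer")
    return problems


def build_query(observable: str, fields=DEFAULT_FIELDS, size: int = 10) -> dict:
    """One match clause per configured field; any field hit returns the document."""
    return {
        "size": size,  # hits per index, as the 'size' item describes
        "query": {"bool": {"should": [{"match": {f: observable}} for f in fields],
                           "minimum_should_match": 1}},
    }
```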

Templates samples for TheHive

No template samples to display.