
Commit c659733

authored
Merge pull request elastic#3 from dcode/blog/mozin-about
Adds a Kibana API call to create the index pattern
2 parents 2edb3ec + 0933aeb commit c659733

5 files changed

+464
-3
lines changed

Lines changed: 3 additions & 3 deletions
@@ -11,6 +11,6 @@ Artifacts and code snippets from the blog post.
1111

1212
| Artifact | Description | Note |
1313
| - | - | - |
14-
| [Geo Ingest Pipeline](./ingest-pipeline.yml) | Artifact desc. | Artifact note |
15-
| [Mozi Collection Script](./collection-script.sh) | Script to collect Mozi samples | NA |
16-
| [Etc.]() | Artifact desc. | Artifact note |
14+
| [Mozi Collection Script](./collection.sh) | Script to collect Mozi samples and send to Elasticsearch | NA |
15+
| [Ingest Node Pipeline](./ingest-node-pipeline.json) | ThreatFox Ingest Node Pipeline | NA |
16+
| [YARA Signature](./mozi-obfuscation-technique.yara) | Mozi obfuscation technique YARA signature | NA |

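--- a/blog/mozin-about/collection.sh
+++ b/blog/mozin-about/collection.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Collect Mozi sample data
+curl -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "taginfo", "tag": "Mozi", "limit": 1000 }' > mozi-raw.json
+
+# Local Elasticsearch & Kibana
+ES_HOST='http://elastic:password@localhost:9200'
+KBN_HOST='http://elastic:password@localhost:5601'
+
+# Elastic Cloud
+# ES_HOST='https://elastic:changeme@abcdef0123456789abcdef0123456789.us-central1.gcp.cloud.es.io:9243'
+# KBN_HOST='https://elastic:changeme@0123456789abcdef01234567890abcdef.us-central1.gcp.cloud.es.io:9243'
+
+# Create the Threat Fox Ingest Pipeline
+curl -XPUT ${ES_HOST}/_ingest/pipeline/threatfox-enrichment -H 'Content-Type: application/json' [email protected]
+
+# Creates a new index called 'indicators' with the given settings
+curl -XPUT ${ES_HOST}/indicators -H 'Content-Type: application/json' [email protected]
+
+# Ingests raw data from the cURL response of Threat Fox in the file listed, then does a bulk upload to ES
+cat mozi-raw.json | jq -c -r '.data[]' | \
+while read line; do
+echo '{"index":{}}';
+echo $line;
+done | \
+curl --silent -XPOST \
+-H 'Content-Type: application/x-ndjson' \
+--data-binary \
+@- \
+${ES_HOST}/indicators/_doc/_bulk
+
+# Create Kibana index pattern
+curl -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
+${KBN_HOST}/api/index_patterns/index_pattern -d'
+{
+"override": false,
+"refresh_fields": true,
+"index_pattern": {
+"title": "indicators*",
+"timeFieldName": "event.ingested"
+}
+}'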
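Review bot: The Elasticsearch and Kibana passwords are embedded in the URLs at lines 7–8 (and in the Cloud examples at 11–12), so every curl call puts them on the command line where `ps`, shell history and curl's own error output expose them, and the local endpoints are plain http so they also travel in the clear; read them from the environment and pass them with `-u` (or a `--netrc-file`/`-K` config file if argv exposure matters), and use https with certificate verification for anything not on localhost. The bulk loop at lines 22–24 also corrupts data: `read line` without `-r` strips backslash escapes from the jq output and unquoted `echo $line` word-splits and glob-expands it, so any indicator containing `\"`, `\\` or `*` is mangled before it reaches `_bulk`; use `IFS= read -r line` and `printf '%s\n' "$line"`. None of the curl calls use `--fail` and there is no `set -euo pipefail`, so a failed pipeline or index creation is ignored and the bulk upload runs anyway against an index without the `threatfox-enrichment` default pipeline. `${ES_HOST}/indicators/_doc/_bulk` is the typed bulk endpoint, which appears deprecated on 7.x and removed in 8.x, so `${ES_HOST}/indicators/_bulk` is the safer form. The `[email protected]` arguments on lines 15 and 18 look like the page's e-mail obfuscation of `@<file>.json`, so the real file names should be checked against the README table rather than this rendering.
```shell
#!/bin/bash
set -euo pipefail

# Credentials come from the environment, never from the URL: URL-embedded
# passwords end up in `ps`, shell history and curl's error output.
ES_HOST="${ES_HOST:-http://localhost:9200}"
KBN_HOST="${KBN_HOST:-http://localhost:5601}"
ES_USER="${ES_USER:-elastic}"
: "${ES_PASSWORD:?set ES_PASSWORD in the environment}"
CURL=(curl --silent --show-error --fail -u "${ES_USER}:${ES_PASSWORD}")

# … unchanged: ThreatFox query, pipeline and index creation (invoked via "${CURL[@]}") …

jq -c '.data[]' mozi-raw.json | \
while IFS= read -r line; do
  echo '{"index":{}}'
  printf '%s\n' "$line"
done | \
"${CURL[@]}" -XPOST -H 'Content-Type: application/x-ndjson' --data-binary @- "${ES_HOST}/indicators/_bulk"

# … unchanged: Kibana index pattern creation (invoked via "${CURL[@]}") …
```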
Lines changed: 159 additions & 0 deletions
@@ -0,0 +1,159 @@
1+
{
2+
"settings": {
3+
"number_of_shards": 1,
4+
"default_pipeline": "threatfox-enrichment"
5+
},
6+
"mappings": {
7+
"properties": {
8+
"event": {
9+
"properties": {
10+
"category": {
11+
"type": "keyword"
12+
},
13+
"id": {
14+
"type": "keyword"
15+
},
16+
"ingested": {
17+
"type": "date"
18+
},
19+
"kind": {
20+
"type": "keyword"
21+
},
22+
"provider": {
23+
"type": "keyword"
24+
},
25+
"reference": {
26+
"type": "keyword"
27+
},
28+
"type": {
29+
"type": "keyword"
30+
}
31+
}
32+
},
33+
"file": {
34+
"properties": {
35+
"hash": {
36+
"properties": {
37+
"sha256": {
38+
"type": "keyword"
39+
}
40+
}
41+
}
42+
}
43+
},
44+
"related": {
45+
"properties": {
46+
"hash": {
47+
"type": "keyword"
48+
},
49+
"ip": {
50+
"type": "ip"
51+
}
52+
}
53+
},
54+
"tags": {
55+
"type": "keyword"
56+
},
57+
"threat": {
58+
"properties": {
59+
"indicator": {
60+
"properties": {
61+
"confidence": {
62+
"type": "long"
63+
},
64+
"description": {
65+
"type": "text"
66+
},
67+
"first_seen": {
68+
"type": "date"
69+
},
70+
"last_seen": {
71+
"type": "date"
72+
},
73+
"geo": {
74+
"properties": {
75+
"city_name": {
76+
"type": "keyword",
77+
"ignore_above": 1024
78+
},
79+
"continent_name": {
80+
"type": "keyword",
81+
"ignore_above": 1024
82+
},
83+
"country_iso_code": {
84+
"type": "keyword",
85+
"ignore_above": 1024
86+
},
87+
"country_name": {
88+
"type": "keyword",
89+
"ignore_above": 1024
90+
},
91+
"location": {
92+
"type": "geo_point"
93+
},
94+
"name": {
95+
"type": "keyword",
96+
"ignore_above": 1024
97+
},
98+
"region_iso_code": {
99+
"type": "keyword",
100+
"ignore_above": 1024
101+
},
102+
"region_name": {
103+
"type": "keyword",
104+
"ignore_above": 1024
105+
},
106+
"timezone": {
107+
"type": "keyword",
108+
"ignore_above": 1024
109+
},
110+
"asn": {
111+
"type": "long"
112+
},
113+
"organization_name": {
114+
"type": "text",
115+
"fields": {
116+
"keyword": {
117+
"type": "keyword",
118+
"ignore_above": 256
119+
}
120+
}
121+
}
122+
}
123+
},
124+
"ip": {
125+
"type": "ip"
126+
},
127+
"port": {
128+
"type": "long"
129+
},
130+
"type": {
131+
"type": "keyword"
132+
}
133+
}
134+
},
135+
"software": {
136+
"properties": {
137+
"name": {
138+
"type": "keyword"
139+
},
140+
"reference": {
141+
"type": "keyword"
142+
},
143+
"type": {
144+
"type": "keyword"
145+
}
146+
}
147+
},
148+
"threatfox": {
149+
"properties": {
150+
"malware_printable": {
151+
"type": "keyword"
152+
}
153+
}
154+
}
155+
}
156+
}
157+
}
158+
}
159+
}
