{ "name": "Elasticsearch_Analysis", "author": "Nick Prokop", "license": "MIT", "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "version": "1.0", "description": "Search for IoCs in Elasticsearch", "dataTypeList": [ "url", "domain", "ip", "hash", "filename", "fqdn", "mail", "mail-subject", "user-agent", "hostname", "username" ], "command": "Elasticsearch/elk.py", "baseConfig": "Elasticsearch", "configurationItems": [ { "name": "endpoints", "description": "Define the Elasticsearch endpoints", "type": "string", "multi": true, "required": true, "defaultValue": [ "http://127.0.0.1:9200" ] }, { "name": "keys", "description": "Set the Elasticsearch api keys for each endpoint. Note: Use api key or basic auth, but not both.", "type": "string", "multi": true, "required": false }, { "name": "users", "description": "Set the Elasticsearch users for each endpoint. Note: Use api key or basic auth, but not both.", "type": "string", "multi": true, "required": false }, { "name": "passwords", "description": "Set the Elasticsearch passwords for each endpoint. 
Note: Use api key or basic auth, but not both.", "type": "string", "multi": true, "required": false }, { "name": "kibana", "description": "Define the kibana address", "type": "string", "multi": false, "required": false }, { "name": "dashboard", "description": "Set the kibana dashboard id that will be linked in the report", "type": "string", "multi": false, "required": false }, { "name": "index", "description": "Define the Elasticsearch indices to use", "type": "string", "multi": true, "required": true, "defaultValue": [ "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*" ] }, { "name": "field", "description": "Define the fields to query", "type": "string", "multi": true, "required": true, "defaultValue": [ "dll.pe.original_file_name", "email.attachments.file.name", "file.name", "file.pe.original_file_name", "process.pe.original_file_name", "process.name", "process.parent.name", "process.session_leader.name", "process.parent.pe.original_file_name", "process.entry_leader.name", "process.group_leader.name", "client.ip", "client.nat.ip", "destination.ip", "destination.nat.ip", "dns.resolved_ip", "network.forwarded_ip", "orchestrator.resource.ip", "related.ip", "server.ip", "server.nat.ip", "source.ip", "source.nat.ip", "url.path", "url.full", "url.original", "client.user.id", "client.user.name", "destination.user.id", "destination.user.name", "destination.user.email", "source.user.id", "source.user.name", "source.user.email", "url.username", "user.changes.email", "user.changes.id", "user.effective.email", "user.id", "user.name", "user.email", "user.target.name", "dll.pe.imphash", "file.pe.imphash", "process.parent.pe.imphash", "process.pe.imphash", "dll.hash.md5", "email.attachments.file.hash.md5", "file.hash.md5", "process.hash.md5", "process.parent.hash.md5", "tls.client.hash.md5", "tls.server.hash.md5", "dll.pe.pehash", "file.pe.pehash", "process.parent.pe.pehash", "process.pe.pehash", "dll.hash.sha1", 
"email.attachments.file.hash.sha1", "file.hash.sha1", "process.hash.sha1", "process.parent.hash.sha1", "tls.client.hash.sha1", "tls.server.hash.sha1", "dll.code_signature.thumbprint_sha256", "dll.hash.sha256", "email.attachments.file.hash.sha256", "file.code_signature.thumbprint_sha256", "file.hash.sha256", "process.code_signature.thumbprint_sha256", "process.hash.sha256", "process.parent.code_signature.thumbprint_sha256", "process.parent.hash.sha256", "tls.client.hash.sha256", "tls.server.hash.sha256", "dll.hash.sha384", "email.attachments.file.hash.sha384", "file.hash.sha384", "process.hash.sha384", "process.parent.hash.sha384", "dll.hash.sha512", "email.attachments.file.hash.sha512", "file.hash.sha512", "process.hash.sha512", "process.parent.hash.sha512", "dll.hash.ssdeep", "email.attachments.file.hash.ssdeep", "file.hash.ssdeep", "process.hash.ssdeep", "process.parent.hash.ssdeep", "dll.hash.tlsh", "email.attachments.file.hash.tlsh", "file.hash.tlsh", "process.hash.tlsh", "process.parent.hash.tlsh", "user_agent.name", "user_agent.original", "email.subject", "source.user.email", "user.changes.email", "user.effective.email", "user.email", "user.target.name", "client.domain", "destination.domain", "dns.answers.name", "dns.question.name", "server.domain", "source.domain", "url.domain", "url.registered_domain", "client.registered_domain", "destination.registered_domain", "dns.question.registered_domain", "server.registered_domain", "source.registered_domain", "url.registered_domain" ] }, { "name": "size", "description": "Define the number of hits per index to return", "type": "string", "multi": false, "required": true, "defaultValue": "10" }, { "name": "verifyssl", "description": "Verify the Elasticsearch server's TLS/SSL certificate", "type": "boolean", "multi": false, "required": true, "defaultValue": true }, { "name": "cert_path", "description": "Path to the CA certificate on the system used to verify the server certificate", "type": "string", "multi": false, "required": false } ], "registration_required": 
false, "subscription_required": false, "free_subscription": true, "service_homepage": "https://www.elastic.co" }