elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

AbuseCH | failed to parse field [abusech.malwarebazaar.code_sign] of type [keyword] #4092

Closed matthiasledergerber closed 2 years ago

matthiasledergerber commented 2 years ago

Elastic Stack 8.4.0, AbuseCH 1.7.0

Three log examples:

Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.August, 29, 22, 31, 24, 50266838, time.Local), Meta:{"input_id":"httpjson-ti_abusech-fad55fe4-d403-4bc1-aa33-93038ae9a022","raw_index":"logs-ti_abusech.malwarebazaar-default","stream_id":"httpjson-ti_abusech.malwarebazaar-fad55fe4-d403-4bc1-aa33-93038ae9a022"}, Fields:{"agent":{"ephemeral_id":"ec227456-60b4-433e-8991-90a905e7e683","id":"8615abd5-d3c7-49b5-80c2-4b783f42fe11","name":"xxxxxx","type":"filebeat","version":"8.4.0"},"data_stream":{"dataset":"ti_abusech.malwarebazaar","namespace":"default","type":"logs"},"ecs":{"version":"8.0.0"},"elastic_agent":{"id":"8615abd5-d3c7-49b5-80c2-4b783f42fe11","snapshot":false,"version":"8.4.0"},"event":{"created":"2022-08-29T20:31:24.050Z","dataset":"ti_abusech.malwarebazaar"},"input":{"type":"httpjson"},"message":"{\"anonymous\":0,\"code_sign\":[{\"algorithm\":\"sha1WithRSAEncryption\",\"issuer_cn\":\"Android\",\"serial_number\":\"936eacbe07f201df\",\"subject_cn\":\"Android\",\"thumbprint\":\"a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc\",\"thumbprint_algorithm\":\"SHA256\",\"valid_from\":\"2008-02-29T01:33:46Z\",\"valid_to\":\"2035-07-17T01:33:46Z\"}],\"dhash_icon\":null,\"file_name\":\"gen_signed3.apk\",\"file_size\":3423432,\"file_type\":\"apk\",\"file_type_mime\":\"application/java-archive\",\"first_seen\":\"2022-08-29 20:19:53\",\"gimphash\":null,\"imphash\":null,\"intelligence\":{\"clamav\":null,\"downloads\":\"43\",\"mail\":null,\"uploads\":\"1\"},\"last_seen\":null,\"md5_hash\":\"67bc18eeaca9ec3254394dcce2e3b0a4\",\"origin_country\":\"US\",\"reporter\":\"onecert_ir\",\"sha1_hash\":\"ef0a17ed409896959fb93e5f6d62c14e3ba5422f\",\"sha256_hash\":\"c160f3d1d4559482aa8f614e74c1cbd33dcebc2f7be5df622ee1ef3cfb052593\",\"sha3_384_hash\":\"22b8afe43259efc7099025e9c3751f7b528518b49b805521aa00ed19f0aa754ba044db87213a5c11391da4a28f296aed\",\"signature\":null,\"ssdeep\":\"98304:IEVF6aL7fDW3v0AMYfccAAmonM9QF7FuYN8p5HWVrziP:I46x3vKcAqnXJCp5292P\",\"tags\":[\"Android\",\"apk\",\"iran\",\"IRATA\",\"signed\"],\"telfhash\":null,\"tlsh\":\"T194F53337BFB3D135E957B03D9566A109A9E614BA860CFF037A54A58F48E3F80CB41E21\"}","tags":["forwarded","abusech-malwarebazaar"]}, Private:interface {}(nil), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [abusech.malwarebazaar.code_sign] of type [keyword] in document with id '05FU14oQ2iDJUftBx+I//qoeLdc='. Preview of field's value: '{thumbprint=a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc, thumbprint_algorithm=SHA256}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:674"}}, dropping event!

Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.August, 29, 22, 19, 23, 42643111, time.Local), Meta:{"input_id":"httpjson-ti_abusech-fad55fe4-d403-4bc1-aa33-93038ae9a022","raw_index":"logs-ti_abusech.malwarebazaar-default","stream_id":"httpjson-ti_abusech.malwarebazaar-fad55fe4-d403-4bc1-aa33-93038ae9a022"}, Fields:{"agent":{"ephemeral_id":"5251125e-65f8-46c5-9ad8-94254d6e68c9","id":"8615abd5-d3c7-49b5-80c2-4b783f42fe11","name":"xxxxxx","type":"filebeat","version":"8.4.0"},"data_stream":{"dataset":"ti_abusech.malwarebazaar","namespace":"default","type":"logs"},"ecs":{"version":"8.0.0"},"elastic_agent":{"id":"8615abd5-d3c7-49b5-80c2-4b783f42fe11","snapshot":false,"version":"8.4.0"},"event":{"created":"2022-08-29T20:19:23.042Z","dataset":"ti_abusech.malwarebazaar"},"input":{"type":"httpjson"},"message":"{\"anonymous\":0,\"code_sign\":[{\"algorithm\":\"sha1WithRSAEncryption\",\"issuer_cn\":\"Dell Alienware x15 R1 X15-9970) silver Core i7-11800H/32G/512G SSD 15 FHD IPS 360Hz AGNV RTX3080 8G\",\"serial_number\":\"5c88b3c539fdf5a94e319cc012765d80\",\"subject_cn\":\"Dell Alienware x15 R1 X15-9970) silver Core i7-11800H/32G/512G SSD 15 FHD IPS 360Hz AGNV RTX3080 8G\",\"thumbprint\":\"416304decfc2482a42f324e949a9b589505859ae381df9e8377d9b511ffa8a49\",\"thumbprint_algorithm\":\"SHA256\",\"valid_from\":\"2022-08-28T15:48:37Z\",\"valid_to\":\"2032-08-29T15:48:37Z\"}],\"dhash_icon\":\"d4ec66cac966ecd4\",\"file_name\":\"file\",\"file_size\":5220200,\"file_type\":\"exe\",\"file_type_mime\":\"application/x-dosexec\",\"first_seen\":\"2022-08-29 19:23:26\",\"gimphash\":null,\"imphash\":\"172750858dcc0719eed08c952858023c\",\"intelligence\":{\"clamav\":null,\"downloads\":\"189\",\"mail\":null,\"uploads\":\"1\"},\"last_seen\":null,\"md5_hash\":\"7835486c4edc317ceeec1d761e66249f\",\"origin_country\":\"FR\",\"reporter\":\"andretavare5\",\"sha1_hash\":\"42d2cfa6b5a4a3e3f2785a2d18d43c8c0f7c9f3e\",\"sha256_hash\":\"4aa853c8b52d8846ca5593c6af59c6bcb925027b7227283cedebf97303ad7241\",\"sha3_384_hash\":\"718b1938287b5fa2af8d7905f955e8e2b6b3af6c325166fc4bcd6e07a3e8312452558a8f379217bc58cd5582aabb54e6\",\"signature\":\"RedLineStealer\",\"ssdeep\":\"98304:D1G3orcO5/t390ihbftnKu2AoonlzLHxAlNHGnKlxgVX0wH/wu0S6M6LdFJ3ufv:DHrcO5/t390ihbft8GlzD+mn/EwH/iRI\",\"tags\":[\"exe\",\"RedLineStealer\",\"signed\"],\"telfhash\":null,\"tlsh\":\"T1423612B26260019EC0E68C358937FDF572B4162B6F436CB775C97DDA26325F0A223993\"}","tags":["forwarded","abusech-malwarebazaar"]}, Private:interface {}(nil), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [abusech.malwarebazaar.code_sign] of type [keyword] in document with id 'tKrxoGPP+R0owFz5qmRU/3WroFI='. Preview of field's value: '{thumbprint=416304decfc2482a42f324e949a9b589505859ae381df9e8377d9b511ffa8a49, thumbprint_algorithm=SHA256}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:772"}}, dropping event!

Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.August, 29, 22, 38, 23, 227988181, time.Local), Meta:{"input_id":"httpjson-ti_abusech-fad55fe4-d403-4bc1-aa33-93038ae9a022","raw_index":"logs-ti_abusech.malwarebazaar-default","stream_id":"httpjson-ti_abusech.malwarebazaar-fad55fe4-d403-4bc1-aa33-93038ae9a022"}, Fields:{"agent":{"ephemeral_id":"5251125e-65f8-46c5-9ad8-94254d6e68c9","id":"8615abd5-d3c7-49b5-80c2-4b783f42fe11","name":"xxxxxx","type":"filebeat","version":"8.4.0"},"data_stream":{"dataset":"ti_abusech.malwarebazaar","namespace":"default","type":"logs"},"ecs":{"version":"8.0.0"},"elastic_agent":{"id":"8615abd5-d3c7-49b5-80c2-4b783f42fe11","snapshot":false,"version":"8.4.0"},"event":{"created":"2022-08-29T20:38:23.227Z","dataset":"ti_abusech.malwarebazaar"},"input":{"type":"httpjson"},"message":"{\"anonymous\":0,\"code_sign\":[{\"algorithm\":\"sha1WithRSAEncryption\",\"issuer_cn\":\"Android\",\"serial_number\":\"936eacbe07f201df\",\"subject_cn\":\"Android\",\"thumbprint\":\"a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc\",\"thumbprint_algorithm\":\"SHA256\",\"valid_from\":\"2008-02-29T01:33:46Z\",\"valid_to\":\"2035-07-17T01:33:46Z\"}],\"dhash_icon\":null,\"file_name\":\"gen_signed3.apk\",\"file_size\":3423432,\"file_type\":\"apk\",\"file_type_mime\":\"application/java-archive\",\"first_seen\":\"2022-08-29 20:19:53\",\"gimphash\":null,\"imphash\":null,\"intelligence\":{\"clamav\":null,\"downloads\":\"47\",\"mail\":null,\"uploads\":\"1\"},\"last_seen\":null,\"md5_hash\":\"67bc18eeaca9ec3254394dcce2e3b0a4\",\"origin_country\":\"US\",\"reporter\":\"onecert_ir\",\"sha1_hash\":\"ef0a17ed409896959fb93e5f6d62c14e3ba5422f\",\"sha256_hash\":\"c160f3d1d4559482aa8f614e74c1cbd33dcebc2f7be5df622ee1ef3cfb052593\",\"sha3_384_hash\":\"22b8afe43259efc7099025e9c3751f7b528518b49b805521aa00ed19f0aa754ba044db87213a5c11391da4a28f296aed\",\"signature\":null,\"ssdeep\":\"98304:IEVF6aL7fDW3v0AMYfccAAmonM9QF7FuYN8p5HWVrziP:I46x3vKcAqnXJCp5292P\",\"tags\":[\"Android\",\"apk\",\"iran\",\"IRATA\",\"signed\"],\"telfhash\":null,\"tlsh\":\"T194F53337BFB3D135E957B03D9566A109A9E614BA860CFF037A54A58F48E3F80CB41E21\"}","tags":["forwarded","abusech-malwarebazaar"]}, Private:interface {}(nil), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [abusech.malwarebazaar.code_sign] of type [keyword] in document with id '05FU14oQ2iDJUftBx+I//qoeLdc='. Preview of field's value: '{thumbprint=a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc, thumbprint_algorithm=SHA256}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:674"}}, dropping event!

elasticmachine commented 2 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)