logs-ti_tor.node_activity Filebeat Input
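# Filebeat httpjson input that pulls the public Tor relay directory from the
# Tor Project's Onionoo service and normalises each relay into tor.* and ECS
# threat fields, so Tor exit IPs can be matched as threat-intelligence
# indicators.
#
# Onionoo only returns the attributes named in the `fields=` query parameter,
# so every field a processor below renames must also be listed there. The
# original configuration renamed as, consensus_weight*, *_family, exit_policy*,
# *_probability, measured and overload_general_timestamp without ever
# requesting them, so those tor.* fields were never populated.
filebeat.inputs:
  # TOR NODE ACTIVITY INPUT
  - type: httpjson
    # Onionoo refreshes its data about once an hour; polling faster only
    # re-ingests the same relay documents.
    interval: 60m
    # Custom index / data stream name. NOTE(review): with the Elasticsearch
    # output this needs matching setup.template.* / ILM settings in the output
    # section (not shown here) or Filebeat falls back to its default index.
    index: logs-ti_tor.node_activity
    # Ingest pipeline applied at index time; it must already exist in
    # Elasticsearch or every event is rejected.
    pipeline: "logs-ti_tor.node_activity"
    # Onionoo 'details' document. The fields= list is the complete set of relay
    # attributes consumed by the processors below; trim both together if a
    # smaller response is wanted. 'hibernating' is requested but not renamed
    # and therefore stays as a top-level field.
    request.url: https://onionoo.torproject.org/details?fields=exit_addresses,nickname,fingerprint,running,as,as_name,verified_host_names,unverified_host_names,or_addresses,last_seen,last_changed_address_or_port,first_seen,hibernating,last_restarted,bandwidth_rate,bandwidth_burst,observed_bandwidth,advertised_bandwidth,consensus_weight,consensus_weight_fraction,flags,version,version_status,platform,recommended_version,contact,alleged_family,effective_family,indirect_family,exit_policy,exit_policy_summary,exit_policy_v6_summary,exit_probability,guard_probability,middle_probability,measured,overload_general_timestamp
    # The details document carries a 'relays' array (and a 'bridges' array,
    # which is not ingested); emit one event per relay.
    response.split:
      target: body.relays
    # PROCESSORS
    processors:
      # Each split relay arrives as a JSON string in 'message'; expand it onto
      # the event root. overwrite_keys lets the relay's own keys replace any
      # same-named field already present on the event.
      - decode_json_fields:
          fields: ["message"]
          target: ""
          overwrite_keys: true
      # Map Onionoo's flat names onto the tor.* namespace in a single rename
      # processor. ignore_missing is required because exit_*, *_family,
      # *_probability and overload_* only exist on a subset of relays;
      # fail_on_error: false keeps each rename independent (one failed rename
      # does not revert the others), matching the behaviour of one processor
      # per field.
      - rename:
          ignore_missing: true
          fail_on_error: false
          fields:
            - from: "advertised_bandwidth"
              to: "tor.bandwidth.advertised"
            - from: "bandwidth_burst"
              to: "tor.bandwidth.burst"
            - from: "bandwidth_rate"
              to: "tor.bandwidth.rate"
            - from: "observed_bandwidth"
              to: "tor.bandwidth.observed"
            - from: "as"
              to: "tor.as.number"
            - from: "as_name"
              to: "tor.as.organization.name"
            - from: "consensus_weight"
              to: "tor.consensus.weight"
            - from: "consensus_weight_fraction"
              to: "tor.consensus.weight_fraction"
            - from: "contact"
              to: "tor.contact.original"
            - from: "alleged_family"
              to: "tor.family.alleged"
            - from: "effective_family"
              to: "tor.family.effective"
            # exit_addresses is the list of IPs the relay was observed exiting
            # from; it is only present on exit relays and is what feeds
            # threat.indicator.ip below.
            - from: "exit_addresses"
              to: "tor.exit.ip"
            - from: "exit_policy"
              to: "tor.exit_policy"
            # exit_policy_summary / exit_policy_v6_summary are nested objects;
            # dotted 'from' keys address their accept/reject lists directly.
            - from: "exit_policy_summary.accept"
              to: "tor.exit.policy.ipv4.accept"
            - from: "exit_policy_summary.reject"
              to: "tor.exit.policy.ipv4.reject"
            - from: "exit_policy_v6_summary.accept"
              to: "tor.exit.policy.ipv6.accept"
            - from: "exit_policy_v6_summary.reject"
              to: "tor.exit.policy.ipv6.reject"
            - from: "exit_probability"
              to: "tor.exit.probability"
            - from: "fingerprint"
              to: "tor.fingerprint"
            - from: "first_seen"
              to: "tor.first_seen"
            # Relay flags (Exit, Guard, Fast, ...) are kept under tor.description
            # for compatibility with existing consumers of this index.
            - from: "flags"
              to: "tor.description"
            - from: "guard_probability"
              to: "tor.guard.probability"
            - from: "indirect_family"
              to: "tor.family.indirect"
            - from: "last_changed_address_or_port"
              to: "tor.last_changed"
            - from: "last_restarted"
              to: "tor.last_restarted"
            - from: "last_seen"
              to: "tor.last_seen"
            - from: "measured"
              to: "tor.measured"
            - from: "middle_probability"
              to: "tor.middle.probability"
            - from: "nickname"
              to: "tor.name"
            - from: "or_addresses"
              to: "tor.routing.addresses"
            - from: "overload_general_timestamp"
              to: "tor.overload"
            - from: "platform"
              to: "tor.platform"
            - from: "recommended_version"
              to: "tor.recommended_version"
            - from: "running"
              to: "tor.running"
            - from: "unverified_host_names"
              to: "tor.hostname.unverified"
            - from: "verified_host_names"
              to: "tor.hostname.verified"
            - from: "version"
              to: "tor.version"
            - from: "version_status"
              to: "tor.version_status"
      # ECS event classification for threat-intelligence enrichment data.
      # NOTE(review): ECS recommends event.dataset be prefixed with the module
      # name (ti_tor.node_activity, matching the index); it is left as-is so
      # existing dashboards and queries keep working.
      - add_fields:
          target: event
          fields:
            module: "ti_tor"
            category: "threat"
            type: "indicator"
            kind: "enrichment"
            dataset: "node_activity"
      # Expose exit IPs as the ECS indicator value. Only exit relays carry
      # tor.exit.ip, hence ignore_missing. Onionoo also returns relays that
      # are no longer running, so consumers matching on threat.indicator.ip
      # should additionally filter on tor.running / tor.last_seen to avoid
      # acting on stale exit IPs.
      - copy_fields:
          fields:
            - from: tor.exit.ip
              to: threat.indicator.ip
          fail_on_error: false
          ignore_missing: true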