Elasticsearch integration
ACUBETotal integrates with Elasticsearch for the searching of past submissions. Current fields supported for searching:
- file: Filename or hash (md5, sha256)
- from: Submitter or organisation
- tag: Submission tag
- before: Date
- after: Date
- string: FLOSS string segments
- imports: PE function imports
- exports: PE function exports
- network: Domain names or IP addresses
- detections: Sandbox detections
- ttp: TTP ID
An Index named submission has been created in Elasticsearch and indexes the following information:
- Submission metadata
- CAPE results
- Network
- Target
- TTPs
- Detections
- OpenCTI
- FLOSS strings
- CAPA (TTP IDs)
Ingesting of data
The JSON reports ingested from CAPA, FLOSS and CAPEv2 should be heavily trimmed to reduce excessive indexing on elasticsearch.
Only index data that is useful/strictly necessary for user-searching.
Querying of data
There is a difference between a filter context and a query context. Filters do not play a part in a search result's relevance score.
Additionally, frequently used filter queries will be cached on Elasticsearch to speed up performance.
tip
Check this Elasticsearch documentation for more information.