Merge pull request #5915 from Security-Onion-Solutions/feature/ti_module

Add TI module

salt/common/tools/sbin/so-filebeat-module-setup

@@ -54,7 +54,7 @@ PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_
 if [[ "$PIPELINES" -lt 5 ]]; then
   echo "Setting up ingest pipeline(s)"
 
-  for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft misp mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system tomcat traefik zeek zscaler
+  for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system threatintel tomcat traefik zeek zscaler
   do
     echo "Loading $MODULE"
     docker exec -i so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML

salt/filebeat/thirdpartydefaults.yaml

@@ -244,6 +244,23 @@ third_party_filebeat:
         var.input: udp
         var.syslog_host: 0.0.0.0
         var.syslog_port: 9501
+    threatintel:
+      abuseurl:
+        enabled: false
+      abusemalware:
+        enabled: false
+      misp:
+        enabled: false
+      malwarebazaar:
+        enabled: false
+      otx:
+        enabled: false
+      anomali:
+        enabled: false
+      anomalithreatstream:
+        enabled: false
+      recordedfuture:
+        enabled: false
     zscaler:
       zia:
         enabled: false