ti_opencti: ensure field usage conforms to ECS definitions

elastic · Jun 11, 2024 · 0adbb3f · 0adbb3f
1 parent d20a5d9
commit 0adbb3f
Show file tree

Hide file tree

Showing 11 changed files with 36 additions and 12 deletions.
diff --git a/packages/ti_opencti/changelog.yml b/packages/ti_opencti/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.0.0"
+  changes:
+    - description: Make `threat.indicator.type` field conform to ECS field definition.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/
 - version: "2.1.1"
   changes:
     - description: Adjust field mappings for transform destination index.

diff --git a/...ti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json-expected.json b/...ti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json-expected.json
@@ -70,7 +70,7 @@
                     "name": "1KqequymujeNJuyB4gH7oJSFTB3En3Hf5n",
                     "provider": "AlienVault",
                     "reference": "https://demo.opencti.io/dashboard/observations/indicators/fb7dd696-1d45-47b0-8227-cef50ba472a3",
-                    "type": "cryptocurrency-wallet"
+                    "type": "user-account"
                 }
             }
         }

diff --git a/...ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-message.json-expected.json b/...ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-message.json-expected.json
@@ -64,7 +64,7 @@
                     "name": "Blank 2",
                     "provider": "CIRCL",
                     "reference": "https://demo.opencti.io/dashboard/observations/indicators/3c3a2209-1dbe-4f85-85b5-c284e63b2c40",
-                    "type": "email-message"
+                    "type": "artifact"
                 }
             }
         }

diff --git a/...ages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-hostname.json-expected.json b/...ages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-hostname.json-expected.json
@@ -88,7 +88,7 @@
                     "name": "news.googmail.org",
                     "provider": "AlienVault",
                     "reference": "https://demo.opencti.io/dashboard/observations/indicators/21638bcf-cd6d-402b-abc9-10f782e88e58",
-                    "type": "hostname",
+                    "type": "domain-name",
                     "url": {
                         "domain": "news.googmail.org",
                         "registered_domain": "googmail.org",

diff --git a/.../ti_opencti/data_stream/indicator/_dev/test/pipeline/test-phone-number.json-expected.json b/.../ti_opencti/data_stream/indicator/_dev/test/pipeline/test-phone-number.json-expected.json
@@ -55,7 +55,7 @@
                     "name": "+35220880392",
                     "provider": "CIRCL",
                     "reference": "https://demo.opencti.io/dashboard/observations/indicators/422b2769-12f7-477d-bd21-7e98fe958167",
-                    "type": "phone-number"
+                    "type": "user-account"
                 }
             }
         }

diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-unknown.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-unknown.json-expected.json
@@ -67,8 +67,7 @@
                     "modified_at": "2023-01-17T09:30:07.427Z",
                     "name": "7b9e910b4c5b8a90669e90d182fe8a92ddf79b5c",
                     "provider": "AlienVault",
-                    "reference": "https://demo.opencti.io/dashboard/observations/indicators/d10900dc-8ac2-40b4-b05d-bafc087c2b9f",
-                    "type": "unknown"
+                    "reference": "https://demo.opencti.io/dashboard/observations/indicators/d10900dc-8ac2-40b4-b05d-bafc087c2b9f"
                 }
             }
         }

diff --git a/...es/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-user-agent.json-expected.json b/...es/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-user-agent.json-expected.json
@@ -55,7 +55,7 @@
                     "name": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)",
                     "provider": "CIRCL",
                     "reference": "https://demo.opencti.io/dashboard/observations/indicators/7f2928c5-c731-4562-a82d-0d39411303bb",
-                    "type": "user-agent"
+                    "type": "artifact"
                 }
             }
         }

diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
@@ -148,11 +148,31 @@ processors:
   - script:
       description: Reformat indicator type
       lang: painless
+      params:
+        cryptocurrency-wallet: user-account
+        domain-name: domain-name
+        email-addr: email-addr
+        email-message: artifact
+        hostname: domain-name # There is no good match for this: this or 'url'?
+        ipv4-addr: ipv4-addr
+        ipv6-addr: ipv6-addr
+        mutex: mutex
+        phone-number: user-account # There is no good match for this.
+        process: process
+        stixfile: file
+        url: url
+        user-agent: artifact # There is no good match for this.
+        windows-registry-key: windows-registry-key
+        unknown: null
       source: |
         String type = ctx.threat.indicator.type;
         type = type.toLowerCase();
-        type = type.replace('stixfile', 'file');
-        ctx.threat.indicator.type = type;
+        type = params[type];
+        if (type != null) {
+          ctx.threat.indicator.type = type;
+        } else {
+          ctx.threat.indicator.remove('type');
+        }
   - rename:
       field: createdBy.name
       target_field: threat.indicator.provider

diff --git a/packages/ti_opencti/data_stream/indicator/sample_event.json b/packages/ti_opencti/data_stream/indicator/sample_event.json
@@ -92,7 +92,7 @@
             "name": "ec2-23-21-172-164.compute-1.amazonaws.com",
             "provider": "CthulhuSPRL.be",
             "reference": "http://elastic-package-service-opencti_stub-1:8080/dashboard/observations/indicators/d019b01c-b637-4eb2-af53-6d527be3193d",
-            "type": "hostname",
+            "type": "domain-name",
             "url": {
                 "domain": "ec2-23-21-172-164.compute-1.amazonaws.com",
                 "registered_domain": "ec2-23-21-172-164.compute-1.amazonaws.com",

diff --git a/packages/ti_opencti/docs/README.md b/packages/ti_opencti/docs/README.md
@@ -146,7 +146,7 @@ An example event for `indicator` looks as following:
             "name": "ec2-23-21-172-164.compute-1.amazonaws.com",
             "provider": "CthulhuSPRL.be",
             "reference": "http://elastic-package-service-opencti_stub-1:8080/dashboard/observations/indicators/d019b01c-b637-4eb2-af53-6d527be3193d",
-            "type": "hostname",
+            "type": "domain-name",
             "url": {
                 "domain": "ec2-23-21-172-164.compute-1.amazonaws.com",
                 "registered_domain": "ec2-23-21-172-164.compute-1.amazonaws.com",

diff --git a/packages/ti_opencti/manifest.yml b/packages/ti_opencti/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: ti_opencti
 title: OpenCTI
-version: "2.1.1"
+version: "3.0.0"
 description: "Ingest threat intelligence indicators from OpenCTI with Elastic Agent."
 type: integration
 source: