ti_opencti: use extended list of expected_values for indicator type

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json-expected.json

@@ -70,7 +70,7 @@
                     "name": "1KqequymujeNJuyB4gH7oJSFTB3En3Hf5n",
                     "provider": "AlienVault",
                     "reference": "https://demo.opencti.io/dashboard/observations/indicators/fb7dd696-1d45-47b0-8227-cef50ba472a3",
-                    "type": "user-account"
+                    "type": "cryptocurrency-wallet"
                 }
             }
         }

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-message.json-expected.json

@@ -64,7 +64,7 @@
                     "name": "Blank 2",
                     "provider": "CIRCL",
                     "reference": "https://demo.opencti.io/dashboard/observations/indicators/3c3a2209-1dbe-4f85-85b5-c284e63b2c40",
-                    "type": "artifact"
+                    "type": "email-message"
                 }
             }
         }

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-hostname.json-expected.json

@@ -88,7 +88,7 @@
                     "name": "news.googmail.org",
                     "provider": "AlienVault",
                     "reference": "https://demo.opencti.io/dashboard/observations/indicators/21638bcf-cd6d-402b-abc9-10f782e88e58",
-                    "type": "domain-name",
+                    "type": "hostname",
                     "url": {
                         "domain": "news.googmail.org",
                         "registered_domain": "googmail.org",

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-phone-number.json-expected.json

@@ -55,7 +55,7 @@
                     "name": "+35220880392",
                     "provider": "CIRCL",
                     "reference": "https://demo.opencti.io/dashboard/observations/indicators/422b2769-12f7-477d-bd21-7e98fe958167",
-                    "type": "user-account"
+                    "type": "phone-number"
                 }
             }
         }

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-unknown.json-expected.json

@@ -67,7 +67,8 @@
                     "modified_at": "2023-01-17T09:30:07.427Z",
                     "name": "7b9e910b4c5b8a90669e90d182fe8a92ddf79b5c",
                     "provider": "AlienVault",
-                    "reference": "https://demo.opencti.io/dashboard/observations/indicators/d10900dc-8ac2-40b4-b05d-bafc087c2b9f"
+                    "reference": "https://demo.opencti.io/dashboard/observations/indicators/d10900dc-8ac2-40b4-b05d-bafc087c2b9f",
+                    "type": "unknown"
                 }
             }
         }

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-user-agent.json-expected.json

@@ -55,7 +55,7 @@
                     "name": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)",
                     "provider": "CIRCL",
                     "reference": "https://demo.opencti.io/dashboard/observations/indicators/7f2928c5-c731-4562-a82d-0d39411303bb",
-                    "type": "artifact"
+                    "type": "user-agent"
                 }
             }
         }

packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml

@@ -148,31 +148,11 @@ processors:
   - script:
       description: Reformat indicator type
       lang: painless
-      params:
-        cryptocurrency-wallet: user-account
-        domain-name: domain-name
-        email-addr: email-addr
-        email-message: artifact
-        hostname: domain-name # There is no good match for this: this or 'url'?
-        ipv4-addr: ipv4-addr
-        ipv6-addr: ipv6-addr
-        mutex: mutex
-        phone-number: user-account # There is no good match for this.
-        process: process
-        stixfile: file
-        url: url
-        user-agent: artifact # There is no good match for this.
-        windows-registry-key: windows-registry-key
-        unknown: null
       source: |
         String type = ctx.threat.indicator.type;
         type = type.toLowerCase();
-        type = params[type];
-        if (type != null) {
-          ctx.threat.indicator.type = type;
-        } else {
-          ctx.threat.indicator.remove('type');
-        }
+        type = type.replace('stixfile', 'file');
+        ctx.threat.indicator.type = type;
   - rename:
       field: createdBy.name
       target_field: threat.indicator.provider

packages/ti_opencti/data_stream/indicator/fields/ecs.yml

@@ -7,6 +7,38 @@
   level: extended
   type: keyword
   description: Type of indicator as represented by Cyber Observable in STIX 2.1 or OpenCTI
+  expected_values:
+    - artifact
+    - autonomous-system
+    - bank-account
+    - cryptocurrency-wallet
+    - cryptographic-key
+    - directory
+    - domain-name
+    - email-addr
+    - email-message
+    - email-mime-part-type
+    - hostname
+    - ipv4-addr
+    - ipv6-addr
+    - mac-addr
+    - media-content
+    - mutex
+    - network-traffic
+    - payment-card
+    - phone-number
+    - process
+    - software
+    - file
+    - text
+    - url
+    - user-account
+    - user-agent
+    - windows-registry-key
+    - windows-registry-value-type
+    - x509-certificate
+    - unknown
+    - port
 # Additional file hash algorithms
 - name: threat.indicator.file.hash.sha3_256
   type: keyword