/graylog-plugin-threatintel

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix otx threat names ids not populating #99

Merged
merged 3 commits into from Mar 16, 2018

Conversation

Reviewers

@joschi joschi

Assignees

@joschi joschi

Labels
bug
Projects
None yet
Milestone
  2.4.4
2 participants
@pbr0ck3r @joschi
@pbr0ck3r
Contributor

pbr0ck3r commented Mar 15, 2018

When using the otx_lookup_ip and otx_lookup_domain in a pipeline rule. All that was being passed back was otx_threat_indicated. If a threat was indicated otx_threat_ids and otx_threat_names are currently not being returned. Just otx_threat_indicated: true. This PR fixes that.

@pbr0ck3r pbr0ck3r changed the base branch from master to 2.4 Mar 15, 2018

@pbr0ck3r
removed unused import
Loading status checks…
5b1a9d5

@pbr0ck3r pbr0ck3r referenced this pull request Mar 16, 2018

Open

otx_lookup_ip function does not provide threat details #4495

@joschi

joschi reviewed Mar 16, 2018
View changes

src/main/java/org/graylog/plugins/threatintel/functions/otx/AbstractOTXLookupFunction.java Outdated
@@ -39,9 +40,10 @@ private OTXLookupResult lookupIntel(final String key, final LookupTableService.F
if (pulseCount > 0) {
result.put("otx_threat_indicated", true);
if (lookupResult.multiValue() != null && lookupResult.multiValue() instanceof List) {
if (lookupResult.multiValue() != null && lookupResult.multiValue() instanceof LinkedHashMap) {

This comment has been minimized.

Sign in to view
Copy link
@joschi

joschi Mar 16, 2018

Contributor

Why did you decide to use a LinkedHashMap instead of the List interface?

This comment has been minimized.

Sign in to view
Copy link
@pbr0ck3r

pbr0ck3r Mar 16, 2018
edited

Contributor

The lookupResult.multiValue() is a instance of LinkedHashMap not List which was causing this check in the if statement to fail.

This comment has been minimized.

Sign in to view
Copy link
@joschi

joschi Mar 16, 2018

Contributor

Ah, it's a map and not a list! 🤦‍♂️

In this case, please use the Map interface and not List or LinkedHashMap.

This comment has been minimized.

Sign in to view
Copy link
@pbr0ck3r

pbr0ck3r Mar 16, 2018
edited

Contributor

Wiil do! Original reason I choose LindkedHashMap was because I checked the class of lookupResult.mulitValue() using getClass() and it returned LinkdedHashMap.
@pbr0ck3r
use Map instead of LinkedHashMap
Loading status checks…
a8d0078

@joschi joschi added the bug label Mar 16, 2018

@joschi joschi self-assigned this Mar 16, 2018

@joschi joschi added this to the 2.4.4 milestone Mar 16, 2018

@joschi

joschi approved these changes Mar 16, 2018
View changes

LGTM. 👍

@joschi joschi merged commit f771037 into Graylog2:2.4 Mar 16, 2018
2 checks passed

2 checks passed

graylog-project/pr Jenkins build graylog-project-pr-snapshot 1188 has succeeded
Details
license/cla Contributor License Agreement is signed.
Details

joschi added a commit that referenced this pull request Mar 16, 2018

@pbr0ck3r @joschi
Fix otx threat names ids not populating (#99) 
Fix otx_threat_names and otx_threat_ids not populating in lookupIntel when they exist

(cherry picked from commit f771037)
Unverified
The committer email address is not verified.
Learn about signing commits
11b3bfa
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment