From 068fa282aa086de5c670576bfc6b47262a7e2d90 Mon Sep 17 00:00:00 2001
From: moxarth-rathod
Date: Fri, 10 Apr 2026 16:20:55 +0530
Subject: [PATCH 1/3] [Recorded Future] Fix mapping for primary_entity
---
packages/ti_recordedfuture/changelog.yml | 5 +++++
.../_dev/test/pipeline/test-triggered-alert.log | 2 +-
.../test/pipeline/test-triggered-alert.log-expected.json | 7 ++++++-
.../data_stream/triggered_alert/fields/fields.yml | 9 ++++++++-
packages/ti_recordedfuture/docs/README.md | 4 +++-
packages/ti_recordedfuture/manifest.yml | 2 +-
6 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/packages/ti_recordedfuture/changelog.yml b/packages/ti_recordedfuture/changelog.yml
index 673215c86ee..8456508eee2 100644
--- a/packages/ti_recordedfuture/changelog.yml
+++ b/packages/ti_recordedfuture/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.4.2"
+ changes:
+ - description: Fix `primary_entity` mapping for the triggered alerts data stream by adding `primary_entity.id`, `primary_entity.name`, and `primary_entity.type` fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1
 - version: "2.4.1"
 changes:
 - description: Remove duplicate security-solution-default tag references
diff --git a/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log b/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log
index 6f544fcd0c0..dbd5d6f1c3f 100644
--- a/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log
+++ b/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log
@@ -1,4 +1,4 @@ {"review":{"note":"note","status_in_portal":"New","assignee":"John","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"uhash:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcd"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-03-31T04:03:56.425Z","status_change_by":"admin"},"triggered_by":[],"title":"Analysis from Insikt Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.156","name":"89.160.20.156","type":"IpAddress"},{"id":"YOvb","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. 
Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes","language":"eng","primary_entity":null,"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}} {"review":{"note":"note","status_in_portal":"In-Progress","assignee":"Admin","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"aa:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"aa:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=aad"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Diff Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-04-30T04:03:56.425Z","status_change_by":"mark"},"triggered_by":[],"title":"Analysis from Secret Group - 1 
reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.156","name":"89.160.20.156","type":"IpAddress"},{"id":"YOvb","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. 
Client -side JavaScript further customizes","language":"eng","primary_entity":null,"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}} {"review":{"note":"note","status_in_portal":"New","assignee":"Mark","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"bd:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcm"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-02-27T04:03:56.425Z","status_change_by":"john"},"triggered_by":[],"title":"Analysis from ABC Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.156","name":"89.160.20.156","type":"IpAddress"},{"id":"ABC12","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service 
(PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes","language":"eng","primary_entity":null,"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}} -{"review":{"note":"note","status_in_portal":"New","assignee":"Mark","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"bd:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcm"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text 
summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-02-27T04:03:56.425Z","status_change_by":"john"},"triggered_by":[],"title":"Analysis from ABC Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.0/24","name":"89.160.20.0/24","type":"IpAddress"},{"id":"ABC12","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. 
Client -side JavaScript further customizes","language":"eng","primary_entity":null,"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}} +{"review":{"note":"note","status_in_portal":"New","assignee":"Mark","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"bd:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcm"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-02-27T04:03:56.425Z","status_change_by":"john"},"triggered_by":[],"title":"Analysis from ABC Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.0/24","name":"89.160.20.0/24","type":"IpAddress"},{"id":"ABC12","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service 
(PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes","language":"eng","primary_entity":{"name":"Ransomware","id":"J0Nl-p","type":"MalwareCategory"},"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}} diff --git a/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log-expected.json b/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log-expected.json index e7e2b7cbd2b..45fb7c77510 100644 --- a/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log-expected.json +++ b/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log-expected.json 
@@ -356,7 +356,7 @@ "event": { "id": "ABCD1234XYZ", "kind": "alert", - "original": "{\"review\":{\"note\":\"note\",\"status_in_portal\":\"New\",\"assignee\":\"Mark\",\"status\":\"no-action\"},\"owner_organisation_details\":{\"organisations\":[{\"organisation_id\":\"uhash:abcd\",\"organisation_name\":\"Elastic-Example\"}],\"enterprise_id\":\"bd:abcd\",\"enterprise_name\":\"Elastic-Example\"},\"url\":{\"api\":\"https:\\/\\/api.recordedfuture.com\\/v3\\/alerts\\/abcd\",\"portal\":\"https:\\/\\/app.recordedfuture.com\\/live\\/sc\\/notification\\/?id=bcm\"},\"rule\":{\"use_case_deprecation\":{\"description\":null},\"name\":\"Analysis from Insikt Group\",\"id\":\"ABC123\",\"url\":{\"portal\":\"https:\\/\\/app.recordedfuture.com\\/live\\/sc\\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D\"}},\"id\":\"ABCD1234XYZ\",\"enriched_entities\":[],\"ai_insights\":{\"comment\":\"The Recorded Future AI requires more references in order to produce a summary.\",\"text\":\"Text summary\"},\"log\":{\"note_author\":null,\"note_date\":\"2025-03-31T04:03:56.425Z\",\"status_date\":\"2025-03-31T04:03:56.425Z\",\"triggered\":\"2025-02-27T04:03:56.425Z\",\"status_change_by\":\"john\"},\"triggered_by\":[],\"title\":\"Analysis from ABC Group - 1 reference\",\"type\":\"REFERENCE\",\"entities\":[{\"id\":\"ip:89.160.20.0/24\",\"name\":\"89.160.20.0/24\",\"type\":\"IpAddress\"},{\"id\":\"ABC12\",\"name\":\"Webmail\",\"type\":\"Product\"},{\"id\":\"url:https:\\/\\/carriertrucks.com\",\"name\":\"https:\\/\\/carriertrucks.com\",\"type\":\"URL\"}],\"document\":{\"source\":{\"id\":\"source:VKz42X\",\"name\":\"Insikt Group\",\"type\":\"Source\"},\"title\":\"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign\",\"url\":\"https://example.com/abc/def\",\"authors\":[]},\"fragment\":\"On March 27, 2025, Infoblox reported that the 
phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes\",\"language\":\"eng\",\"primary_entity\":null,\"analyst_note\":{\"id\":\"abcdef\",\"url\":{\"api\":\"https:\\/\\/api.recordedfuture.com\\/v2\\/analystnote\\/abcdef\",\"portal\":\"https:\\/\\/app.recordedfuture.com\\/portal\\/analyst-note\\/shared\\/true\\/doc:abcdef\"}}}" + "original": "{\"review\":{\"note\":\"note\",\"status_in_portal\":\"New\",\"assignee\":\"Mark\",\"status\":\"no-action\"},\"owner_organisation_details\":{\"organisations\":[{\"organisation_id\":\"uhash:abcd\",\"organisation_name\":\"Elastic-Example\"}],\"enterprise_id\":\"bd:abcd\",\"enterprise_name\":\"Elastic-Example\"},\"url\":{\"api\":\"https:\\/\\/api.recordedfuture.com\\/v3\\/alerts\\/abcd\",\"portal\":\"https:\\/\\/app.recordedfuture.com\\/live\\/sc\\/notification\\/?id=bcm\"},\"rule\":{\"use_case_deprecation\":{\"description\":null},\"name\":\"Analysis from Insikt Group\",\"id\":\"ABC123\",\"url\":{\"portal\":\"https:\\/\\/app.recordedfuture.com\\/live\\/sc\\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D\"}},\"id\":\"ABCD1234XYZ\",\"enriched_entities\":[],\"ai_insights\":{\"comment\":\"The Recorded Future AI requires more references in order to produce a 
summary.\",\"text\":\"Text summary\"},\"log\":{\"note_author\":null,\"note_date\":\"2025-03-31T04:03:56.425Z\",\"status_date\":\"2025-03-31T04:03:56.425Z\",\"triggered\":\"2025-02-27T04:03:56.425Z\",\"status_change_by\":\"john\"},\"triggered_by\":[],\"title\":\"Analysis from ABC Group - 1 reference\",\"type\":\"REFERENCE\",\"entities\":[{\"id\":\"ip:89.160.20.0/24\",\"name\":\"89.160.20.0/24\",\"type\":\"IpAddress\"},{\"id\":\"ABC12\",\"name\":\"Webmail\",\"type\":\"Product\"},{\"id\":\"url:https:\\/\\/carriertrucks.com\",\"name\":\"https:\\/\\/carriertrucks.com\",\"type\":\"URL\"}],\"document\":{\"source\":{\"id\":\"source:VKz42X\",\"name\":\"Insikt Group\",\"type\":\"Source\"},\"title\":\"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign\",\"url\":\"https://example.com/abc/def\",\"authors\":[]},\"fragment\":\"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. 
Client -side JavaScript further customizes\",\"language\":\"eng\",\"primary_entity\":{\"name\":\"Ransomware\",\"id\":\"J0Nl-p\",\"type\":\"MalwareCategory\"},\"analyst_note\":{\"id\":\"abcdef\",\"url\":{\"api\":\"https:\\/\\/api.recordedfuture.com\\/v2\\/analystnote\\/abcdef\",\"portal\":\"https:\\/\\/app.recordedfuture.com\\/portal\\/analyst-note\\/shared\\/true\\/doc:abcdef\"}}}" }, "message": "On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims’ email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands—including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google’s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes", "recordedfuture": { @@ -417,6 +417,11 @@ } ] }, + "primary_entity": { + "id": "J0Nl-p", + "name": "Ransomware", + "type": "MalwareCategory" + }, "review": { "assignee": "Mark", "note": "note", diff --git a/packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml b/packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml index 5bbf868a78d..56f4c99cbde 100644 --- a/packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml +++ b/packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml @@ -82,7 +82,14 @@ - name: organisation_name type: keyword - name: primary_entity - type: keyword + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: type + type: keyword - name: review type: group fields: 
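Review bot: Changing `primary_entity` from `type: keyword` to `type: group` is a field type change, not only an addition: backing indices created under 2.4.1 keep `recordedfuture.triggered_alert.primary_entity` mapped as keyword, so a data view that spans old and new indices will most likely report a type conflict on that field until the older indices age out. The changelog entry in this series records it as `type: bugfix`; if the package guidelines treat a mapping type change as breaking, `type: breaking-change` may be the more accurate label, or the description should at least mention the conflict. The three new sub-fields also carry no `description:`, which is why the README rows added for them in the next file section show an empty description column; one line each, e.g. `description: Identifier of the alert's primary entity.` under `- name: id`, would fill that in.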
diff --git a/packages/ti_recordedfuture/docs/README.md b/packages/ti_recordedfuture/docs/README.md
index 8c2a035510d..f2bb9a65cf4 100644
--- a/packages/ti_recordedfuture/docs/README.md
+++ b/packages/ti_recordedfuture/docs/README.md
@@ -435,7 +435,9 @@ An example event for `triggered_alert` looks as following:
 | recordedfuture.triggered_alert.owner_organisation_details.enterprise_name | | keyword |
 | recordedfuture.triggered_alert.owner_organisation_details.organisations.organisation_id | | keyword |
 | recordedfuture.triggered_alert.owner_organisation_details.organisations.organisation_name | | keyword |
-| recordedfuture.triggered_alert.primary_entity | | keyword |
+| recordedfuture.triggered_alert.primary_entity.id | | keyword |
+| recordedfuture.triggered_alert.primary_entity.name | | keyword |
+| recordedfuture.triggered_alert.primary_entity.type | | keyword |
 | recordedfuture.triggered_alert.review.assignee | | keyword |
 | recordedfuture.triggered_alert.review.note | | keyword |
 | recordedfuture.triggered_alert.review.status | | keyword |
diff --git a/packages/ti_recordedfuture/manifest.yml b/packages/ti_recordedfuture/manifest.yml
index e3457de60c6..650634de3d9 100644
--- a/packages/ti_recordedfuture/manifest.yml
+++ b/packages/ti_recordedfuture/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_recordedfuture
 title: Recorded Future
-version: "2.4.1"
+version: "2.4.2"
 description: Ingest threat intelligence and alert data from Recorded Future with Elastic Agent.
 type: integration
 format_version: 3.3.2
From 6c928718e996888ba7324a5e7c05be025a2919cb Mon Sep 17 00:00:00 2001
From: moxarth-rathod
Date: Fri, 10 Apr 2026 16:22:49 +0530
Subject: [PATCH 2/3] Add PR link to changelog
---
packages/ti_recordedfuture/changelog.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/ti_recordedfuture/changelog.yml b/packages/ti_recordedfuture/changelog.yml
index 8456508eee2..9f3a8e9d04c 100644
--- a/packages/ti_recordedfuture/changelog.yml
+++ b/packages/ti_recordedfuture/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Fix `primary_entity` mapping for the triggered alerts data stream by adding `primary_entity.id`, `primary_entity.name`, and `primary_entity.type` fields.
 type: bugfix
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/18325
 - version: "2.4.1"
 changes:
 - description: Remove duplicate security-solution-default tag references
From d761ffc61b66c579989e449de869bc38a63e031f Mon Sep 17 00:00:00 2001
From: moxarth-rathod
Date: Fri, 10 Apr 2026 17:58:05 +0530
Subject: [PATCH 3/3] Address PR comments
---
packages/ti_recordedfuture/changelog.yml | 2 +-
.../_dev/test/pipeline/test-triggered-alert.log | 2 +-
.../test/pipeline/test-triggered-alert.log-expected.json | 5 ++++-
.../data_stream/triggered_alert/fields/fields.yml | 5 ++++-
packages/ti_recordedfuture/docs/README.md | 2 +-
5 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/packages/ti_recordedfuture/changelog.yml b/packages/ti_recordedfuture/changelog.yml
index 9f3a8e9d04c..9bacf28bac9 100644
--- a/packages/ti_recordedfuture/changelog.yml
+++ b/packages/ti_recordedfuture/changelog.yml
@@ -1,7 +1,7 @@
 # newer versions go on top
 - version: "2.4.2"
 changes:
- - description: Fix `primary_entity` mapping for the triggered alerts data stream by adding `primary_entity.id`, `primary_entity.name`, and `primary_entity.type` fields.
+ - description: Fix `primary_entity` and `rule.use_case_deprecation` mapping for the triggered alerts data stream by adding `primary_entity.id`, `primary_entity.name`, `primary_entity.type` and `rule.use_case_deprecation.description` fields.
 type: bugfix
 link: https://github.com/elastic/integrations/pull/18325
 - version: "2.4.1"
diff --git a/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log b/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log
index dbd5d6f1c3f..5807d1508e1 100644
--- a/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log
+++ b/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log
@@ -1,4 +1,4 @@ {"review":{"note":"note","status_in_portal":"New","assignee":"John","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"uhash:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcd"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-03-31T04:03:56.425Z","status_change_by":"admin"},"triggered_by":[],"title":"Analysis from Insikt Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.156","name":"89.160.20.156","type":"IpAddress"},{"id":"YOvb","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. 
Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes","language":"eng","primary_entity":null,"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}} {"review":{"note":"note","status_in_portal":"In-Progress","assignee":"Admin","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"aa:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"aa:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=aad"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Diff Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-04-30T04:03:56.425Z","status_change_by":"mark"},"triggered_by":[],"title":"Analysis from Secret Group - 1 
reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.156","name":"89.160.20.156","type":"IpAddress"},{"id":"YOvb","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. 
Client -side JavaScript further customizes","language":"eng","primary_entity":null,"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}} {"review":{"note":"note","status_in_portal":"New","assignee":"Mark","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"bd:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcm"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-02-27T04:03:56.425Z","status_change_by":"john"},"triggered_by":[],"title":"Analysis from ABC Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.156","name":"89.160.20.156","type":"IpAddress"},{"id":"ABC12","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service 
(PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes","language":"eng","primary_entity":null,"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}} -{"review":{"note":"note","status_in_portal":"New","assignee":"Mark","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"bd:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcm"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text 
summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-02-27T04:03:56.425Z","status_change_by":"john"},"triggered_by":[],"title":"Analysis from ABC Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.0/24","name":"89.160.20.0/24","type":"IpAddress"},{"id":"ABC12","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. 
Client -side JavaScript further customizes","language":"eng","primary_entity":{"name":"Ransomware","id":"J0Nl-p","type":"MalwareCategory"},"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}} +{"review":{"note":"note","status_in_portal":"New","assignee":"Mark","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"bd:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcm"},"rule":{"use_case_deprecation":{"description":"test"},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-02-27T04:03:56.425Z","status_change_by":"john"},"triggered_by":[],"title":"Analysis from ABC Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.0/24","name":"89.160.20.0/24","type":"IpAddress"},{"id":"ABC12","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 
27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes","language":"eng","primary_entity":{"name":"Ransomware","id":"J0Nl-p","type":"MalwareCategory"},"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}} diff --git a/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log-expected.json b/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log-expected.json index 45fb7c77510..20b0f272272 100644 --- a/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log-expected.json +++ b/packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log-expected.json 
@@ -356,7 +356,7 @@ "event": { "id": "ABCD1234XYZ", "kind": "alert", - "original": "{\"review\":{\"note\":\"note\",\"status_in_portal\":\"New\",\"assignee\":\"Mark\",\"status\":\"no-action\"},\"owner_organisation_details\":{\"organisations\":[{\"organisation_id\":\"uhash:abcd\",\"organisation_name\":\"Elastic-Example\"}],\"enterprise_id\":\"bd:abcd\",\"enterprise_name\":\"Elastic-Example\"},\"url\":{\"api\":\"https:\\/\\/api.recordedfuture.com\\/v3\\/alerts\\/abcd\",\"portal\":\"https:\\/\\/app.recordedfuture.com\\/live\\/sc\\/notification\\/?id=bcm\"},\"rule\":{\"use_case_deprecation\":{\"description\":null},\"name\":\"Analysis from Insikt Group\",\"id\":\"ABC123\",\"url\":{\"portal\":\"https:\\/\\/app.recordedfuture.com\\/live\\/sc\\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D\"}},\"id\":\"ABCD1234XYZ\",\"enriched_entities\":[],\"ai_insights\":{\"comment\":\"The Recorded Future AI requires more references in order to produce a summary.\",\"text\":\"Text summary\"},\"log\":{\"note_author\":null,\"note_date\":\"2025-03-31T04:03:56.425Z\",\"status_date\":\"2025-03-31T04:03:56.425Z\",\"triggered\":\"2025-02-27T04:03:56.425Z\",\"status_change_by\":\"john\"},\"triggered_by\":[],\"title\":\"Analysis from ABC Group - 1 reference\",\"type\":\"REFERENCE\",\"entities\":[{\"id\":\"ip:89.160.20.0/24\",\"name\":\"89.160.20.0/24\",\"type\":\"IpAddress\"},{\"id\":\"ABC12\",\"name\":\"Webmail\",\"type\":\"Product\"},{\"id\":\"url:https:\\/\\/carriertrucks.com\",\"name\":\"https:\\/\\/carriertrucks.com\",\"type\":\"URL\"}],\"document\":{\"source\":{\"id\":\"source:VKz42X\",\"name\":\"Insikt Group\",\"type\":\"Source\"},\"title\":\"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign\",\"url\":\"https://example.com/abc/def\",\"authors\":[]},\"fragment\":\"On March 27, 2025, Infoblox reported that the 
phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes\",\"language\":\"eng\",\"primary_entity\":{\"name\":\"Ransomware\",\"id\":\"J0Nl-p\",\"type\":\"MalwareCategory\"},\"analyst_note\":{\"id\":\"abcdef\",\"url\":{\"api\":\"https:\\/\\/api.recordedfuture.com\\/v2\\/analystnote\\/abcdef\",\"portal\":\"https:\\/\\/app.recordedfuture.com\\/portal\\/analyst-note\\/shared\\/true\\/doc:abcdef\"}}}" + "original": "{\"review\":{\"note\":\"note\",\"status_in_portal\":\"New\",\"assignee\":\"Mark\",\"status\":\"no-action\"},\"owner_organisation_details\":{\"organisations\":[{\"organisation_id\":\"uhash:abcd\",\"organisation_name\":\"Elastic-Example\"}],\"enterprise_id\":\"bd:abcd\",\"enterprise_name\":\"Elastic-Example\"},\"url\":{\"api\":\"https:\\/\\/api.recordedfuture.com\\/v3\\/alerts\\/abcd\",\"portal\":\"https:\\/\\/app.recordedfuture.com\\/live\\/sc\\/notification\\/?id=bcm\"},\"rule\":{\"use_case_deprecation\":{\"description\":\"test\"},\"name\":\"Analysis from Insikt Group\",\"id\":\"ABC123\",\"url\":{\"portal\":\"https:\\/\\/app.recordedfuture.com\\/live\\/sc\\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D\"}},\"id\":\"ABCD1234XYZ\",\"enriched_entities\":[],\"ai_insights\":{\"comment\":\"The 
Recorded Future AI requires more references in order to produce a summary.\",\"text\":\"Text summary\"},\"log\":{\"note_author\":null,\"note_date\":\"2025-03-31T04:03:56.425Z\",\"status_date\":\"2025-03-31T04:03:56.425Z\",\"triggered\":\"2025-02-27T04:03:56.425Z\",\"status_change_by\":\"john\"},\"triggered_by\":[],\"title\":\"Analysis from ABC Group - 1 reference\",\"type\":\"REFERENCE\",\"entities\":[{\"id\":\"ip:89.160.20.0/24\",\"name\":\"89.160.20.0/24\",\"type\":\"IpAddress\"},{\"id\":\"ABC12\",\"name\":\"Webmail\",\"type\":\"Product\"},{\"id\":\"url:https:\\/\\/carriertrucks.com\",\"name\":\"https:\\/\\/carriertrucks.com\",\"type\":\"URL\"}],\"document\":{\"source\":{\"id\":\"source:VKz42X\",\"name\":\"Insikt Group\",\"type\":\"Source\"},\"title\":\"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign\",\"url\":\"https://example.com/abc/def\",\"authors\":[]},\"fragment\":\"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\\u2019 email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. 
Client -side JavaScript further customizes\",\"language\":\"eng\",\"primary_entity\":{\"name\":\"Ransomware\",\"id\":\"J0Nl-p\",\"type\":\"MalwareCategory\"},\"analyst_note\":{\"id\":\"abcdef\",\"url\":{\"api\":\"https:\\/\\/api.recordedfuture.com\\/v2\\/analystnote\\/abcdef\",\"portal\":\"https:\\/\\/app.recordedfuture.com\\/portal\\/analyst-note\\/shared\\/true\\/doc:abcdef\"}}}" }, "message": "On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims’ email providers. Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands—including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google’s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes", "recordedfuture": { @@ -433,6 +433,9 @@ "name": "Analysis from Insikt Group", "url": { "portal": "https://app.recordedfuture.com/live/sc/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D" + }, + "use_case_deprecation": { + "description": "test" } }, "title": "Analysis from ABC Group - 1 reference", diff --git a/packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml b/packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml index 56f4c99cbde..a5d2b7d02ac 100644 --- a/packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml +++ b/packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml 
@@ -114,7 +114,10 @@ - name: portal type: keyword - name: use_case_deprecation - type: keyword + type: group + fields: + - name: description + type: keyword - name: title type: keyword - name: type diff --git a/packages/ti_recordedfuture/docs/README.md b/packages/ti_recordedfuture/docs/README.md index f2bb9a65cf4..55bed84857c 100644 --- a/packages/ti_recordedfuture/docs/README.md +++ b/packages/ti_recordedfuture/docs/README.md @@ -445,7 +445,7 @@ An example event for `triggered_alert` looks as following: | recordedfuture.triggered_alert.rule.id | | keyword | | recordedfuture.triggered_alert.rule.name | | keyword | | recordedfuture.triggered_alert.rule.url.portal | | keyword | -| recordedfuture.triggered_alert.rule.use_case_deprecation | | keyword | +| recordedfuture.triggered_alert.rule.use_case_deprecation.description | | keyword | | recordedfuture.triggered_alert.title | | keyword | | recordedfuture.triggered_alert.type | | keyword | | recordedfuture.triggered_alert.url.api | | keyword |
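Review bot: Changing `use_case_deprecation` from `type: keyword` to `type: group` in this fields.yml hunk is a keyword-to-object mapping change, which existing backing indices of the triggered_alert data stream cannot absorb in place, so the 2.4.2 upgrade should be verified to roll the data stream over rather than leaving the first alert with a non-null `description` to be rejected against the old mapping; the changelog entry would be the place to say so. The new `description` sub-field also has no `description:` of its own, which is why the README row in the same patch shows an empty description column; under `- name: description` add something like `description: Text of the deprecation notice attached to the alert rule's use case, when Recorded Future supplies one (null in the fixtures otherwise).`. The fixtures only establish that the value is a string or null, so anything more specific about its meaning should be confirmed against the Recorded Future alert API documentation before it is written into the field description.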