Merged
5 changes: 5 additions & 0 deletions packages/ti_recordedfuture/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.4.2"
changes:
- description: Fix `primary_entity` and `rule.use_case_deprecation` mapping for the triggered alerts data stream by adding `primary_entity.id`, `primary_entity.name`, `primary_entity.type` and `rule.use_case_deprecation.description` fields.
type: bugfix
link: https://github.com/elastic/integrations/pull/18325
- version: "2.4.1"
changes:
- description: Remove duplicate security-solution-default tag references
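Review bot: The `description` of the 2.4.2 entry says the mapping is fixed by adding four fields but does not name the symptom users saw before the fix, so a reader cannot tell whether already-ingested triggered alerts are affected. Consider adding a short clause that states what failed for `primary_entity` and `rule.use_case_deprecation` before this version; the `type: bugfix` and the patch-level bump are otherwise consistent with the entry.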
@@ -1,4 +1,4 @@
{"review":{"note":"note","status_in_portal":"New","assignee":"John","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"uhash:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcd"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-03-31T04:03:56.425Z","status_change_by":"admin"},"triggered_by":[],"title":"Analysis from Insikt Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.156","name":"89.160.20.156","type":"IpAddress"},{"id":"YOvb","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. 
Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes","language":"eng","primary_entity":null,"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}}
{"review":{"note":"note","status_in_portal":"In-Progress","assignee":"Admin","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"aa:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"aa:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=aad"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Diff Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-04-30T04:03:56.425Z","status_change_by":"mark"},"triggered_by":[],"title":"Analysis from Secret Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.156","name":"89.160.20.156","type":"IpAddress"},{"id":"YOvb","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. 
Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes","language":"eng","primary_entity":null,"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}}
{"review":{"note":"note","status_in_portal":"New","assignee":"Mark","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"bd:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcm"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-02-27T04:03:56.425Z","status_change_by":"john"},"triggered_by":[],"title":"Analysis from ABC Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.156","name":"89.160.20.156","type":"IpAddress"},{"id":"ABC12","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. 
Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes","language":"eng","primary_entity":null,"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}}
{"review":{"note":"note","status_in_portal":"New","assignee":"Mark","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"bd:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcm"},"rule":{"use_case_deprecation":{"description":null},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-02-27T04:03:56.425Z","status_change_by":"john"},"triggered_by":[],"title":"Analysis from ABC Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.0/24","name":"89.160.20.0/24","type":"IpAddress"},{"id":"ABC12","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. 
Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes","language":"eng","primary_entity":null,"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}}
{"review":{"note":"note","status_in_portal":"New","assignee":"Mark","status":"no-action"},"owner_organisation_details":{"organisations":[{"organisation_id":"uhash:abcd","organisation_name":"Elastic-Example"}],"enterprise_id":"bd:abcd","enterprise_name":"Elastic-Example"},"url":{"api":"https:\/\/api.recordedfuture.com\/v3\/alerts\/abcd","portal":"https:\/\/app.recordedfuture.com\/live\/sc\/notification\/?id=bcm"},"rule":{"use_case_deprecation":{"description":"test"},"name":"Analysis from Insikt Group","id":"ABC123","url":{"portal":"https:\/\/app.recordedfuture.com\/live\/sc\/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%abcd%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Analysis+from+Insikt+Group%22%7D"}},"id":"ABCD1234XYZ","enriched_entities":[],"ai_insights":{"comment":"The Recorded Future AI requires more references in order to produce a summary.","text":"Text summary"},"log":{"note_author":null,"note_date":"2025-03-31T04:03:56.425Z","status_date":"2025-03-31T04:03:56.425Z","triggered":"2025-02-27T04:03:56.425Z","status_change_by":"john"},"triggered_by":[],"title":"Analysis from ABC Group - 1 reference","type":"REFERENCE","entities":[{"id":"ip:89.160.20.0/24","name":"89.160.20.0/24","type":"IpAddress"},{"id":"ABC12","name":"Webmail","type":"Product"},{"id":"url:https:\/\/carriertrucks.com","name":"https:\/\/carriertrucks.com","type":"URL"}],"document":{"source":{"id":"source:VKz42X","name":"Insikt Group","type":"Source"},"title":"Morphing Meerkat PhaaS Platform Uses DNS MX Records and DoH Protocol to Deliver Targeted Phishing Campaign","url":"https://example.com/abc/def","authors":[]},"fragment":"On March 27, 2025, Infoblox reported that the phishing-as-a-service (PhaaS) platform Morphing Meerkat uses DNS MX records and DNS-over-HTTPS (DoH) queries to deliver phishing pages tailored to victims\u2019 email providers. 
Threat actors initiate campaigns using spoofed spam emails impersonating over 100 brands\u2014including financial software providers. Embedded malicious links redirect users via compromised WordPress sites, public file-sharing platforms, or open redirect flaws on trusted domains like Google\u2019s DoubleClick. The phishing kits dynamically serve one of over 114 localized HTML templates by mapping MX responses to specific login pages, defaulting to generic Webmail or Roundcube pages when unrecognized. Client -side JavaScript further customizes","language":"eng","primary_entity":{"name":"Ransomware","id":"J0Nl-p","type":"MalwareCategory"},"analyst_note":{"id":"abcdef","url":{"api":"https:\/\/api.recordedfuture.com\/v2\/analystnote\/abcdef","portal":"https:\/\/app.recordedfuture.com\/portal\/analyst-note\/shared\/true\/doc:abcdef"}}}
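Review bot: The only event with non-null values is the last one, where `rule.use_case_deprecation.description` is "test" and `primary_entity` is a `MalwareCategory` object, and the `@@ -1,4 +1,4 @@` header shows the file still holds four events, so the populated case replaces an existing event instead of being added beside it. Both new mappings are therefore exercised only together and only once; consider appending separate events, one with just `primary_entity` populated and one with just the deprecation description, so a regression in either mapping shows up on its own in the expected output.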