
[ti_misp] - Fix silent loss of URL indicators when uri_parts parsing fails #18651

Merged
ShourieG merged 3 commits into elastic:main from ShourieG:bugfix/ti_misp
Apr 28, 2026

@ShourieG
Contributor

Type of change

  • Bug

Proposed commit message

packages/ti_misp: Fix silent loss of URL indicators when uri_parts parsing fails

When misp.attribute.type is "url" and the value cannot be parsed by the
uri_parts processor (e.g. defanged URLs like hxxp://), the processor
silently fails due to ignore_failure: true. This leaves
threat.indicator.url.full and threat.indicator.url.original unset, and
the cleanup step then removes misp.attribute.value, resulting in the URL
being lost entirely from the document.

Add fallback set processors to both threat_attributes and threat
pipelines that copy misp.attribute.value directly into
threat.indicator.url.full and threat.indicator.url.original when
uri_parts fails to populate them.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices


@ShourieG ShourieG self-assigned this Apr 27, 2026
@ShourieG ShourieG added the Integration:ti_misp (MISP) and bugfix (Pull request that fixes a bug issue) labels Apr 27, 2026
@ShourieG ShourieG requested a review from a team as a code owner April 27, 2026 10:03
@ShourieG ShourieG added the Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]) and Team:Security-Cloud Services (Security Data Experience - Cloud Services team [elastic/cloud-services]) labels Apr 27, 2026
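
The failure mode and fallback described in the proposed commit message, as an added sketch of an ingest pipeline fragment. This is not the merged ti_misp pipeline: the processor order, the `target_field`, and the `if` conditions are assumptions; only the field names come from the description above.

```yaml
# Constructed example, not the project's own pipeline code.
processors:
  # Step 1: parse URL-type attributes. Because of ignore_failure: true,
  # a value that uri_parts rejects raises no error and writes nothing
  # under threat.indicator.url, so the failure is invisible downstream.
  - uri_parts:
      field: misp.attribute.value
      target_field: threat.indicator.url   # assumed target
      keep_original: true
      remove_if_successful: false
      ignore_failure: true
      if: "ctx.misp?.attribute?.type == 'url'"

  # Step 2 (fallback): if either field is still missing after step 1,
  # copy the raw attribute value into it so the indicator is not lost.
  - set:
      field: threat.indicator.url.full
      copy_from: misp.attribute.value
      if: "ctx.misp?.attribute?.type == 'url' && ctx.threat?.indicator?.url?.full == null"
  - set:
      field: threat.indicator.url.original
      copy_from: misp.attribute.value
      if: "ctx.misp?.attribute?.type == 'url' && ctx.threat?.indicator?.url?.original == null"

  # Step 3: cleanup. Without step 2 this removal deletes the only
  # remaining copy of a URL that failed to parse.
  - remove:
      field: misp.attribute.value
      ignore_missing: true
```

A fragment like this can be checked with the Elasticsearch simulate pipeline API by submitting one document whose value parses and one whose value does not, then confirming both keep `threat.indicator.url.full` and `threat.indicator.url.original`.
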
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Comment thread packages/ti_misp/changelog.yml Outdated
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @ShourieG

@ShourieG ShourieG merged commit ec2adfe into elastic:main Apr 28, 2026
9 checks passed
@elastic-vault-github-plugin-prod

Package ti_misp - 1.41.4 containing this change is available at https://epr.elastic.co/package/ti_misp/1.41.4/

@ShourieG ShourieG deleted the bugfix/ti_misp branch April 29, 2026 11:10
3 participants