[Rapid7] Initial Release for the Rapid7 #4904
Conversation
|
💚 CLA has been signed |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
|
👍 |
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
|
@rajvi-crest can you confirm which Rapid7 product this integration relates to? I'm guessing Threat Command? I'd recommend adjusting the name of the integration to include the product name. We're about to work on an InsightVM integration too, and want to ensure there's no confusion. If the integration is focused on Threat Intel, we should also consider populating the log-ti-* data stream, to ensure the IOCs can be leveraged by out out-of-the-box threat intel capabilities. |
Yes @jamiehynds, This integration package is created for the Rapid7 Threat Command product which collects I understand your concern regarding the package name and we are planning to change ti_rapid7 with the ti_rapid7_threat_command. What do you think? We will also change the README and titles with the same wherever applicable. This integration package is intended to collect threat intel data and will store collected data to the We will accommodate all the suggested changes once the entire PR gets reviewed by the team. I hope that would be fine. |
|
/test |
🌐 Coverage report
|
|
|
||
| ## Overview | ||
|
|
||
| The [Rapid7](https://www.rapid7.com/) integration allows users to retrieve `IOCs (Indicator of Compromises)`, organization-specific `Threat Command alerts`, and `CVEs (Common Vulnerabilities and Exposures)`. Furthermore, the correlation between data collected from the Rapid7 platform (IOCs and CVEs) and the user's environment helps to identify threats. Rapid7 platform gives protectors the tools and clarity they need to assess their attack surface, detect suspicious behavior, and respond and remediate quickly with intelligent automation. |
There was a problem hiding this comment.
ISTM that the items here that are code formatted should probably rather be either bold or italic.
Also some (but not all) below.
packages/ti_rapid7/_dev/deploy/docker/transform/ti_rapid7_ioc_rule_transform/fields/ecs.yml
Outdated
Show resolved
Hide resolved
...rapid7/_dev/deploy/docker/transform/ti_rapid7_unique_cve_transform/fields/overridden-ecs.yml
Outdated
Show resolved
Hide resolved
| dynamic_fields: | ||
| event.ingested: ".*" |
There was a problem hiding this comment.
This is not needed, we don't add event.ingested in the pipeline.
| if: ctx.json?.type == 'Urls' | ||
| - script: | ||
| lang: painless | ||
| if: ctx.json.type != null |
There was a problem hiding this comment.
| if: ctx.json.type != null | |
| if: ctx.json?.type != null |
| dynamic_fields: | ||
| event.ingested: ".*" |
| target_field: json | ||
| ignore_failure: true | ||
| - drop: | ||
| if: ctx.json?.content != null && ctx.json?.content?.isEmpty() |
There was a problem hiding this comment.
| if: ctx.json?.content != null && ctx.json?.content?.isEmpty() | |
| if: ctx.json?.content != null && ctx.json.content.isEmpty() |
| - set: | ||
| field: '@timestamp' | ||
| copy_from: rapid7.vulnerability.update_date | ||
| on_failure: | ||
| - set: | ||
| field: '@timestamp' | ||
| copy_from: _ingest.timestamp |
packages/ti_rapid7/data_stream/vulnerability/fields/overridden-ecs.yml
Outdated
Show resolved
Hide resolved
|
/test |
There was a problem hiding this comment.
Please separate into different commits wholesale renames from line based changes to ease review follow-ups, less important but also helpful if you can separate large scale ~mechanical changes into their own commit (for example the rapid7 -> rapid7.tc changes).
| @@ -1,4 +1,4 @@ | |||
| - name: rapid7.vulnerability | |||
| - name: rapid7.tc.vulnerability | |||
There was a problem hiding this comment.
Why is this sub-namespaced rather than rapid7_tc.vulnerability or rapid7_threat_command.vulnerability? (similar throughout)
Will there be future rapid7 packages that are not "Threat Command"?
There was a problem hiding this comment.
Yes, the elastic security team is currently working on the InsightVM Integration of Rapid7 as @jamiehynds mentioned here. So we thought to keep the field name as rapid7.tc.vulnerability because both products are of Rapid7 and we can differentiate the field name between their products. Let me know your thoughts on this.
.github/CODEOWNERS
Outdated
| @@ -185,6 +185,7 @@ | |||
| /packages/ti_cybersixgill @elastic/security-external-integrations | |||
| /packages/ti_misp @elastic/security-external-integrations | |||
| /packages/ti_otx @elastic/security-external-integrations | |||
| /packages/ti_rapid7 @elastic/security-external-integrations | |||
There was a problem hiding this comment.
| /packages/ti_rapid7 @elastic/security-external-integrations | |
| /packages/ti_rapid7_threat_command @elastic/security-external-integrations |
Sure @efd6, I see there are only name changes in the fields are the major ones and a few minor changes along with this existing commit. Let me know if you still want to split the existing commit. But definitely going forwards we'll keep this in mind and keep the different code changes in different commits for making the review process easy . |
|
No need to split what is done here, I was just thinking for the future. Thank you. |
|
/test |
|
@efd6, We have addressed all the review comments. Hence, can you please approve and merge this PR? |
|
Package ti_rapid7_threat_command - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=ti_rapid7_threat_command |
What does this PR do?
Integration release checklist
This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.
All changes
New Package
Dashboards changes
Log dataset changes
How to test this PR locally
Screenshots