-
Notifications
You must be signed in to change notification settings - Fork 392
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Rapid7] Initial Release for the Rapid7 #4904
Conversation
💚 CLA has been signed |
👍 |
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
@rajvi-crest can you confirm which Rapid7 product this integration relates to? I'm guessing Threat Command? I'd recommend adjusting the name of the integration to include the product name. We're about to work on an InsightVM integration too, and want to ensure there's no confusion. If the integration is focused on Threat Intel, we should also consider populating the log-ti-* data stream, to ensure the IOCs can be leveraged by out out-of-the-box threat intel capabilities. |
Yes @jamiehynds, This integration package is created for the Rapid7 Threat Command product which collects I understand your concern regarding the package name and we are planning to change ti_rapid7 with the ti_rapid7_threat_command. What do you think? We will also change the README and titles with the same wherever applicable. This integration package is intended to collect threat intel data and will store collected data to the We will accommodate all the suggested changes once the entire PR gets reviewed by the team. I hope that would be fine. |
/test |
🌐 Coverage report
|
|
||
## Overview | ||
|
||
The [Rapid7](https://www.rapid7.com/) integration allows users to retrieve `IOCs (Indicator of Compromises)`, organization-specific `Threat Command alerts`, and `CVEs (Common Vulnerabilities and Exposures)`. Furthermore, the correlation between data collected from the Rapid7 platform (IOCs and CVEs) and the user's environment helps to identify threats. Rapid7 platform gives protectors the tools and clarity they need to assess their attack surface, detect suspicious behavior, and respond and remediate quickly with intelligent automation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ISTM that the items here that are code formatted
should probably rather be either bold or italic.
Also some (but not all) below.
packages/ti_rapid7/_dev/deploy/docker/transform/ti_rapid7_ioc_rule_transform/fields/ecs.yml
Outdated
Show resolved
Hide resolved
...rapid7/_dev/deploy/docker/transform/ti_rapid7_unique_cve_transform/fields/overridden-ecs.yml
Outdated
Show resolved
Hide resolved
dynamic_fields: | ||
event.ingested: ".*" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not needed, we don't add event.ingested
in the pipeline.
if: ctx.json?.type == 'Urls' | ||
- script: | ||
lang: painless | ||
if: ctx.json.type != null |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if: ctx.json.type != null | |
if: ctx.json?.type != null |
dynamic_fields: | ||
event.ingested: ".*" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Delete
target_field: json | ||
ignore_failure: true | ||
- drop: | ||
if: ctx.json?.content != null && ctx.json?.content?.isEmpty() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if: ctx.json?.content != null && ctx.json?.content?.isEmpty() | |
if: ctx.json?.content != null && ctx.json.content.isEmpty() |
- set: | ||
field: '@timestamp' | ||
copy_from: rapid7.vulnerability.update_date | ||
on_failure: | ||
- set: | ||
field: '@timestamp' | ||
copy_from: _ingest.timestamp |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move this up.
packages/ti_rapid7/data_stream/vulnerability/fields/overridden-ecs.yml
Outdated
Show resolved
Hide resolved
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please separate into different commits wholesale renames from line based changes to ease review follow-ups, less important but also helpful if you can separate large scale ~mechanical changes into their own commit (for example the rapid7 -> rapid7.tc changes).
@@ -1,4 +1,4 @@ | |||
- name: rapid7.vulnerability | |||
- name: rapid7.tc.vulnerability |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this sub-namespaced rather than rapid7_tc.vulnerability
or rapid7_threat_command.vulnerability
? (similar throughout)
Will there be future rapid7 packages that are not "Threat Command"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the elastic security team is currently working on the InsightVM Integration of Rapid7 as @jamiehynds mentioned here. So we thought to keep the field name as rapid7.tc.vulnerability because both products are of Rapid7 and we can differentiate the field name between their products. Let me know your thoughts on this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, OK. Thanks.
.github/CODEOWNERS
Outdated
@@ -185,6 +185,7 @@ | |||
/packages/ti_cybersixgill @elastic/security-external-integrations | |||
/packages/ti_misp @elastic/security-external-integrations | |||
/packages/ti_otx @elastic/security-external-integrations | |||
/packages/ti_rapid7 @elastic/security-external-integrations |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/packages/ti_rapid7 @elastic/security-external-integrations | |
/packages/ti_rapid7_threat_command @elastic/security-external-integrations |
Sure @efd6, I see there are only name changes in the fields are the major ones and a few minor changes along with this existing commit. Let me know if you still want to split the existing commit. But definitely going forwards we'll keep this in mind and keep the different code changes in different commits for making the review process easy . |
No need to split what is done here, I was just thinking for the future. Thank you. |
/test |
@efd6, We have addressed all the review comments. Hence, can you please approve and merge this PR? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks
Package ti_rapid7_threat_command - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=ti_rapid7_threat_command |
What does this PR do?
Integration release checklist
This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.
All changes
New Package
Dashboards changes
Log dataset changes
How to test this PR locally
Screenshots