[ti_maltiverse] Add new Maltiverse threat intelligence integration #6741
Conversation
|
💚 CLA has been signed |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
|
/cla |
1 similar comment
|
/cla |
andrewkroh
changed the title
andrewkroh
added
Integration:ti_maltiverse
|
/test |
packages/ti_maltiverse/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/ti_maltiverse/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
| fields: ["threat.indicator"] | ||
| - set: | ||
| field: _id | ||
| value: "{{ event.id }}" |
There was a problem hiding this comment.
Add if: ctx.event?.id != null. Also please verify this in one of the document in Kibana
packages/ti_maltiverse/data_stream/indicator/_dev/test/system/test-default-config.yml
Show resolved
Hide resolved
|
Also the CI is failing on tests because tests are not run after the changes are made. So, once you are done with above changes, please run: and then |
|
/test |
|
Hey @jlopezzarza The pipeline tests are failing. Are they successful on your end? If so, I think maybe some files are missing to be committed. |
|
/test |
This reverts commit 8d02aae.
|
/test |
|
Hey @jlopezzarza Tests are now successful. There's field conflicts between source and destination (latest) indices. It seems like a bug in To fix the issue, we will need to define their types explicitly. Please follow below steps to fix the mapping issue:
|
| - name: input.type | ||
| type: keyword | ||
| description: Input type. | ||
| - name: data_stream.type | ||
| type: constant_keyword | ||
| description: Data stream type. | ||
| - name: data_stream.dataset | ||
| type: constant_keyword | ||
| description: Data stream dataset. | ||
| - name: data_stream.namespace | ||
| type: constant_keyword | ||
| description: Data stream namespace. | ||
| - name: '@timestamp' | ||
| type: date | ||
| description: Event timestamp. |
There was a problem hiding this comment.
You will need to keep these above fields. Its just the fields defined as external are what needs to be replaced with full definition.
| - description: |- | ||
| Custom key/value pairs. | ||
| Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. | ||
| Example: `docker` and `k8s` labels. | ||
| name: labels | ||
| type: object |
There was a problem hiding this comment.
You can remove labels field since its not going to be present in the destination index.
|
/test |
1 similar comment
|
/test |
|
Package ti_maltiverse - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=ti_maltiverse |
What does this PR do?
Add Maltiverse as a source of data for Elastic Intelligence
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
The changes can be tested in a local environment by adding the new integration to the stack. You will need to register in Maltiverse to generate an API key in order to request data.
Related issues
Screenshots