[ti_recordedfuture] Fix the parsing of providers info from evidence fields #8350

Merged
5 changes: 5 additions & 0 deletions packages/ti_recordedfuture/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.18.1"
changes:
- description: Fix the parse of providers information.
type: bugfix
link: https://github.com/elastic/integrations/pull/8350
- version: "1.18.0"
changes:
- description: Improve 'event.original' check to avoid errors if set.
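Review bot: the description on the new `1.18.1` entry, `Fix the parse of providers information.`, is ungrammatical and vaguer than the PR title; suggest `Fix the parsing of provider information from evidence fields.` so a reader of the changelog can tell which field the bug affected without opening the PR. The `bugfix` type and the link to #8350 are correct.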
@@ -38,3 +38,4 @@
{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"24 sightings on 9 sources including: Malware News - Malware Analysis, News and Indicators, microsoft.com, sociabble.com, 4-traders.com, MarketScreener.com | Stock Market News. Most recent link (Aug 13, 2021): https://www.marketscreener.com/quote/stock/MICROSOFT-CORPORATION-4835/news/Microsoft-Attackers-use-Morse-code-other-encryption-methods-in-evasive-phishing-campaign-36161110/?utm_medium=RSS&utm_content=20210813\", \"Sources\": [\"gBDK5G\", \"idn:microsoft.com\", \"idn:sociabble.com\", \"KBTQ2e\", \"dCotni\", \"g9rk5F\", \"Z7kln5\", \"idn:cda.ms\", \"idn:thewindowsupdate.com\"], \"Timestamp\": \"2021-08-13T17:03:19.000Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Malware Distribution\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Aug 13, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-08-13T00:00:00.000Z\", \"Name\": \"malwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Reported by Insikt Group\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Insikt Group. 1 report: Microsoft Warns of Attacks Targeting Microsoft Office 365 Users. Most recent link (Aug 12, 2021): https://app.recordedfuture.com/live/sc/4BBhpn1ApBQR\", \"Sources\": [\"VKz42X\"], \"Timestamp\": \"2021-08-12T00:00:00.000Z\", \"Name\": \"recentAnalystNote\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "http://coollab.jp/dir/root/p/09908.js", "Risk": "75", "RiskString": "3/24"}
{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"23 sightings on 9 sources including: The Official Google Blog, eccouncil.org, frsecure.com, SoyaCincau, PasteBin. Most recent tweet: Actor controlled sites and accounts Research Blog https://blog.br0vvnn[.]io. Most recent link (Jan 27, 2021): https://twitter.com/techn0m4nc3r/statuses/1354296736357953539\", \"Sources\": [\"Gzt\", \"idn:eccouncil.org\", \"idn:frsecure.com\", \"J-8-Nr\", \"Jv_xrR\", \"g9rk5F\", \"cUg0pv\", \"K5LKj8\", \"fVAueu\"], \"Timestamp\": \"2021-01-27T05:14:38.000Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Historically Detected Phishing Techniques\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on May 30, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-05-30T00:00:00.000Z\", \"Name\": \"phishingSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Reported by Insikt Group\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Insikt Group. 1 report: Google Warns of Ongoing Attacks Targeting Security Researchers. Most recent link (Jan 25, 2021): https://app.recordedfuture.com/live/sc/5QCqZ2ZH4lwc\", \"Sources\": [\"VKz42X\"], \"Timestamp\": \"2021-01-25T00:00:00.000Z\", \"Name\": \"recentAnalystNote\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "https://blog.br0vvnn.io", "Risk": "75", "RiskString": "3/24"}
{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"24 sightings on 10 sources including: lnkd.in, digitalforensicsmagazineblog PH, mediosdemexico.com, Palo Alto Networks, Security Art Work. Most recent link (Mar 4, 2016): https://lnkd.in/egi-nMa\", \"Sources\": [\"idn:lnkd.in\", \"JNe6Gc\", \"idn:mediosdemexico.com\", \"JwO7jp\", \"LCN_6T\", \"KA0p6S\", \"LErKlN\", \"jjf3_B\", \"KE9Xit\", \"J4bouj\"], \"Timestamp\": \"2016-03-04T14:33:36.543Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Detected Malware Distribution\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 27, 2021.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-12-27T00:00:00.000Z\", \"Name\": \"recentMalwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "http://init.icloud-analysis.com", "Risk": "75", "RiskString": "2/24"}
{"EvidenceDetails": "{\"EvidenceDetails\": [{\"Rule\": \"Historically Reported as a Defanged URL\", \"CriticalityLabel\": \"Unusual\", \"EvidenceString\": \"Test evidence string with no providers included\", \"Sources\": [\"idn:lnkd.in\", \"JNe6Gc\", \"idn:mediosdemexico.com\", \"JwO7jp\", \"LCN_6T\", \"KA0p6S\", \"LErKlN\", \"jjf3_B\", \"KE9Xit\", \"J4bouj\"], \"Timestamp\": \"2016-03-04T14:33:36.543Z\", \"Name\": \"defangedURL\", \"MitigationString\": \"\", \"Criticality\": 1.0}, {\"Rule\": \"Recently Detected Malware Distribution\", \"CriticalityLabel\": \"Malicious\", \"EvidenceString\": \"From DNS resolution data collected by Recorded Future: Recently resolved to 7 Suspicious IP Addresses including 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.5.\", \"Sources\": [\"d3Awkm\"], \"Timestamp\": \"2021-12-27T00:00:00.000Z\", \"Name\": \"recentMalwareSiteDetected\", \"MitigationString\": \"\", \"Criticality\": 3.0}]}", "Name": "http://init.icloud-analysis.com", "Risk": "75", "RiskString": "2/24"}
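Review bot: the added event on the last line reuses the `Name` (`http://init.icloud-analysis.com`), `Risk` (`75`) and `RiskString` (`2/24`) of the line above it, so the two resulting documents differ only in their `EvidenceString` values and a regression in either one is hard to attribute from the expected-output diff; suggest an obviously synthetic name for the new sample (for example `http://example.invalid/no-providers`). The two evidence strings it carries are the useful part: `Test evidence string with no providers included` has no `N sightings on M sources including:` prefix at all, and `Recently resolved to 7 Suspicious IP Addresses including 192.168.0.1, ...` has the word `including` followed by IP addresses rather than source names, so both are negative cases for the provider parsing this PR fixes. Please also confirm the matching expected-output file was regenerated for the extra event, since it is not rendered in this view.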
