[TI_MISP] Add support for EnforceWarningList filter parameter #8475
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
LGTM
This seems to go against their docs and spec, are you sure this is not only the case when applied as a URL query parameter?
Also, their logic is this:
I wonder if this is only when it's part of URL parameters? Their OpenAPI Spec says different: Maybe they also support both. Either way I added the change, as it's what you already used.
Let's go with the legacy option, until it doesn't work anymore 👍
Package ti_misp - 1.26.0 containing this change is available at https://epr.elastic.co/search?package=ti_misp
Proposed commit message
EnforceWarningList is a request body parameter that is used in the MISP API to filter out values that are believed to be false positives, as documented here: https://www.circl.lu/doc/misp/warninglists/#misp-warning-lists-introduction-the-dilemma-of-false-positive
SPEC: https://raw.githubusercontent.com/MISP/MISP/develop/app/webroot/doc/openapi.yaml
Instead of setting this to true or false in the .yml.hbs file, I decided to only actually set it once it's true, in case older versions of MISP do not support this parameter. The default value is also false, to not change any behavior by default when upgrading.
Checklist
changelog.yml
file.