
[TI_MISP] Add support for EnforceWarningList filter parameter #8475

Merged
merged 3 commits into from
Nov 13, 2023

Conversation

P1llus
Member

@P1llus P1llus commented Nov 13, 2023

Proposed commit message

EnforceWarningList is a request body parameter that is used in the MISP API to filter out values that are believed to be false positives, as documented here: https://www.circl.lu/doc/misp/warninglists/#misp-warning-lists-introduction-the-dilemma-of-false-positive

SPEC: https://raw.githubusercontent.com/MISP/MISP/develop/app/webroot/doc/openapi.yaml

Instead of setting this to true or false in the .yml.hbs file, I decided to only set it once it's true, in case older versions of MISP do not support this parameter. The default value is also false, so as not to change any behavior by default when upgrading.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine

elasticmachine commented Nov 13, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-11-13T12:52:50.151+0000

  • Duration: 65 min 16 sec

Test stats 🧪

Test Results
Failed 0
Passed 15
Skipped 0
Total 15


@elasticmachine

elasticmachine commented Nov 13, 2023

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (2/2) 💚
Files 100.0% (2/2) 💚
Classes 100.0% (2/2) 💚
Methods 100.0% (30/30) 💚
Lines 86.831% (633/729) 👎 -5.127
Conditionals 100.0% (0/0) 💚

@LaZyDK
Contributor

LaZyDK commented Nov 13, 2023

enforceWarninglist should be set to "1".

@chemamartinez
Contributor

chemamartinez left a comment

LGTM

@P1llus
Member Author

P1llus commented Nov 13, 2023

> enforceWarninglist should be set to "1".

This seems to go against their docs and spec. Are you sure this is not only the case when it is applied as a URL query parameter?

@LaZyDK
Contributor

LaZyDK commented Nov 13, 2023

It is an integer :) https://github.com/MISP/MISP/blob/c15c88ed75de4c5d26388078958691b0b9a97611/docs/API_Doc.md?plain=1#L117

Also, their logic is this:
'enforceWarninglist' => !empty($filters['enforceWarninglist']) ? $filters['enforceWarninglist'] : 0,
https://github.com/MISP/MISP/blob/c15c88ed75de4c5d26388078958691b0b9a97611/app/Model/Attribute.php#L2879
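The two behaviours discussed so far, the client only emitting `enforceWarninglist` when it is enabled (the PR description) and the server resolving it through PHP's `!empty()` (the Attribute.php line quoted above), as an added Python example. This is not code from the ti_misp package or from MISP; the helper names, the `php_empty` emulation and the sample filter values are constructed here for illustration.

```python
"""Added example (not from the elastic/integrations ti_misp package or MISP):
how a client should emit the enforceWarninglist filter, and how the MISP
server resolves it, following the two code paths discussed in this thread."""
import json


def build_request_body(filters: dict, enforce_warninglist: bool = False) -> dict:
    """Client side (mirrors the PR's described .yml.hbs behaviour): copy the
    caller's filters and add enforceWarninglist only when the option is
    enabled, so a MISP server that predates the parameter never receives an
    unknown key. The value is the integer 1, the legacy form the thread
    settled on. Helper name is an assumption, not the package's own."""
    body = dict(filters)  # never mutate the caller's dict
    if enforce_warninglist:
        body["enforceWarninglist"] = 1
    return body


def php_empty(value) -> bool:
    """Emulate PHP's empty(): null, false, 0, 0.0, "", "0" and empty arrays
    are empty; everything else (including true and "1") is not."""
    if value is None or value is False:
        return True
    if isinstance(value, (int, float)) and value == 0:
        return True
    if isinstance(value, str) and value in ("", "0"):
        return True
    if isinstance(value, (list, dict, tuple)) and len(value) == 0:
        return True
    return False


def misp_effective_enforce(filters: dict):
    """Server side, transcribed from the Attribute.php line quoted above:
        'enforceWarninglist' => !empty($filters['enforceWarninglist'])
                                  ? $filters['enforceWarninglist'] : 0
    A missing key, 0, "0", "" or false all collapse to 0 (filter off);
    any other value is passed through unchanged."""
    value = filters.get("enforceWarninglist")
    return 0 if php_empty(value) else value


def to_json(body: dict) -> str:
    """Serialise the request body deterministically, for logging or diffing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample filter values, chosen only for the demonstration.
    sample_filters = {"published": 1, "timestamp": "1d"}
    for enabled in (False, True):
        body = build_request_body(sample_filters, enforce_warninglist=enabled)
        print(f"client sends  : {to_json(body)}")
        print(f"server applies: enforceWarninglist={misp_effective_enforce(body)!r}")
```

Against the quoted server line, `true`, `1` and `"1"` all survive the `!empty()` check and switch the filter on, while a missing key, `false`, `0` or `"0"` all resolve to 0, so the boolean-versus-integer disagreement above is benign for that code path; omitting the key when disabled, as the PR does, is the form that is also safe for servers that do not know the parameter.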

@P1llus
Member Author

P1llus commented Nov 13, 2023

> It is an integer :) https://github.com/MISP/MISP/blob/c15c88ed75de4c5d26388078958691b0b9a97611/docs/API_Doc.md?plain=1#L117

I wonder if this is only when it's part of the URL parameters? Their OpenAPI spec says different:
[image]

Maybe they also support both. Either way, I added the change, as it's what you already used.

@LaZyDK
Contributor

LaZyDK commented Nov 13, 2023

Let's go with the legacy option, until it doesn't work anymore 👍

@P1llus P1llus merged commit e22c2e1 into elastic:main Nov 13, 2023
4 checks passed
@elasticmachine

Package ti_misp - 1.26.0 containing this change is available at https://epr.elastic.co/search?package=ti_misp

Labels
enhancement New feature or request Integration:ti_misp MISP