[ti_misp] Pagination fixes #9073
Conversation
Commits:
- …n sequences and require correct timestamps after the first.
- … don't let the starting point shift even if initial responses are empty.
💚 Build Succeeded
Quality Gate passed: Kudos, no new issues were introduced! 0 New issues
This looks great! Thanks for such a detailed PR and test description!
No comments from me; the only thing I noticed was that while `.Unix` was removed from one part, the default value still uses it. I assume that's intended since the original value is not Unix?
Yes, it's intended.
Package ti_misp - 1.31.0 containing this change is available at https://epr.elastic.co/search?package=ti_misp
Commits referencing this PR (filebeat threatintel module):

[filebeat][threatintel] MISP pagination fixes (#37898)

Update the HTTP JSON input configuration for the Threat Intel module's misp fileset with pagination fixes that were done earlier in the Agent-based MISP integration, in these PRs:
- Fix timestamp format sent to API elastic/integrations#6482
- Fix duplicate requests for page 1 elastic/integrations#6495
- Keep the same timestamp for later pages elastic/integrations#6649
- Pagination fixes elastic/integrations#9073

(cherry picked from commit b7fc69a)

The cherry-picked commits …#37923 and …#37924 carry the same message.
Proposed commit message
Discussion
While the system tests do now require that later page sequences use the correct timestamp values, I relied on manual checks to validate that the timestamp value won't be reinitialized following an empty page before data arrives. I used MISP v2.4.183, via misp-docker, as described below.

Adding the `order` parameter changes the SQL query generated by MISP as follows (for events):

```sql
SELECT `Event`.`id`, `Event`.`attribute_count` FROM `misp`.`events` AS `Event` WHERE `Event`.`timestamp` >= 1707200151
+ORDER BY `Event`.`timestamp` asc LIMIT 10
```

The `order` parameter is mentioned in MISP's main documentation but not in its OpenAPI documentation. The documentation says it's "Only available for `/events/restSearch`", but in fact the `restSearch` code is shared and it works for `/attributes/restSearch` as well.

Checklist
- … `changelog.yml` file.

How to test this PR locally
The following is a guide for how to run MISP locally, observe its interactions with the database and run the Elastic MISP integration against that local instance.
MISP: Configure, run and generate an API token
- In `docker-compose.yml`, under `services.db`, add `command: --general-log --general-log-file=general.log`.
- … misp-docker README's Getting Started instructions.

MISP: Load data and query
… (`--insecure` option).
option).SQL logs
Tail the MariaDB log and highlight queries of interest (`SELECT`s with a `LIMIT` that's not `1`), as follows:

MISP integration in Elastic
When adding a MISP integration policy use the following settings:
MISP: other settings (optional)
Additional settings can be added to `misp-docker/core/files/configure_misp.sh`, for example:

Setting `debug` to `2` will show a summary of SQL queries at the bottom of the page in the browser, but to see all queries, including those generated by API requests, use MariaDB's general log as above.

Check live settings as follows:
Change a live setting as follows:
Related issues
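The paging rules the linked PRs describe (one fixed timestamp filter across every page of a sequence, page 1 requested exactly once, the starting point held when a sequence returns nothing, results ordered by timestamp) modelled as an added example against a constructed in-memory stand-in for `restSearch`. This is not the integration's httpjson configuration nor MISP's code; the epoch-seconds cursor and the inclusive `>=` filter are assumed from the logged SQL in the discussion above.

```python
from dataclasses import dataclass, field


@dataclass
class FakeMisp:
    """Constructed stand-in for restSearch (not real MISP). rows: list of (id, epoch_ts)."""
    rows: list
    calls: list = field(default_factory=list)  # (timestamp, page) per request, for checking

    def rest_search(self, timestamp, page, limit, order="timestamp asc"):
        # Mirrors the logged query: WHERE timestamp >= ? ORDER BY timestamp asc, paged by LIMIT.
        self.calls.append((timestamp, page))
        hits = [r for r in self.rows if r[1] >= timestamp]
        if order == "timestamp asc":  # without `order` there is no stable paging order
            hits.sort(key=lambda r: r[1])
        start = (page - 1) * limit
        return hits[start:start + limit]


def fetch_sequence(misp, since, limit):
    """One page sequence: the timestamp filter stays fixed for every page and
    paging starts at 1 exactly once. Returns (rows, next_since)."""
    rows, page = [], 1
    while True:
        batch = misp.rest_search(since, page, limit)
        rows.extend(batch)
        if len(batch) < limit:  # a short or empty page ends the sequence
            break
        page += 1
    # Advance the starting point only when data arrived; an empty sequence keeps `since`.
    # The filter is inclusive (>=), so the boundary row can reappear in the next sequence.
    next_since = rows[-1][1] if rows else since
    return rows, next_since


def run(misp, since, limit, sequences):
    """Run consecutive sequences as the input would on each interval; returns (ids, cursor)."""
    seen = []
    for _ in range(sequences):
        rows, since = fetch_sequence(misp, since, limit)
        seen.extend(r[0] for r in rows)
    return seen, since


if __name__ == "__main__":
    # Constructed sample rows, deliberately unordered, with the epoch from the logged SQL.
    sample = FakeMisp(rows=[(3, 1707200170), (1, 1707200151), (5, 1707200190), (2, 1707200160)])
    print(run(sample, 1707200151, 2, 1), sample.calls)
```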