Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ti_crowdstrike] Add the ECS mappings to be useful for threat Intel rules #9456

Merged
merged 4 commits into from Apr 2, 2024
Merged

[ti_crowdstrike] Add the ECS mappings to be useful for threat Intel rules #9456

merged 4 commits into from Apr 2, 2024

Conversation

mohitjha-elastic
Copy link
Contributor

Type of change

  • Enhancement

What does this PR do?

Add the ECS mappings to be useful for threat Intel rules
Customer provided the below lists of ECS mappings that are required to be added to be useful for threat Intel rules, hence we supported the below list of ECS mappings in this PR:

URL:
threat.indicator.url.full

IP:
threat.indicator.ip

Hash:
threat.indicator.file.hash.md5
threat.indicator.file.hash.sha1
threat.indicator.file.hash.sha256

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

All changes

  • Change follows the contributing guidelines
  • Supported versions of the monitoring target are documented
  • Supported operating systems are documented (if applicable)
  • Integration or System tests exist
  • Documentation exists
  • Fields follow ECS and naming conventions
  • At least a manual test with ES / Kibana / Agent has been performed.
  • Required Kibana version set to: ^8.12.0

How to test this PR locally

Clone integrations repo.
Install the elastic package locally.
Start the elastic stack using the elastic package.
Move to integrations/packages/ti_crowdstrike directory.
Run the following command to run tests.
elastic-package test -v

Related issues

Automated Test

test-ti_crowdstrike-0.5.4.log

@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner March 27, 2024 06:04
efd6
efd6 reviewed Mar 27, 2024
View reviewed changes
packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml Outdated
field: threat.indicator.file.hash.sha1
tag: set_threat_indicator_file_hash_sha1
value: '{{{ti_crowdstrike.intel.value}}}'
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_sha1') && ctx.ti_crowdstrike?.intel?.value != null
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_sha1') && ctx.ti_crowdstrike?.intel?.value != null
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.value != null && ctx.ti_crowdstrike.intel.type.contains('hash_sha1')

Removes unnecessary null-safe operators and puts cheaper checks first; similar changes below.

kcreddy
kcreddy reviewed Mar 27, 2024
View reviewed changes
packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml
value: '{{{ti_crowdstrike.intel.value}}}'
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_md5') && ctx.ti_crowdstrike?.intel?.value != null
- set:
field: threat.indicator.url.full
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you apply uri_parts processor on this URL?

packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml
value: '{{{ti_crowdstrike.intel.value}}}'
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_sha1') && ctx.ti_crowdstrike?.intel?.value != null
- set:
field: threat.indicator.file.hash.md5
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add all threat.indicator.file.hash.* values into related.hash

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the hash values are already appended to the related.hash. hash_sha1 was missing, added that in the recent commit.

@kcreddy kcreddy added enhancement New feature or request Integration:TI Crowdstrike Team:Security-Service Integrations Security Service Integrations Team labels Mar 27, 2024
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@mohitjha-elastic
Resolve review comments.
8143c43 
1. Use uri_parts for threat.indicator.url.full
2. use hash_sha1 in related.hash
kcreddy
kcreddy approved these changes Mar 28, 2024
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍🏼 lets wait for Dan's approval before merging

@kcreddy
Copy link
Contributor

kcreddy commented Mar 28, 2024

/test

@elasticmachine
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

efd6
efd6 reviewed Apr 1, 2024
View reviewed changes
packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml
value: '{{{ti_crowdstrike.intel.value}}}'
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_md5') && ctx.ti_crowdstrike?.intel?.value != null
- set:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we have test cases for these two changes as well? threat.indicator.url.full and threat.indicator.ip.

@mohitjha-elastic
Resolve review comments.
a13cc60 
Add test data for url and ip_address indicator.
efd6
efd6 approved these changes Apr 2, 2024
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@efd6
Copy link
Contributor

efd6 commented Apr 2, 2024

/test

@elasticmachine
Copy link

💚 Build Succeeded

History

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
97.1% 97.1% Coverage on New Code
0.0% 0.0% Duplication on New Code

See analysis details on SonarQube

@efd6 efd6 merged commit 82d463f into elastic:main Apr 2, 2024
5 checks passed
@elasticmachine
Copy link

Package ti_crowdstrike - 0.5.4 containing this change is available at https://epr.elastic.co/search?package=ti_crowdstrike

@narph narph added the Crest label Apr 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kcreddy kcreddy kcreddy approved these changes

@efd6 efd6 efd6 approved these changes

Assignees
No one assigned
Labels
Crest enhancement New feature or request Integration:TI Crowdstrike Team:Security-Service Integrations Security Service Integrations Team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ti_crowdstrike: Add the ECS mappings required for threat Intel rules
5 participants
@mohitjha-elastic @elasticmachine @kcreddy @efd6 @narph