[ti_crowdstrike] Add the ECS mappings to be useful for threat Intel rules #9456
Conversation
field: threat.indicator.file.hash.sha1
tag: set_threat_indicator_file_hash_sha1
value: '{{{ti_crowdstrike.intel.value}}}'
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_sha1') && ctx.ti_crowdstrike?.intel?.value != null
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_sha1') && ctx.ti_crowdstrike?.intel?.value != null
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.value != null && ctx.ti_crowdstrike.intel.type.contains('hash_sha1')
Removes unnecessary null-safe operators and puts cheaper checks first; similar changes below.
value: '{{{ti_crowdstrike.intel.value}}}'
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_md5') && ctx.ti_crowdstrike?.intel?.value != null
- set:
field: threat.indicator.url.full
Can you apply the uri_parts processor on this URL?
value: '{{{ti_crowdstrike.intel.value}}}'
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_sha1') && ctx.ti_crowdstrike?.intel?.value != null
- set:
field: threat.indicator.file.hash.md5
Add all threat.indicator.file.hash.* values into related.hash
All the hash values are already appended to related.hash. hash_sha1 was missing; added that in the recent commit.
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
1. Use uri_parts for threat.indicator.url.full
2. Use hash_sha1 in related.hash
LGTM 👍🏼 let's wait for Dan's approval before merging
/test
value: '{{{ti_crowdstrike.intel.value}}}'
if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_md5') && ctx.ti_crowdstrike?.intel?.value != null
- set:
Can we have test cases for these two changes as well? threat.indicator.url.full and threat.indicator.ip.
Add test data for url and ip_address indicator.
Thanks
/test
💚 Build Succeeded
Quality Gate passed. Kudos, no new issues were introduced! 0 New issues
Package ti_crowdstrike - 0.5.4 containing this change is available at https://epr.elastic.co/search?package=ti_crowdstrike
Type of change
What does this PR do?
Add the ECS mappings to be useful for threat Intel rules
The customer provided the list of ECS mappings below, which are required for the data to be useful for threat intel rules; hence this PR adds support for the following ECS mappings:
URL:
threat.indicator.url.full
IP:
threat.indicator.ip
Hash:
threat.indicator.file.hash.md5
threat.indicator.file.hash.sha1
threat.indicator.file.hash.sha256
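As an added example (not the integration's actual pipeline), an ingest-pipeline fragment in the style of the change under review: the sha1 set processor with the reviewer's cheaper-checks-first condition, the hash appended to related.hash, and the URL indicator run through uri_parts. Field names follow the PR; the processor tags, the 'url' and 'ip_address' type values, and the target_field layout are assumptions.

```yaml
processors:
  # Null checks first, then the string match (reviewer's ordering).
  - set:
      field: threat.indicator.file.hash.sha1
      tag: set_threat_indicator_file_hash_sha1
      value: '{{{ti_crowdstrike.intel.value}}}'
      if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.value != null && ctx.ti_crowdstrike.intel.type.contains('hash_sha1')
  # Every threat.indicator.file.hash.* value also lands in related.hash
  # so a single field can be matched against event hashes.
  - append:
      field: related.hash
      tag: append_sha1_to_related_hash
      value: '{{{threat.indicator.file.hash.sha1}}}'
      allow_duplicates: false
      if: ctx.threat?.indicator?.file?.hash?.sha1 != null
  # URL indicator: keep the full URL, then split it into ECS url.* parts.
  - set:
      field: threat.indicator.url.full
      tag: set_threat_indicator_url_full
      value: '{{{ti_crowdstrike.intel.value}}}'
      if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.value != null && ctx.ti_crowdstrike.intel.type.contains('url')
  - uri_parts:
      field: threat.indicator.url.full
      target_field: threat.indicator.url
      keep_original: true
      ignore_failure: true
      tag: uri_parts_threat_indicator_url
      if: ctx.threat?.indicator?.url?.full != null
  # IP indicator (assumed type value 'ip_address', as in the test data).
  - set:
      field: threat.indicator.ip
      tag: set_threat_indicator_ip
      value: '{{{ti_crowdstrike.intel.value}}}'
      if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.value != null && ctx.ti_crowdstrike.intel.type.contains('ip_address')
```

ignore_failure on uri_parts keeps a malformed indicator URL from dropping the whole document; the raw value still survives in threat.indicator.url.full.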
How to test this PR locally
Clone integrations repo.
Install the elastic package locally.
Start the elastic stack using the elastic package.
Move to integrations/packages/ti_crowdstrike directory.
Run the following command to run tests.
elastic-package test -v
Related issues
Automated Test
test-ti_crowdstrike-0.5.4.log