
[TI CIF3] Add IOC Expiration #9550

Merged
merged 6 commits into from
Apr 10, 2024

Conversation

kcreddy
Contributor

@kcreddy kcreddy commented Apr 8, 2024

Proposed commit message

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

elastic-package stack down && elastic-package build && elastic-package stack up -d -v && eval "$(elastic-package stack shellinit)" && elastic-package test system --generate -v

--- Test results for package: ti_cif3 - START ---
╭─────────┬─────────────┬───────────┬──────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME                                                        │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼──────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ ti_cif3 │             │ asset     │ dashboard ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3 is loaded │ PASS   │        500ns │
│ ti_cif3 │             │ asset     │ dashboard ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3 is loaded │ PASS   │         83ns │
│ ti_cif3 │             │ asset     │ dashboard ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3 is loaded │ PASS   │         42ns │
│ ti_cif3 │             │ asset     │ dashboard ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3 is loaded │ PASS   │         83ns │
│ ti_cif3 │             │ asset     │ dashboard ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3 is loaded │ PASS   │         42ns │
│ ti_cif3 │             │ asset     │ dashboard ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3 is loaded │ PASS   │         83ns │
│ ti_cif3 │ feed        │ asset     │ index_template logs-ti_cif3.feed is loaded                       │ PASS   │        125ns │
│ ti_cif3 │ feed        │ asset     │ ingest_pipeline logs-ti_cif3.feed-1.12.0 is loaded               │ PASS   │         84ns │
╰─────────┴─────────────┴───────────┴──────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: ti_cif3 - END   ---
Done
Run pipeline tests for the package
--- Test results for package: ti_cif3 - START ---
╭─────────┬─────────────┬───────────┬──────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME                        │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼──────────────────────────────────┼────────┼──────────────┤
│ ti_cif3 │ feed        │ pipeline  │ test-cif3-no-preserve-ndjson.log │ PASS   │  21.984334ms │
│ ti_cif3 │ feed        │ pipeline  │ test-cif3-sample-ndjson.log      │ PASS   │   3.065291ms │
╰─────────┴─────────────┴───────────┴──────────────────────────────────┴────────┴──────────────╯
--- Test results for package: ti_cif3 - END   ---
Done
Run static tests for the package
--- Test results for package: ti_cif3 - START ---
╭─────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ ti_cif3 │ feed        │ static    │ Verify sample_event.json │ PASS   │  53.611292ms │
╰─────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: ti_cif3 - END   ---
Done
Run system tests for the package
--- Test results for package: ti_cif3 - START ---
╭─────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├─────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ ti_cif3 │ feed        │ system    │ default   │ PASS   │ 39.578945416s │
╰─────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: ti_cif3 - END   ---
Done

Related issues

Screenshots

Updated with filter `NOT labels.is_ioc_transform_source: true`

Three dashboard screenshots attached (taken 2024-04-09).

@kcreddy kcreddy added enhancement New feature or request Integration:ti_cif3 Collective Intelligence Framework v3 labels Apr 8, 2024
@elasticmachine

elasticmachine commented Apr 8, 2024

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@kcreddy kcreddy marked this pull request as ready for review April 9, 2024 04:42
@kcreddy kcreddy requested a review from a team as a code owner April 9, 2024 04:42
@kcreddy kcreddy added the Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] label Apr 9, 2024
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@kcreddy kcreddy self-assigned this Apr 9, 2024
packages/ti_cif3/_dev/build/docs/README.md (outdated; thread resolved)
@@ -98,3 +100,10 @@
name: threat.indicator.geo.region_name
- external: ecs
name: threat.indicator.geo.timezone
# Manually define this as a workaround for failing tests and validation
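Review bot: the comment that closes this hunk ("Manually define this as a workaround for failing tests and validation") names neither the test or validation step that fails nor the elastic-package version it was observed with, so there is no way to tell later when the workaround can be dropped. Suggest naming the failing check (or linking the issue) in the comment, or re-checking against the current elastic-package whether `external: ecs` now validates for this field and using that instead of a manual definition.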
Contributor

What is the test that fails without this?

Contributor Author

There was a validation check that failed to import this ECS field if defined with `external: ecs`. It doesn't seem to be failing now. Looks like it might have been fixed in newer versions of elastic-package.
Modified to `external: ecs`.

@kcreddy kcreddy requested a review from efd6 April 9, 2024 07:46
Comment on lines 34 to 49
- date:
field: cif3.firsttime
target_field: threat.indicator.first_seen
ignore_missing: true
- rename:
formats:
- "ISO8601"
if: ctx.cif3?.firsttime != null
- date:
field: cif3.lasttime
target_field: threat.indicator.last_seen
ignore_missing: true
formats:
- "ISO8601"
if: ctx.cif3?.lasttime != null
- set:
field: threat.indicator.name
copy_from: cif3.indicator
if: ctx.cif3?.indicator != null
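Review bot: the two `date` processors in this block (cif3.firsttime and cif3.lasttime) have no `on_failure` handler, so a single malformed timestamp in a feed record rejects the whole document instead of indexing it with the failure recorded; suggest adding an `on_failure` step on each that appends the processor error to `error.message` so the indicator itself is still ingested and the bad value is visible for triage. Two smaller points: `ignore_missing: true` and `if: ctx.cif3?.firsttime != null` guard the same case, so one of them is enough; and the lone `- rename:` line sitting between `ignore_missing: true` and `formats:` reads as a leftover in this rendering, so worth confirming it is not present in the committed pipeline.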
Contributor

What happens if these fail? Do we just accept that the world has stopped working? (probably reasonable)

Contributor Author

Added an `on_failure` clause for the date processor with `error.message`.
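As an added example (not code from this PR or from the ti_cif3 package), the following Python simulates the processors from the snippet under discussion: the two `date` processors (cif3.firsttime to threat.indicator.first_seen, cif3.lasttime to threat.indicator.last_seen) and the `set` processor for threat.indicator.name, with the `on_failure` behaviour the reply describes. A malformed timestamp no longer rejects the document; the failure is appended to error.message and the remaining fields are still populated. The CIF3 records, the wording of the failure message and the millisecond-precision UTC output format are constructed for this example; the real pipeline runs inside Elasticsearch.

```python
# Added example, not code from the PR or the ti_cif3 package: a Python
# simulation of the ingest-pipeline step under review, including the
# on_failure handling the author describes adding. Sample records are constructed.
import copy
from datetime import datetime, timezone


def parse_iso8601(value):
    """Parse an ISO 8601 timestamp and render it in UTC with millisecond
    precision. Raises ValueError/TypeError for malformed input, which is the
    condition the simulated `date` processor treats as a failure."""
    if not isinstance(value, str):
        raise TypeError(f"expected an ISO 8601 string, got {type(value).__name__}")
    text = value.strip()
    if text.endswith("Z"):          # older Pythons do not accept a trailing Z
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:       # treat naive timestamps as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    parsed = parsed.astimezone(timezone.utc)
    return parsed.strftime("%Y-%m-%dT%H:%M:%S.") + f"{parsed.microsecond // 1000:03d}Z"


def date_processor(doc, source_field, target_field):
    """One `date` processor: cif3.<source_field> -> threat.indicator.<target_field>.
    Missing/null input is skipped (ignore_missing plus the `if` guard); a parse
    failure runs the simulated on_failure step, which appends to error.message
    instead of dropping the document."""
    value = (doc.get("cif3") or {}).get(source_field)
    if value is None:
        return
    try:
        rendered = parse_iso8601(value)
    except (ValueError, TypeError) as exc:
        # on_failure: record the problem and carry on. The message text is this
        # example's choice, not the package's.
        doc.setdefault("error", {}).setdefault("message", []).append(
            f"Processor date with field cif3.{source_field} failed: {exc}")
        return
    doc.setdefault("threat", {}).setdefault("indicator", {})[target_field] = rendered


def set_indicator_name(doc):
    """The `set` processor: copy cif3.indicator to threat.indicator.name when present."""
    indicator = (doc.get("cif3") or {}).get("indicator")
    if indicator is not None:
        doc.setdefault("threat", {}).setdefault("indicator", {})["name"] = indicator


def run_pipeline(event):
    """Apply the three processors to a copy of `event` and return the result."""
    doc = copy.deepcopy(event)
    date_processor(doc, "firsttime", "first_seen")
    date_processor(doc, "lasttime", "last_seen")
    set_indicator_name(doc)
    return doc


# Constructed CIF3 records: a clean one, one with a malformed firsttime and a
# non-UTC lasttime, and one carrying no timestamps at all.
SAMPLE_EVENTS = [
    {"cif3": {"indicator": "198.51.100.7", "firsttime": "2024-04-01T08:15:00Z",
              "lasttime": "2024-04-08T09:30:00Z"}},
    {"cif3": {"indicator": "malformed.example", "firsttime": "not-a-date",
              "lasttime": "2024-04-08T09:30:00+02:00"}},
    {"cif3": {"indicator": "2001:db8::1"}},
]


def process_all(events=SAMPLE_EVENTS):
    """Run every sample record through the simulated pipeline."""
    return [run_pipeline(e) for e in events]


if __name__ == "__main__":
    import json
    for doc in process_all():
        print(json.dumps(doc, sort_keys=True))
```

The second record is the case the reviewer asked about: its firsttime cannot be parsed, so first_seen is absent and error.message holds the reason, while last_seen (converted from +02:00 to UTC) and name are still set. Without the on_failure path, that whole indicator would have been lost from the feed index.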

@elasticmachine

💚 Build Succeeded

History

cc @kcreddy

Contributor

@efd6 efd6 left a comment

Still LGTM

@kcreddy kcreddy merged commit 09370a0 into elastic:main Apr 10, 2024
5 checks passed
@elasticmachine

Package ti_cif3 - 1.12.0 containing this change is available at https://epr.elastic.co/search?package=ti_cif3

Successfully merging this pull request may close these issues.

[TI_CIF3] Add support for IOC expiration
3 participants