From aa80a04ebb7077c6c81d98d6d4c4425cd542a47b Mon Sep 17 00:00:00 2001 From: Maxim Kholod Date: Tue, 1 Nov 2022 18:29:55 +0100 Subject: [PATCH] [TIP] add null check to the painless script --- .../server/utils/indicator_name.test.ts | 60 +++++++++---------- .../server/utils/indicator_name.ts | 2 +- 2 files changed, 31 insertions(+), 31 deletions(-) diff --git a/x-pack/plugins/threat_intelligence/server/utils/indicator_name.test.ts b/x-pack/plugins/threat_intelligence/server/utils/indicator_name.test.ts index df64055b489cb1..b394392c9fa96a 100644 --- a/x-pack/plugins/threat_intelligence/server/utils/indicator_name.test.ts +++ b/x-pack/plugins/threat_intelligence/server/utils/indicator_name.test.ts 
@@ -11,10 +11,10 @@ describe('display name generation', () => { describe('threatIndicatorNamesScript()', () => { it('should generate a valid painless script', () => { expect(threatIndicatorNamesScript()).toMatchInlineSnapshot(` - "if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='ipv4-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit(doc['threat.indicator.ip'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='ipv6-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit(doc['threat.indicator.ip'].value) } } + "if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv4-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit(doc['threat.indicator.ip'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv6-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit(doc['threat.indicator.ip'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='file') { if (doc['threat.indicator.file.hash.sha256'].size()!=0 && doc['threat.indicator.file.hash.sha256'].value!=null) { return emit(doc['threat.indicator.file.hash.sha256'].value) } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='file') { if (doc['threat.indicator.file.hash.sha256'].size()!=0 && doc['threat.indicator.file.hash.sha256'].value!=null) { return emit(doc['threat.indicator.file.hash.sha256'].value) } if (doc['threat.indicator.file.hash.md5'].size()!=0 && 
doc['threat.indicator.file.hash.md5'].value!=null) { return emit(doc['threat.indicator.file.hash.md5'].value) } if (doc['threat.indicator.file.hash.sha1'].size()!=0 && doc['threat.indicator.file.hash.sha1'].value!=null) { return emit(doc['threat.indicator.file.hash.sha1'].value) } if (doc['threat.indicator.file.hash.sha224'].size()!=0 && doc['threat.indicator.file.hash.sha224'].value!=null) { return emit(doc['threat.indicator.file.hash.sha224'].value) } 
@@ -33,25 +33,25 @@ describe('display name generation', () => { if (doc['threat.indicator.file.pehash'].size()!=0 && doc['threat.indicator.file.pehash'].value!=null) { return emit(doc['threat.indicator.file.pehash'].value) } if (doc['threat.indicator.file.vhash'].size()!=0 && doc['threat.indicator.file.vhash'].value!=null) { return emit(doc['threat.indicator.file.vhash'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='url') { if (doc['threat.indicator.url.full'].size()!=0 && doc['threat.indicator.url.full'].value!=null) { return emit(doc['threat.indicator.url.full'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='url') { if (doc['threat.indicator.url.full'].size()!=0 && doc['threat.indicator.url.full'].value!=null) { return emit(doc['threat.indicator.url.full'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='domain') { if (doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit(doc['threat.indicator.url.domain'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='domain-name') { if (doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit(doc['threat.indicator.url.domain'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain') { if (doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit(doc['threat.indicator.url.domain'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain-name') { if 
(doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit(doc['threat.indicator.url.domain'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='x509-certificate') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit(doc['threat.indicator.x509.serial_number'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='x509 serial') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit(doc['threat.indicator.x509.serial_number'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509-certificate') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit(doc['threat.indicator.x509.serial_number'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509 serial') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit(doc['threat.indicator.x509.serial_number'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='email-addr') { if (doc['threat.indicator.email.address'].size()!=0 && doc['threat.indicator.email.address'].value!=null) { return emit(doc['threat.indicator.email.address'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-addr') { if (doc['threat.indicator.email.address'].size()!=0 && doc['threat.indicator.email.address'].value!=null) { 
return emit(doc['threat.indicator.email.address'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='unknown') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='email') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='email-message') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='unknown') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-message') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='windows-registry-key') { if (doc['threat.indicator.registry.key'].size()!=0 && doc['threat.indicator.registry.key'].value!=null) { return emit(doc['threat.indicator.registry.key'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='windows-registry-key') { if (doc['threat.indicator.registry.key'].size()!=0 && doc['threat.indicator.registry.key'].value!=null) { return 
emit(doc['threat.indicator.registry.key'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='autonomous-system') { if (doc['threat.indicator.as.number'].size()!=0 && doc['threat.indicator.as.number'].value!=null) { return emit(doc['threat.indicator.as.number'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='autonomous-system') { if (doc['threat.indicator.as.number'].size()!=0 && doc['threat.indicator.as.number'].value!=null) { return emit(doc['threat.indicator.as.number'].value) } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='mac-addr') { if (doc['threat.indicator.mac'].size()!=0 && doc['threat.indicator.mac'].value!=null) { return emit(doc['threat.indicator.mac'].value) } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='mac-addr') { if (doc['threat.indicator.mac'].size()!=0 && doc['threat.indicator.mac'].value!=null) { return emit(doc['threat.indicator.mac'].value) } } return emit('')" `); 
@@ -61,10 +61,10 @@ describe('display name generation', () => { describe('threatIndicatorNamesOriginScript()', () => { it('should generate a valid painless script', () => { expect(threatIndicatorNamesOriginScript()).toMatchInlineSnapshot(` - "if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='ipv4-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit('threat.indicator.ip') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='ipv6-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit('threat.indicator.ip') } } + "if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv4-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit('threat.indicator.ip') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv6-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit('threat.indicator.ip') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='file') { if (doc['threat.indicator.file.hash.sha256'].size()!=0 && doc['threat.indicator.file.hash.sha256'].value!=null) { return emit('threat.indicator.file.hash.sha256') } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='file') { if (doc['threat.indicator.file.hash.sha256'].size()!=0 && doc['threat.indicator.file.hash.sha256'].value!=null) { return emit('threat.indicator.file.hash.sha256') } if (doc['threat.indicator.file.hash.md5'].size()!=0 && doc['threat.indicator.file.hash.md5'].value!=null) { return 
emit('threat.indicator.file.hash.md5') } if (doc['threat.indicator.file.hash.sha1'].size()!=0 && doc['threat.indicator.file.hash.sha1'].value!=null) { return emit('threat.indicator.file.hash.sha1') } if (doc['threat.indicator.file.hash.sha224'].size()!=0 && doc['threat.indicator.file.hash.sha224'].value!=null) { return emit('threat.indicator.file.hash.sha224') } 
@@ -83,25 +83,25 @@ describe('display name generation', () => { if (doc['threat.indicator.file.pehash'].size()!=0 && doc['threat.indicator.file.pehash'].value!=null) { return emit('threat.indicator.file.pehash') } if (doc['threat.indicator.file.vhash'].size()!=0 && doc['threat.indicator.file.vhash'].value!=null) { return emit('threat.indicator.file.vhash') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='url') { if (doc['threat.indicator.url.full'].size()!=0 && doc['threat.indicator.url.full'].value!=null) { return emit('threat.indicator.url.full') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='url') { if (doc['threat.indicator.url.full'].size()!=0 && doc['threat.indicator.url.full'].value!=null) { return emit('threat.indicator.url.full') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='domain') { if (doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit('threat.indicator.url.domain') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='domain-name') { if (doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit('threat.indicator.url.domain') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain') { if (doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit('threat.indicator.url.domain') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain-name') { if (doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { 
return emit('threat.indicator.url.domain') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='x509-certificate') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit('threat.indicator.x509.serial_number') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='x509 serial') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit('threat.indicator.x509.serial_number') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509-certificate') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit('threat.indicator.x509.serial_number') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509 serial') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit('threat.indicator.x509.serial_number') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='email-addr') { if (doc['threat.indicator.email.address'].size()!=0 && doc['threat.indicator.email.address'].value!=null) { return emit('threat.indicator.email.address') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-addr') { if (doc['threat.indicator.email.address'].size()!=0 && doc['threat.indicator.email.address'].value!=null) { return emit('threat.indicator.email.address') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='unknown') { if 
(doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='email') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='email-message') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='unknown') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-message') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='windows-registry-key') { if (doc['threat.indicator.registry.key'].size()!=0 && doc['threat.indicator.registry.key'].value!=null) { return emit('threat.indicator.registry.key') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='windows-registry-key') { if (doc['threat.indicator.registry.key'].size()!=0 && doc['threat.indicator.registry.key'].value!=null) { return emit('threat.indicator.registry.key') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='autonomous-system') { if (doc['threat.indicator.as.number'].size()!=0 && doc['threat.indicator.as.number'].value!=null) { return 
emit('threat.indicator.as.number') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='autonomous-system') { if (doc['threat.indicator.as.number'].size()!=0 && doc['threat.indicator.as.number'].value!=null) { return emit('threat.indicator.as.number') } } - if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='mac-addr') { if (doc['threat.indicator.mac'].size()!=0 && doc['threat.indicator.mac'].value!=null) { return emit('threat.indicator.mac') } } + if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='mac-addr') { if (doc['threat.indicator.mac'].size()!=0 && doc['threat.indicator.mac'].value!=null) { return emit('threat.indicator.mac') } } return emit('')" `); diff --git a/x-pack/plugins/threat_intelligence/server/utils/indicator_name.ts b/x-pack/plugins/threat_intelligence/server/utils/indicator_name.ts index 2534ddbe903e8f..4f3456308d1852 100644 --- a/x-pack/plugins/threat_intelligence/server/utils/indicator_name.ts +++ b/x-pack/plugins/threat_intelligence/server/utils/indicator_name.ts @@ -56,7 +56,7 @@ const mappingsArray: Mappings = [ * Generates Painless condition checking if given `type` is matched */ const fieldTypeCheck = (type: string) => - `if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value.toLowerCase()=='${type.toLowerCase()}')`; + `if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='${type.toLowerCase()}')`; /** * Generates Painless condition checking if given `field` has value
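Review bot: The condition built by `fieldTypeCheck` still dereferences `doc['threat.indicator.type']` without checking that the field is mapped, so on an index whose mapping lacks `threat.indicator.type` the lookup itself can throw before `size()` or the new `value!=null` guard runs. If this script is evaluated across indices with mixed mappings, that would likely surface as shard failures and indicators silently missing from results. Consider prefixing the guard with `doc.containsKey('threat.indicator.type') &&`; the inline snapshots in indicator_name.test.ts would then need regenerating. Separately, `'${type.toLowerCase()}'` is interpolated into the script source unescaped. The values appear to come from the static `mappingsArray`, but a comment such as `// type must be a trusted constant: it is interpolated into Painless source unescaped` would keep a future caller from passing external input here.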