Return matched.atomic value from indicator #132509
base: main
…-ref HEAD~1..HEAD --fix'
0445b86 to 6cd6642
@elasticmachine merge upstream
💔 Build Failed
This one got lost in the shuffle, I think... If we can fix the file conflicts I think this will be good to go! Just let me know and I can approve.
@@ -113,11 +117,6 @@ export const createThreatSignals = async ({ | |||
|
|||
logger.debug(buildRuleMessage(`Total indicator items: ${threatListCount}`)); | |||
|
|||
const threatListConfig = { |
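Review bot: this hunk shrinks the block around `const threatListConfig = {` from 11 lines to 6 while still building a config object inline here, and the PR also introduces an exported `getThreatListConfig` helper in another file; add a one-line comment above the local `threatListConfig` saying which fields it selects and why it is not the helper's result, otherwise a reader at this call site cannot tell the two apart. The preceding `logger.debug(buildRuleMessage(\`Total indicator items: ${threatListCount}\`))` is fine as is.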
If we now have two different values for threatListConfig, can we give them distinguishing names? It's not obvious from this level how the results of getThreatListConfig() differ from the manually mapped version.
@@ -169,3 +170,27 @@ export const buildExecutionIntervalValidator: (interval: string) => () => void = | |||
} | |||
}; | |||
}; | |||
|
|||
export const getThreatListConfig = ({ |
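Review bot: the new exported `getThreatListConfig = ({` is added as 24 lines with no JSDoc comment and no accompanying test in this hunk; add a short doc comment stating what the returned config selects (per the PR summary, the indicator's own value is what should end up in `matched.atomic`, not the source event's field value) and a unit test that asserts exactly that for a CIDR indicator such as `127.0.0.1/30` matching an event value like `127.0.0.2`, so the regression this PR reverts cannot silently return.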
A few unit tests showing how this works would be helpful!
Summary
Switched back to putting the value from the threat indicator, not the source event, into matched.atomic.
How to reproduce the bug:
Create a rule like
Then you should have an alert with some threat enrichments which has matched.atomic - 127.0.0.2, which is wrong:
If you switch to this PR branch and send one more alert like
You should see the matched.atomic value as 127.0.0.1/30