address pr comment

elastic · Mar 2, 2025 · df11fca · df11fca
1 parent fe4622e
commit df11fca
Showing 1 changed file with 10 additions and 12 deletions.
diff --git a/packages/ti_crowdstrike/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml b/packages/ti_crowdstrike/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml
@@ -290,24 +290,22 @@ processors:
       source: >
         String mapping = params[ctx.ti_crowdstrike.ioc.type];
         if (mapping != null) {
-            ctx.threat.indicator.type = mapping;
-            // IP values are handled below to allow conversion checks.
-            if (ctx.ti_crowdstrike.ioc.type == 'domain') {
-              ctx.threat.indicator.url = ctx.threat.indicator.url ?: [:];
-              ctx.threat.indicator.url.domain = ctx.ti_crowdstrike?.ioc.value;
-            } else if (ctx.ti_crowdstrike.ioc.type == 'md5') {
-              ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
-              ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
+          ctx.threat.indicator.type = mapping;
+          // IP values are handled below to allow conversion checks.
+          if (ctx.ti_crowdstrike.ioc.type == 'domain') {
+            ctx.threat.indicator.url = ctx.threat.indicator.url ?: [:];
+            ctx.threat.indicator.url.domain = ctx.ti_crowdstrike?.ioc.value;
+          } else if (mapping == 'file') {
+            ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
+            ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
+            if (ctx.ti_crowdstrike.ioc.type == 'md5') {
               ctx.threat.indicator.file.hash.md5 = ctx.ti_crowdstrike?.ioc.value;
             } else if (ctx.ti_crowdstrike.ioc.type == 'sha256') {
-              ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
-              ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
               ctx.threat.indicator.file.hash.sha256 = ctx.ti_crowdstrike?.ioc.value;
             } else if (ctx.ti_crowdstrike.ioc.type == 'sha1') {
-              ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
-              ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
               ctx.threat.indicator.file.hash.sha1 = ctx.ti_crowdstrike?.ioc.value;
             }
+          }
         }
       on_failure:
         - append: