From df11fca2d227a034eb553f81700ec380aa8802f1 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Mon, 3 Mar 2025 07:17:05 +1030
Subject: [PATCH] address pr comment
---
.../elasticsearch/ingest_pipeline/default.yml | 22 +++++++++----------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/packages/ti_crowdstrike/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml b/packages/ti_crowdstrike/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml
index f2f5793d591..23334c12547 100644
--- a/packages/ti_crowdstrike/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_crowdstrike/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml
@@ -290,24 +290,22 @@ processors:
 source: >
 String mapping = params[ctx.ti_crowdstrike.ioc.type];
 if (mapping != null) {
- ctx.threat.indicator.type = mapping;
- // IP values are handled below to allow conversion checks.
- if (ctx.ti_crowdstrike.ioc.type == 'domain') {
- ctx.threat.indicator.url = ctx.threat.indicator.url ?: [:];
- ctx.threat.indicator.url.domain = ctx.ti_crowdstrike?.ioc.value;
- } else if (ctx.ti_crowdstrike.ioc.type == 'md5') {
- ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
- ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
+ ctx.threat.indicator.type = mapping;
+ // IP values are handled below to allow conversion checks.
+ if (ctx.ti_crowdstrike.ioc.type == 'domain') {
+ ctx.threat.indicator.url = ctx.threat.indicator.url ?: [:];
+ ctx.threat.indicator.url.domain = ctx.ti_crowdstrike?.ioc.value;
+ } else if (mapping == 'file') {
+ ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
+ ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
+ if (ctx.ti_crowdstrike.ioc.type == 'md5') {
 ctx.threat.indicator.file.hash.md5 = ctx.ti_crowdstrike?.ioc.value;
 } else if (ctx.ti_crowdstrike.ioc.type == 'sha256') {
- ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
- ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
 ctx.threat.indicator.file.hash.sha256 = ctx.ti_crowdstrike?.ioc.value;
 } else if (ctx.ti_crowdstrike.ioc.type == 'sha1') {
- ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
- ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
 ctx.threat.indicator.file.hash.sha1 = ctx.ti_crowdstrike?.ioc.value;
 }
+ }
 }
 on_failure:
 - append:
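Review bot: With `} else if (mapping == 'file') {` the `file` and `file.hash` maps are now created before the `md5`/`sha256`/`sha1` check, so any `ioc.type` that `params` maps to `file` but that is none of those three leaves an empty `threat.indicator.file.hash` object on the document where the old code set nothing; whether such a type exists depends on the `params` block, which is outside the hunk. If that is intended, a comment above the `if (ctx.ti_crowdstrike.ioc.type == 'md5')` line such as `// Other file-type IOCs get an empty hash object; the type is still recorded in threat.indicator.type.` would make it explicit; otherwise the two `?: [:]` lines should move back inside the inner chain, or the branch should test the hash type before creating the maps. Separately, `ctx.ti_crowdstrike?.ioc.value` keeps a null-safe `?.` on `ti_crowdstrike` although the first line of the script already dereferences `ctx.ti_crowdstrike.ioc.type` without one, so the guard cannot take effect here; `ctx.ti_crowdstrike.ioc.value` would be consistent with the rest of the script. The enclosing script processor and its `params` start outside the hunk.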