
ti_crowdstrike: populate required threat.intelligence fields #12915

Merged
merged 2 commits into from
Mar 3, 2025

Conversation

efd6
Contributor

@efd6 efd6 commented Feb 27, 2025

Proposed commit message

ti_crowdstrike: populate required threat.intelligence fields

The Security Intelligence view Indicator is populated by logic in
kibana[1,2], so make sure we match that logic to make sure the relevant
value is visible.

[1] https://github.com/elastic/kibana/blob/33c18c72fa019430c6b73503dc3176e0136e3861/x-pack/solutions/security/plugins/threat_intelligence/server/utils/indicator_name.ts#L19C1-L53C1
[2] https://github.com/elastic/kibana/blob/33c18c72fa019430c6b73503dc3176e0136e3861/x-pack/solutions/security/plugins/threat_intelligence/common/types/indicator.ts#L11-L51

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

Screenshot from 2025-02-27 16-35-52

@efd6 efd6 added bugfix Pull request that fixes a bug issue Integration:ti_crowdstrike CrowdStrike Falcon Intelligence Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Feb 27, 2025
@efd6 efd6 self-assigned this Feb 27, 2025
@efd6 efd6 force-pushed the 12852-ti_crowdstrike branch 2 times, most recently from fc82ad3 to 1a6adff Compare February 27, 2025 04:51
@efd6 efd6 force-pushed the 12852-ti_crowdstrike branch from 1a6adff to fe4622e Compare February 27, 2025 05:31
@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Feb 27, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review February 27, 2025 05:57
@efd6 efd6 requested a review from a team as a code owner February 27, 2025 05:57
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Comment on lines 298 to 310
} else if (ctx.ti_crowdstrike.ioc.type == 'md5') {
ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
ctx.threat.indicator.file.hash.md5 = ctx.ti_crowdstrike?.ioc.value;
} else if (ctx.ti_crowdstrike.ioc.type == 'sha256') {
ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
ctx.threat.indicator.file.hash.sha256 = ctx.ti_crowdstrike?.ioc.value;
} else if (ctx.ti_crowdstrike.ioc.type == 'sha1') {
ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
ctx.threat.indicator.file.hash.sha1 = ctx.ti_crowdstrike?.ioc.value;
}
Contributor


With this we could reduce a few checks, but I will leave it to you.

if (mapping == 'file') {
  ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
  ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
}

Contributor Author


That's really nice. Thanks.
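As an added example (not code from the ti_crowdstrike integration or from Kibana), the following Python emulates the hash branch reviewed above and then runs a simplified indicator-name lookup keyed on threat.indicator.type, in the spirit of the Kibana logic cited in the commit message. The NAME_FIELDS and IOC_MAP tables, the ipv4 entry and the sample event are assumptions; the point it shows is that copying the hash value without also setting the matching indicator type leaves the Indicator column empty.

```python
from copy import deepcopy

# Assumed, simplified lookup in the spirit of Kibana's indicator_name.ts (not
# Kibana's code): ECS indicator type -> candidate fields, first populated wins.
NAME_FIELDS = {
    "file": ["threat.indicator.file.hash.sha256",
             "threat.indicator.file.hash.md5",
             "threat.indicator.file.hash.sha1"],
    "ipv4-addr": ["threat.indicator.ip"],
}
# Assumed CrowdStrike ioc.type -> (ECS indicator type, target field) mapping.
IOC_MAP = {
    "md5": ("file", "threat.indicator.file.hash.md5"),
    "sha1": ("file", "threat.indicator.file.hash.sha1"),
    "sha256": ("file", "threat.indicator.file.hash.sha256"),
    "ipv4": ("ipv4-addr", "threat.indicator.ip"),
}

def _get(doc, path):
    for key in path.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def _set(doc, path, value):
    *parents, last = path.split(".")
    for key in parents:  # like the Painless `x = x ?: [:]` chain
        doc = doc.setdefault(key, {})
    doc[last] = value

def enrich(doc, set_type=True):
    """Copy ioc.value into its ECS field; set_type=False reproduces the symptom."""
    out = deepcopy(doc)
    ioc = _get(out, "ti_crowdstrike.ioc") or {}
    if ioc.get("type") not in IOC_MAP:  # unknown type: leave the event untouched
        return out
    ecs_type, field = IOC_MAP[ioc["type"]]
    _set(out, field, ioc["value"])
    if set_type:
        _set(out, "threat.indicator.type", ecs_type)
    return out

def indicator_name(doc):
    """First populated name field for the event's indicator type, else None."""
    for field in NAME_FIELDS.get(_get(doc, "threat.indicator.type"), []):
        value = _get(doc, field)
        if value:
            return value
    return None

# Constructed sample event, not real CrowdStrike data.
SAMPLE = {"ti_crowdstrike": {"ioc": {"type": "md5", "value": "a1b2c3d4" * 4}}}
```

Running `indicator_name(enrich(SAMPLE))` returns the MD5 value, while `indicator_name(enrich(SAMPLE, set_type=False))` returns None even though the hash field is populated.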

@efd6 efd6 requested a review from kcreddy March 2, 2025 20:47
@efd6 efd6 force-pushed the 12852-ti_crowdstrike branch from cd50948 to df11fca Compare March 2, 2025 21:51
@elasticmachine

💚 Build Succeeded


cc @efd6

@efd6 efd6 merged commit 5841a40 into elastic:main Mar 3, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package ti_crowdstrike - 2.3.2 containing this change is available at https://epr.elastic.co/package/ti_crowdstrike/2.3.2/

Successfully merging this pull request may close these issues.

[CrowdStrike TI]: Indicator column in Security Intelligence not filled