
Commit 701130a

committed
Threatq - Fix ECS date mapping on threat fields
1 parent db63812 commit 701130a


5 files changed

+31
-17
lines changed


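--- a/packages/ti_threatq/changelog.yml
+++ b/packages/ti_threatq/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.28.1"
+  changes:
+    - description: Fix ECS date mapping on threat fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10674
 - version: "1.28.0"
   changes:
     - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.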
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
- external: ecs
2+
name: threat.indicator.first_seen
3+
- external: ecs
4+
name: threat.indicator.last_seen
5+
- external: ecs
6+
name: threat.indicator.modified_at
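Review bot: Nothing in these six lines records why three ECS date fields are now declared explicitly when release 1.28.0 (the changelog hunk above) removed ECS field definitions as redundant with the ecs@mappings component template, so a later reader may take this for a regression rather than a fix. A one-line comment at the top of the file naming the cause — presumably that ecs@mappings does not map these three as `date` — would make the intent self-explanatory, e.g. `# Declared explicitly: the ecs@mappings component template does not map these indicator date fields as date.`, if that is indeed the reason. The file header for this section is not rendered on the page, so I cannot tell which fields file these lines belong to.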

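--- a/packages/ti_threatq/data_stream/threat/sample_event.json
+++ b/packages/ti_threatq/data_stream/threat/sample_event.json
@@ -1,33 +1,33 @@
 {
     "@timestamp": "2019-11-15T00:00:02.000Z",
     "agent": {
-        "ephemeral_id": "b61f9d9a-97f7-4d8a-9ec1-535a1ca13e89",
-        "id": "8130bdff-3530-4540-8c03-ba091c47a24f",
+        "ephemeral_id": "9f1b0b7f-5be0-463d-9551-3d66aab12b6f",
+        "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.11.0"
+        "version": "8.13.0"
     },
     "data_stream": {
         "dataset": "ti_threatq.threat",
-        "namespace": "ep",
+        "namespace": "94389",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "8130bdff-3530-4540-8c03-ba091c47a24f",
+        "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
         "snapshot": false,
-        "version": "8.11.0"
+        "version": "8.13.0"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
             "threat"
         ],
-        "created": "2023-12-22T11:40:37.696Z",
+        "created": "2024-08-02T06:46:26.556Z",
         "dataset": "ti_threatq.threat",
-        "ingested": "2023-12-22T11:40:38Z",
+        "ingested": "2024-08-02T06:46:36Z",
         "kind": "enrichment",
         "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1877,\"indicator_id\":336,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1878,\"indicator_id\":336,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"MP\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"1ece659dcec98b1e1141160b55655c96\",\"id\":336,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":336,\"indicator_id\":336,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"Poses a threat\",\"id\":2,\"name\":\"Active\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2019-11-15 00:00:02\",\"value\":\"89.160.20.156\"}",
         "type": [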
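Review bot: None of the three date fields this commit maps (threat.indicator.first_seen, last_seen, modified_at) appear in the regenerated sample within this hunk, so the sample does not show that those values now index as `date`; the hunk covers only lines 1–33 of the file and the rest of the sample is outside it, so they may well appear further down. If they do not, regenerating the sample from an event that carries at least one of these fields would make the bugfix verifiable from the package docs. The remaining changes in the hunk (agent and elastic_agent ids, `data_stream.namespace` "ep" → "94389", event.created / event.ingested) are test-run churn and have no bearing on the fix. The same sample is duplicated verbatim in the README section below, so whatever is regenerated here should be mirrored there.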

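--- a/packages/ti_threatq/docs/README.md
+++ b/packages/ti_threatq/docs/README.md
@@ -45,6 +45,9 @@ To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_thre
 | log.flags | Flags for the log file. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
 | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 | threatq.adversaries | Adversaries that are linked to the object | keyword |
 | threatq.attributes | These provide additional context about an object | flattened |
 | threatq.created_at | Object creation time | date |
@@ -67,33 +70,33 @@ An example event for `threat` looks as following:
 {
     "@timestamp": "2019-11-15T00:00:02.000Z",
     "agent": {
-        "ephemeral_id": "b61f9d9a-97f7-4d8a-9ec1-535a1ca13e89",
-        "id": "8130bdff-3530-4540-8c03-ba091c47a24f",
+        "ephemeral_id": "9f1b0b7f-5be0-463d-9551-3d66aab12b6f",
+        "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.11.0"
+        "version": "8.13.0"
     },
     "data_stream": {
         "dataset": "ti_threatq.threat",
-        "namespace": "ep",
+        "namespace": "94389",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "8130bdff-3530-4540-8c03-ba091c47a24f",
+        "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
         "snapshot": false,
-        "version": "8.11.0"
+        "version": "8.13.0"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
             "threat"
         ],
-        "created": "2023-12-22T11:40:37.696Z",
+        "created": "2024-08-02T06:46:26.556Z",
         "dataset": "ti_threatq.threat",
-        "ingested": "2023-12-22T11:40:38Z",
+        "ingested": "2024-08-02T06:46:36Z",
         "kind": "enrichment",
         "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1877,\"indicator_id\":336,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1878,\"indicator_id\":336,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"MP\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"1ece659dcec98b1e1141160b55655c96\",\"id\":336,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":336,\"indicator_id\":336,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"Poses a threat\",\"id\":2,\"name\":\"Active\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2019-11-15 00:00:02\",\"value\":\"89.160.20.156\"}",
         "type": [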

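--- a/packages/ti_threatq/manifest.yml
+++ b/packages/ti_threatq/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_threatq
 title: ThreatQuotient
-version: "1.28.0"
+version: "1.28.1"
 description: Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent.
 type: integration
 format_version: "3.0.2"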
