ti_misp: harmonise distribution type to long (#5908)

There was a type mapping conflict between misp.event.distribution in the two datastreams. The numeric type was chosen over the keyword since in the MISP documentation the distribution value is an ordered entity, so this make the fields use as such possible in ES.

Author: efd6

packages/ti_misp/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.1"
+ changes:
+ - description: Harmonise distribution fields to type long.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5908
 - version: "1.12.0"
  changes:
  - description: Add Attributes datastream

packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-attributes-ndjson.log-expected.json

@@ -31,7 +31,7 @@
  "attribute_count": 1,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3631",
  "info": "Test event 1 just atrributes",
@@ -108,7 +108,7 @@
  "attribute_count": 4,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3632",
  "info": "Test event 2 just more atrributes",
@@ -185,7 +185,7 @@
  "attribute_count": 4,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3632",
  "info": "Test event 2 just more atrributes",
@@ -260,7 +260,7 @@
  "attribute_count": 4,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3632",
  "info": "Test event 2 just more atrributes",
@@ -333,7 +333,7 @@
  "attribute_count": 4,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3632",
  "info": "Test event 2 just more atrributes",
@@ -426,7 +426,7 @@
  "attribute_count": 6,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3633",
  "info": "Test event 3 objects and attributes",
@@ -517,7 +517,7 @@
  "attribute_count": 6,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3633",
  "info": "Test event 3 objects and attributes",
@@ -607,7 +607,7 @@
  "attribute_count": 6,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3633",
  "info": "Test event 3 objects and attributes",
@@ -703,7 +703,7 @@
  "attribute_count": 6,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3633",
  "info": "Test event 3 objects and attributes",
@@ -799,7 +799,7 @@
  "attribute_count": 6,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3633",
  "info": "Test event 3 objects and attributes",
@@ -876,7 +876,7 @@
  "attribute_count": 3,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3634",
  "info": "Test event 4 with object",
@@ -948,7 +948,7 @@
  "attribute_count": 3,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3634",
  "info": "Test event 4 with object",
@@ -1026,7 +1026,7 @@
  "attribute_count": 3,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3634",
  "info": "Test event 4 with object",
@@ -1103,7 +1103,7 @@
  "attribute_count": 5,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3635",
  "info": "Test event 5 with an object",
@@ -1176,7 +1176,7 @@
  "attribute_count": 5,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3635",
  "info": "Test event 5 with an object",
@@ -1249,7 +1249,7 @@
  "attribute_count": 5,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3635",
  "info": "Test event 5 with an object",
@@ -1321,7 +1321,7 @@
  "attribute_count": 5,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3635",
  "info": "Test event 5 with an object",
@@ -1399,7 +1399,7 @@
  "attribute_count": 5,
  "date": "2021-05-21",
  "disable_correlation": false,
- "distribution": "1",
+ "distribution": 1,
  "extends_uuid": "",
  "id": "3635",
  "info": "Test event 5 with an object",
@@ -1494,7 +1494,7 @@
  "attribute_count": 9,
  "date": "2021-05-28",
  "disable_correlation": false,
- "distribution": "0",
+ "distribution": 0,
  "extends_uuid": "",
  "id": "3636",
  "info": "Test event 6 with multiple objects and multiple attributes",
@@ -1585,7 +1585,7 @@
  "attribute_count": 9,
  "date": "2021-05-28",
  "disable_correlation": false,
- "distribution": "0",
+ "distribution": 0,
  "extends_uuid": "",
  "id": "3636",
  "info": "Test event 6 with multiple objects and multiple attributes",
@@ -1676,7 +1676,7 @@
  "attribute_count": 9,
  "date": "2021-05-28",
  "disable_correlation": false,
- "distribution": "0",
+ "distribution": 0,
  "extends_uuid": "",
  "id": "3636",
  "info": "Test event 6 with multiple objects and multiple attributes",
@@ -1767,7 +1767,7 @@
  "attribute_count": 9,
  "date": "2021-05-28",
  "disable_correlation": false,
- "distribution": "0",
+ "distribution": 0,
  "extends_uuid": "",
  "id": "3636",
  "info": "Test event 6 with multiple objects and multiple attributes",
@@ -1858,7 +1858,7 @@
  "attribute_count": 9,
  "date": "2021-05-28",
  "disable_correlation": false,
- "distribution": "0",
+ "distribution": 0,
  "extends_uuid": "",
  "id": "3636",
  "info": "Test event 6 with multiple objects and multiple attributes",
@@ -1948,7 +1948,7 @@
  "attribute_count": 9,
  "date": "2021-05-28",
  "disable_correlation": false,
- "distribution": "0",
+ "distribution": 0,
  "extends_uuid": "",
  "id": "3636",
  "info": "Test event 6 with multiple objects and multiple attributes",
@@ -2044,7 +2044,7 @@
  "attribute_count": 9,
  "date": "2021-05-28",
  "disable_correlation": false,
- "distribution": "0",
+ "distribution": 0,
  "extends_uuid": "",
  "id": "3636",
  "info": "Test event 6 with multiple objects and multiple attributes",
@@ -2140,7 +2140,7 @@
  "attribute_count": 9,
  "date": "2021-05-28",
  "disable_correlation": false,
- "distribution": "0",
+ "distribution": 0,
  "extends_uuid": "",
  "id": "3636",
  "info": "Test event 6 with multiple objects and multiple attributes",

packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-long-ndjson.log-expected.json

@@ -50,7 +50,7 @@
  "attribute_count": 9,
  "date": "2021-05-28",
  "disable_correlation": false,
- "distribution": "0",
+ "distribution": 0,
  "extends_uuid": "",
  "id": "3636",
  "info": "Test event 6 with multiple objects and multiple attributes",
@@ -136,7 +136,7 @@
  "attribute_count": 9,
  "date": "2021-05-28",
  "disable_correlation": false,
- "distribution": "0",
+ "distribution": 0,
  "extends_uuid": "",
  "id": "3636",
  "info": "Test event 6 with multiple objects and multiple attributes",

packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json

@@ -31,7 +31,7 @@
  "attribute_count": 7,
  "date": "2017-08-25",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "5",
  "info": "OSINT - New Arena Crysis Ransomware Variant Released",
@@ -112,7 +112,7 @@
  "attribute_count": 7,
  "date": "2017-08-25",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "5",
  "info": "OSINT - New Arena Crysis Ransomware Variant Released",
@@ -192,7 +192,7 @@
  "attribute_count": 100,
  "date": "2017-03-30",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "4",
  "info": "OSINT - Carbon Paper: Peering into Turla’s second stage backdoor",
@@ -272,7 +272,7 @@
  "attribute_count": 29,
  "date": "2014-10-03",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "2",
  "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
@@ -350,7 +350,7 @@
  "attribute_count": 29,
  "date": "2014-10-03",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "2",
  "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
@@ -424,7 +424,7 @@
  "attribute_count": 29,
  "date": "2014-10-03",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "2",
  "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
@@ -501,7 +501,7 @@
  "attribute_count": 29,
  "date": "2014-10-03",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "2",
  "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
@@ -573,7 +573,7 @@
  "attribute_count": 29,
  "date": "2014-10-03",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "2",
  "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
@@ -651,7 +651,7 @@
  "attribute_count": 29,
  "date": "2014-10-03",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "2",
  "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
@@ -727,7 +727,7 @@
  "attribute_count": 61,
  "date": "2018-01-08",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "158",
  "info": "Turla: Mosquito Whitepaper",
@@ -809,7 +809,7 @@
  "attribute_count": 61,
  "date": "2018-01-08",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "158",
  "info": "Turla: Mosquito Whitepaper",
@@ -883,7 +883,7 @@
  "attribute_count": 61,
  "date": "2018-01-08",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "158",
  "info": "Turla: Mosquito Whitepaper",
@@ -963,7 +963,7 @@
  "attribute_count": 133,
  "date": "2015-12-08",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "22",
  "info": "Packrat: Seven Years of a South American Threat Actor",
@@ -1038,7 +1038,7 @@
  "attribute_count": 133,
  "date": "2015-12-08",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "22",
  "info": "Packrat: Seven Years of a South American Threat Actor",
@@ -1113,7 +1113,7 @@
  "attribute_count": 15,
  "date": "2020-12-09",
  "disable_correlation": false,
- "distribution": "3",
+ "distribution": 3,
  "extends_uuid": "",
  "id": "10",
  "info": "Recent Qakbot (Qbot) activity",