diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts
index 51511fad90b30..5c41e92661e58 100644
--- a/x-pack/plugins/security_solution/common/constants.ts
+++ b/x-pack/plugins/security_solution/common/constants.ts
@@ -61,10 +61,10 @@ export const DEFAULT_SPACE_ID = 'default';
 
 // Document path where threat indicator fields are expected. Fields are used
 // to enrich signals, and are copied to threat.enrichments.
-export const DEFAULT_INDICATOR_SOURCE_PATH = 'threatintel.indicator';
+export const DEFAULT_INDICATOR_SOURCE_PATH = 'threat.indicator';
 export const ENRICHMENT_DESTINATION_PATH = 'threat.enrichments';
 export const DEFAULT_THREAT_INDEX_KEY = 'securitySolution:defaultThreatIndex';
-export const DEFAULT_THREAT_INDEX_VALUE = ['filebeat-*'];
+export const DEFAULT_THREAT_INDEX_VALUE = ['logs-ti_*'];
 export const DEFAULT_THREAT_MATCH_QUERY = '@timestamp >= "now-30d"';
 
 export enum SecurityPageName {
diff --git a/x-pack/plugins/security_solution/common/cti/constants.ts b/x-pack/plugins/security_solution/common/cti/constants.ts
index 2c50c8e0d12ad..e63385a15062f 100644
--- a/x-pack/plugins/security_solution/common/cti/constants.ts
+++ b/x-pack/plugins/security_solution/common/cti/constants.ts
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { ENRICHMENT_DESTINATION_PATH } from '../constants';
+import { ENRICHMENT_DESTINATION_PATH, DEFAULT_INDICATOR_SOURCE_PATH } from '../constants';
 
 export const MATCHED_ATOMIC = 'matched.atomic';
 export const MATCHED_FIELD = 'matched.field';
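Review bot: Changing DEFAULT_INDICATOR_SOURCE_PATH and DEFAULT_THREAT_INDEX_VALUE only moves the defaults; rules and spaces that already persisted `threatintel.indicator` or `['filebeat-*']` (the `securitySolution:defaultThreatIndex` advanced setting is keyed just below) keep those values, and nothing in this diff migrates them, so existing indicator-match rules would presumably stop matching once indicators are written only under `threat.indicator` in `logs-ti_*`. A saved-object migration, or at least a release note naming both old and new values, seems needed before this ships. The comment above the constant could also record the change: `// Changed from 'threatintel.indicator' to 'threat.indicator' together with the logs-ti_* default index; rules saved earlier keep whatever path and index pattern they were created with.`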
@@ -43,27 +43,27 @@ export enum ENRICHMENT_TYPES {
 }
 
 export const EVENT_ENRICHMENT_INDICATOR_FIELD_MAP = {
- 'file.hash.md5': 'threatintel.indicator.file.hash.md5',
- 'file.hash.sha1': 'threatintel.indicator.file.hash.sha1',
- 'file.hash.sha256': 'threatintel.indicator.file.hash.sha256',
- 'file.pe.imphash': 'threatintel.indicator.file.pe.imphash',
- 'file.elf.telfhash': 'threatintel.indicator.file.elf.telfhash',
- 'file.hash.ssdeep': 'threatintel.indicator.file.hash.ssdeep',
- 'source.ip': 'threatintel.indicator.ip',
- 'destination.ip': 'threatintel.indicator.ip',
- 'url.full': 'threatintel.indicator.url.full',
- 'registry.path': 'threatintel.indicator.registry.path',
+ 'file.hash.md5': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.hash.md5`,
+ 'file.hash.sha1': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.hash.sha1`,
+ 'file.hash.sha256': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.hash.sha256`,
+ 'file.pe.imphash': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.pe.imphash`,
+ 'file.elf.telfhash': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.elf.telfhash`,
+ 'file.hash.ssdeep': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.hash.ssdeep`,
+ 'source.ip': `${DEFAULT_INDICATOR_SOURCE_PATH}.ip`,
+ 'destination.ip': `${DEFAULT_INDICATOR_SOURCE_PATH}.ip`,
+ 'url.full': `${DEFAULT_INDICATOR_SOURCE_PATH}.url.full`,
+ 'registry.path': `${DEFAULT_INDICATOR_SOURCE_PATH}.registry.path`,
 };
 
 export const DEFAULT_EVENT_ENRICHMENT_FROM = 'now-30d';
 export const DEFAULT_EVENT_ENRICHMENT_TO = 'now';
 
 export const CTI_DATASET_KEY_MAP: { [key: string]: string } = {
- 'Abuse URL': 'threatintel.abuseurl',
- 'Abuse Malware': 'threatintel.abusemalware',
- 'AlienVault OTX': 'threatintel.otx',
- Anomali: 'threatintel.anomali',
- 'Malware Bazaar': 'threatintel.malwarebazaar',
- MISP: 'threatintel.misp',
- 'Recorded Future': 'threatintel.recordedfuture',
+ 'Abuse URL': 'ti_abusech.url',
+ 'Abuse Malware': 'ti_abusech.malware',
+ 'Malware Bazaar': 'ti_abusech.malwarebazaar',
+ 'AlienVault OTX': 'ti_otx.threat',
+ 'Anomali Limo': 'ti_anomali.limo',
+ 'Anomali ThreatStream': 'ti_anomali.threatstream',
+ MISP: 'ti_misp.threat',
 };
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts
index 7898962b1a72d..4656a200ccac6 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts
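Review bot: CTI_DATASET_KEY_MAP drops the `'Recorded Future'` entry and renames `Anomali` to `'Anomali Limo'`, and because the map is typed `{ [key: string]: string }` any caller still looking up the old display names gets `undefined` rather than a compile error. Declaring it `export const CTI_DATASET_KEY_MAP = { ... } as const;` and exporting `type CtiDatasetName = keyof typeof CTI_DATASET_KEY_MAP;` would surface the removal at every use site. EVENT_ENRICHMENT_INDICATOR_FIELD_MAP now derives its values from DEFAULT_INDICATOR_SOURCE_PATH, which is the default path; if the indicator path is configurable per rule elsewhere (not visible in this hunk), enrichment lookups built from this map would still query the default path, which deserves a comment on the map such as `// Values follow the default indicator path; per-rule overrides are not reflected here.`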
@@ -52,29 +52,29 @@ export const buildEventEnrichmentRawResponseMock = (): IEsSearchResponse => ({ _score: 6.0637846, fields: { 'event.category': ['threat'], - 'threatintel.indicator.file.type': ['html'], + 'threat.indicator.file.type': ['html'], 'related.hash': [ '5529de7b60601aeb36f57824ed0e1ae8', '15b012e6f626d0f88c2926d2bf4ca394d7b8ee07cc06d2ec05ea76bed3e8a05e', '768:NXSFGJ/ooP6FawrB7Bo1MWnF/jRmhJImp:1SFXIqBo1Mwj2p', ], - 'threatintel.indicator.first_seen': ['2021-05-28T18:33:29.000Z'], - 'threatintel.indicator.file.hash.tlsh': [ + 'threat.indicator.first_seen': ['2021-05-28T18:33:29.000Z'], + 'threat.indicator.file.hash.tlsh': [ 'FFB20B82F6617061C32784E2712F7A46B179B04FD1EA54A0F28CD8E9CFE4CAA1617F1C', ], 'service.type': ['threatintel'], - 'threatintel.indicator.file.hash.ssdeep': [ + 'threat.indicator.file.hash.ssdeep': [ '768:NXSFGJ/ooP6FawrB7Bo1MWnF/jRmhJImp:1SFXIqBo1Mwj2p', ], 'agent.type': ['filebeat'], 'event.module': ['threatintel'], - 'threatintel.indicator.type': ['file'], + 'threat.indicator.type': ['file'], 'agent.name': ['rylastic.local'], - 'threatintel.indicator.file.hash.sha256': [ + 'threat.indicator.file.hash.sha256': [ '15b012e6f626d0f88c2926d2bf4ca394d7b8ee07cc06d2ec05ea76bed3e8a05e', ], 'event.kind': ['enrichment'], - 'threatintel.indicator.file.hash.md5': ['5529de7b60601aeb36f57824ed0e1ae8'], + 'threat.indicator.file.hash.md5': ['5529de7b60601aeb36f57824ed0e1ae8'], 'fileset.name': ['abusemalware'], 'input.type': ['httpjson'], 'agent.hostname': ['rylastic.local'], @@ -89,9 +89,9 @@ export const buildEventEnrichmentRawResponseMock = (): IEsSearchResponse => ({ 'event.type': ['indicator'], 'event.created': ['2021-05-28T18:33:52.993Z'], 'agent.ephemeral_id': ['d6b14f65-5bf3-430d-8315-7b5613685979'], - 'threatintel.indicator.file.size': [24738], + 'threat.indicator.file.size': [24738], 'agent.version': ['8.0.0'], - 'event.dataset': ['threatintel.abusemalware'], + 'event.dataset': ['ti_abusech.malware'], }, matched_queries: ['file.hash.md5'], }, 
@@ -113,7 +113,7 @@ export const buildEventEnrichmentMock = ( 'ecs.version': ['1.6.0'], 'event.category': ['threat'], 'event.created': ['2021-05-28T18:33:52.993Z'], - 'event.dataset': ['threatintel.abusemalware'], + 'event.dataset': ['ti_abusech.malware'], 'event.ingested': ['2021-05-28T18:33:55.086Z'], 'event.kind': ['enrichment'], 'event.module': ['threatintel'], @@ -135,20 +135,18 @@ export const buildEventEnrichmentMock = ( ], 'service.type': ['threatintel'], tags: ['threatintel-abusemalware', 'forwarded'], - 'threatintel.indicator.file.hash.md5': ['5529de7b60601aeb36f57824ed0e1ae8'], - 'threatintel.indicator.file.hash.sha256': [ + 'threat.indicator.file.hash.md5': ['5529de7b60601aeb36f57824ed0e1ae8'], + 'threat.indicator.file.hash.sha256': [ '15b012e6f626d0f88c2926d2bf4ca394d7b8ee07cc06d2ec05ea76bed3e8a05e', ], - 'threatintel.indicator.file.hash.ssdeep': [ - '768:NXSFGJ/ooP6FawrB7Bo1MWnF/jRmhJImp:1SFXIqBo1Mwj2p', - ], - 'threatintel.indicator.file.hash.tlsh': [ + 'threat.indicator.file.hash.ssdeep': ['768:NXSFGJ/ooP6FawrB7Bo1MWnF/jRmhJImp:1SFXIqBo1Mwj2p'], + 'threat.indicator.file.hash.tlsh': [ 'FFB20B82F6617061C32784E2712F7A46B179B04FD1EA54A0F28CD8E9CFE4CAA1617F1C', ], - 'threatintel.indicator.file.size': [24738], - 'threatintel.indicator.file.type': ['html'], - 'threatintel.indicator.first_seen': ['2021-05-28T18:33:29.000Z'], - 'threatintel.indicator.type': ['file'], + 'threat.indicator.file.size': [24738], + 'threat.indicator.file.type': ['html'], + 'threat.indicator.first_seen': ['2021-05-28T18:33:29.000Z'], + 'threat.indicator.type': ['file'], ...overrides, }); diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/cti_enrichments.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/cti_enrichments.spec.ts index 8d60dc33216c0..b3c6abcd8e426 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/cti_enrichments.spec.ts 
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/cti_enrichments.spec.ts @@ -79,7 +79,7 @@ describe('CTI Enrichment', () => { { line: 4, text: ' "threat": {' }, { line: 3, - text: ' "enrichments": "{\\"indicator\\":{\\"first_seen\\":\\"2021-03-10T08:02:14.000Z\\",\\"file\\":{\\"size\\":80280,\\"pe\\":{},\\"type\\":\\"elf\\",\\"hash\\":{\\"sha256\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"tlsh\\":\\"6D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\\",\\"ssdeep\\":\\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\\",\\"md5\\":\\"9b6c3518a91d23ed77504b5416bfb5b3\\"}},\\"type\\":\\"file\\"},\\"matched\\":{\\"atomic\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"field\\":\\"myhash.mysha256\\",\\"id\\":\\"84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f\\",\\"index\\":\\"filebeat-7.12.0-2021.03.10-000001\\",\\"type\\":\\"indicator_match_rule\\"}}"', + text: ' "enrichments": "{\\"indicator\\":{\\"first_seen\\":\\"2021-03-10T08:02:14.000Z\\",\\"file\\":{\\"size\\":80280,\\"pe\\":{},\\"type\\":\\"elf\\",\\"hash\\":{\\"sha256\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"tlsh\\":\\"6D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\\",\\"ssdeep\\":\\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\\",\\"md5\\":\\"9b6c3518a91d23ed77504b5416bfb5b3\\"}},\\"type\\":\\"file\\"},\\"matched\\":{\\"atomic\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"field\\":\\"myhash.mysha256\\",\\"id\\":\\"84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f\\",\\"index\\":\\"logs-ti_abusech.malware\\",\\"type\\":\\"indicator_match_rule\\"}}"', }, { line: 2, text: ' }' }, ]; 
@@ -127,7 +127,7 @@ describe('CTI Enrichment', () => {
 field: 'matched.id',
 value: '84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f',
 },
- { field: 'matched.index', value: 'filebeat-7.12.0-2021.03.10-000001' },
+ { field: 'matched.index', value: 'logs-ti_abusech.malware' },
 { field: 'matched.type', value: 'indicator_match_rule' },
 ];
 
diff --git a/x-pack/plugins/security_solution/cypress/objects/rule.ts b/x-pack/plugins/security_solution/cypress/objects/rule.ts
index 788e177fec721..4b061865d632b 100644
--- a/x-pack/plugins/security_solution/cypress/objects/rule.ts
+++ b/x-pack/plugins/security_solution/cypress/objects/rule.ts
@@ -108,7 +108,7 @@ export const getIndexPatterns = (): string[] => [
 'winlogbeat-*',
 ];
 
-export const getThreatIndexPatterns = (): string[] => ['filebeat-*'];
+export const getThreatIndexPatterns = (): string[] => ['logs-ti_*'];
 
 const getMitre1 = (): Mitre => ({
 tactic: `${getMockThreatData().tactic.name} (${getMockThreatData().tactic.id})`,
@@ -380,7 +380,7 @@ export const getNewThreatIndicatorRule = (): ThreatIndicatorRule => ({
 lookBack: getLookBack(),
 indicatorIndexPattern: ['filebeat-*'],
 indicatorMappingField: 'myhash.mysha256',
- indicatorIndexField: 'threatintel.indicator.file.hash.sha256',
+ indicatorIndexField: 'threat.indicator.file.hash.sha256',
 type: 'file',
 atomic: 'a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3',
 timeline: getIndicatorMatchTimelineTemplate(),
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.test.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.test.tsx
index ff6a72f735e77..2b1e73c1141c4 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.test.tsx
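Review bot: `indicatorIndexPattern: ['filebeat-*']` in getNewThreatIndicatorRule is left unchanged while getThreatIndexPatterns in the hunk above now returns `['logs-ti_*']` and the Cypress archives later in this diff rename their index to `logs-ti_abusech.malware`; unless that archive still exposes a `filebeat-*` alias (threat_indicator2/mappings.json renames its alias to `logs-ti`, threat_indicator/mappings.json only renames the index and its alias name is outside the hunk), the fixture rule would query an index pattern holding no `threat.indicator.*` documents. Using the shared helper keeps the two values in step: `indicatorIndexPattern: getThreatIndexPatterns(),`. getNewThreatIndicatorRule starts and ends outside the hunk.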
@@ -37,7 +37,7 @@ describe('ThreatDetailsView', () => { it('renders an anchor link for indicator.reference', () => { const enrichments = [ buildEventEnrichmentMock({ - 'threatintel.indicator.reference': ['http://foo.baz'], + 'threat.indicator.reference': ['http://foo.baz'], }), ]; const wrapper = mount( @@ -60,10 +60,10 @@ describe('ThreatDetailsView', () => { const existingEnrichment = buildEventEnrichmentMock({ 'indicator.first_seen': [mostRecentDate], }); - delete existingEnrichment['threatintel.indicator.first_seen']; + delete existingEnrichment['threat.indicator.first_seen']; const newEnrichment = buildEventEnrichmentMock({ 'matched.id': ['other.id'], - 'threatintel.indicator.first_seen': [olderDate], + 'threat.indicator.first_seen': [olderDate], }); const enrichments = [existingEnrichment, newEnrichment]; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/cti.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/cti.ts deleted file mode 100644 index daf54e4f7cf5c..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/cti.ts +++ /dev/null 
@@ -1,154 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -export const ctiFieldMap = { - 'threat.indicator': { - type: 'nested', - array: false, - required: false, - }, - 'threat.indicator.as.number': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.as.organization.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.confidence': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.dataset': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.description': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.email.address': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.first_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.geo.city_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.country_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'threat.indicator.geo.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.region_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.ip': { - type: 'ip', - array: false, - 
required: false, - }, - 'threat.indicator.last_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.marking.tlp': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.matched.atomic': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.matched.field': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.matched.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.module': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.port': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.provider': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.scanner_stats': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.sightings': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.type': { - type: 'keyword', - array: false, - required: false, - }, -}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts index 576e409378213..1bd3d411adf11 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts @@ -42,7 +42,7 @@ describe('Indicator Match Alerts', () => { { field: 'file.hash.md5', type: 'mapping', - value: 'threatintel.indicator.file.hash.md5', + value: 'threat.indicator.file.hash.md5', }, ], }, 
@@ -156,11 +156,11 @@ describe('Indicator Match Alerts', () => {
 ...sampleDocNoSortId(v4()),
 _source: {
 ...sampleDocNoSortId(v4())._source,
- 'threatintel.indicator.file.hash.md5': 'a1b2c3',
+ 'threat.indicator.file.hash.md5': 'a1b2c3',
 },
 fields: {
 ...sampleDocNoSortId(v4()).fields,
- 'threatintel.indicator.file.hash.md5': ['a1b2c3'],
+ 'threat.indicator.file.hash.md5': ['a1b2c3'],
 },
 },
 ],
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/scripts/create_rule_indicator_match.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/scripts/create_rule_indicator_match.sh
index f50aac30a69c5..5beaea5e14475 100755
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/scripts/create_rule_indicator_match.sh
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/scripts/create_rule_indicator_match.sh
@@ -46,7 +46,7 @@ curl -X POST ${KIBANA_URL}${SPACE_URL}/api/alerts/alert \
 {
 "field":"file.hash.md5",
 "type":"mapping",
- "value":"threatintel.indicator.file.hash.md5"
+ "value":"threat.indicator.file.hash.md5"
 }
 ]
 }
diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts
index d54ed18af01e3..4cecabe52b588 100644
--- a/x-pack/plugins/security_solution/server/plugin.ts
+++ b/x-pack/plugins/security_solution/server/plugin.ts
@@ -104,7 +104,6 @@ import { RuleExecutionLogClient } from './lib/detection_engine/rule_execution_lo import { getKibanaPrivilegesFeaturePrivileges, getCasesKibanaFeature } from './features'; import { EndpointMetadataService } from './endpoint/services/metadata'; import { CreateRuleOptions } from './lib/detection_engine/rule_types/types'; -import { ctiFieldMap } from './lib/detection_engine/rule_types/field_maps/cti'; // eslint-disable-next-line no-restricted-imports import { legacyRulesNotificationAlertType } from './lib/detection_engine/notifications/legacy_rules_notification_alert_type'; // eslint-disable-next-line no-restricted-imports @@ -257,10 +256,7 @@ export class Plugin implements IPlugin { expect(buildIndicatorShouldClauses(eventFields)).toContainEqual({ match: { - 'threatintel.indicator.file.hash.md5': { + 'threat.indicator.file.hash.md5': { _name: 'file.hash.md5', query: '1eee2bf3f56d8abed72da2bc523e7431', }, @@ -44,8 +44,8 @@ describe('buildIndicatorShouldClauses', () => { const eventFields = { 'source.ip': '127.0.0.1', 'url.full': 'elastic.co' }; expect(buildIndicatorShouldClauses(eventFields)).toEqual( expect.arrayContaining([ - { match: { 'threatintel.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, - { match: { 'threatintel.indicator.url.full': { _name: 'url.full', query: 'elastic.co' } } }, + { match: { 'threat.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, + { match: { 'threat.indicator.url.full': { _name: 'url.full', query: 'elastic.co' } } }, ]) ); }); @@ -83,7 +83,7 @@ describe('buildIndicatorEnrichments', () => { _index: '_index', matched_queries: ['file.hash.md5'], fields: { - 'threatintel.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.file.hash.md5': ['indicator_value'], }, }, ]; 
@@ -94,7 +94,7 @@ describe('buildIndicatorEnrichments', () => { 'matched.field': ['file.hash.md5'], 'matched.id': ['_id'], 'matched.index': ['_index'], - 'threatintel.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.file.hash.md5': ['indicator_value'], }), ]); }); @@ -106,8 +106,8 @@ describe('buildIndicatorEnrichments', () => { _index: '_index', matched_queries: ['file.hash.md5', 'source.ip'], fields: { - 'threatintel.indicator.file.hash.md5': ['indicator_value'], - 'threatintel.indicator.ip': ['127.0.0.1'], + 'threat.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.ip': ['127.0.0.1'], }, }, ]; @@ -118,16 +118,16 @@ describe('buildIndicatorEnrichments', () => { 'matched.field': ['file.hash.md5'], 'matched.id': ['_id'], 'matched.index': ['_index'], - 'threatintel.indicator.file.hash.md5': ['indicator_value'], - 'threatintel.indicator.ip': ['127.0.0.1'], + 'threat.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.ip': ['127.0.0.1'], }), expect.objectContaining({ 'matched.atomic': ['127.0.0.1'], 'matched.field': ['source.ip'], 'matched.id': ['_id'], 'matched.index': ['_index'], - 'threatintel.indicator.file.hash.md5': ['indicator_value'], - 'threatintel.indicator.ip': ['127.0.0.1'], + 'threat.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.ip': ['127.0.0.1'], }), ]); }); @@ -139,7 +139,7 @@ describe('buildIndicatorEnrichments', () => { _index: '_index', matched_queries: ['file.hash.md5'], fields: { - 'threatintel.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.file.hash.md5': ['indicator_value'], }, }, { @@ -147,7 +147,7 @@ describe('buildIndicatorEnrichments', () => { _index: '_index2', matched_queries: ['source.ip'], fields: { - 'threatintel.indicator.ip': ['127.0.0.1'], + 'threat.indicator.ip': ['127.0.0.1'], }, }, ]; 
@@ -158,14 +158,14 @@ describe('buildIndicatorEnrichments', () => { 'matched.field': ['file.hash.md5'], 'matched.id': ['_id'], 'matched.index': ['_index'], - 'threatintel.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.file.hash.md5': ['indicator_value'], }), expect.objectContaining({ 'matched.atomic': ['127.0.0.1'], 'matched.field': ['source.ip'], 'matched.id': ['_id2'], 'matched.index': ['_index2'], - 'threatintel.indicator.ip': ['127.0.0.1'], + 'threat.indicator.ip': ['127.0.0.1'], }), ]); }); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.test.ts index bc96a387105c6..d953cb2979e5c 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.test.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.test.ts @@ -16,14 +16,14 @@ describe('buildEventEnrichmentQuery', () => { expect.arrayContaining([ { match: { - 'threatintel.indicator.file.hash.md5': { + 'threat.indicator.file.hash.md5': { _name: 'file.hash.md5', query: '1eee2bf3f56d8abed72da2bc523e7431', }, }, }, - { match: { 'threatintel.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, - { match: { 'threatintel.indicator.url.full': { _name: 'url.full', query: 'elastic.co' } } }, + { match: { 'threat.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, + { match: { 'threat.indicator.url.full': { _name: 'url.full', query: 'elastic.co' } } }, ]) ); }); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts index 7ced866e0bb5b..11c6f4aa60265 100644 
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts @@ -41,16 +41,16 @@ describe('parseEventEnrichmentResponse', () => { should: [ { match: { - 'threatintel.indicator.file.hash.md5': { + 'threat.indicator.file.hash.md5': { _name: 'file.hash.md5', query: '1eee2bf3f56d8abed72da2bc523e7431', }, }, }, - { match: { 'threatintel.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, + { match: { 'threat.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, { match: { - 'threatintel.indicator.url.full': { _name: 'url.full', query: 'elastic.co' }, + 'threat.indicator.url.full': { _name: 'url.full', query: 'elastic.co' }, }, }, ], diff --git a/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json b/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json index 0cbc7f37bd519..f426ffae33e1c 100644 --- a/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json +++ b/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json @@ -18,7 +18,7 @@ "event": { "category": "threat", "created": "2021-01-26T11:09:05.529Z", - "dataset": "threatintel.abuseurl", + "dataset": "ti_abusech.malware", "ingested": "2021-01-26T11:09:06.595350Z", "kind": "enrichment", "module": "threatintel", @@ -87,7 +87,7 @@ "event": { "category": "threat", "created": "2021-01-26T11:09:05.529Z", - "dataset": "threatintel.abuseurl", + "dataset": "ti_abusech.malware", "ingested": "2021-01-26T11:09:06.616763Z", "kind": "enrichment", "module": "threatintel", @@ -156,7 +156,7 @@ "event": { "category": "threat", "created": "2021-01-26T11:09:05.529Z", - "dataset": "threatintel.abuseurl", + "dataset": "ti_abusech.malware", "ingested": "2021-01-26T11:09:06.616763Z", "kind": "enrichment", "module": "threatintel", 
@@ -226,7 +226,7 @@ "event": { "category": "threat", "created": "2021-01-26T11:09:05.529Z", - "dataset": "threatintel.abuseurl", + "dataset": "ti_abusech.malware", "ingested": "2021-01-26T11:09:06.616763Z", "kind": "enrichment", "module": "threatintel", diff --git a/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json b/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json index bcc8d5f86e1d3..56fa5ea6af329 100644 --- a/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json +++ b/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json @@ -168,12 +168,12 @@ { "field": "host.name", "type": "mapping", - "value": "threatintel.indicator.domain" + "value": "threat.indicator.domain" } ] } ], - "threat_query": "threatintel.indicator.type : \"url\"", + "threat_query": "threat.indicator.type : \"url\"", "throttle": null, "to": "now", "type": "threat_match", @@ -190,7 +190,7 @@ "event": { "category": "threat", "created": "2021-08-04T03:53:30.761Z", - "dataset": "threatintel.abuseurl", + "dataset": "ti_abusech.malware", "ingested": "2021-08-04T03:53:37.514040Z", "kind": "enrichment", "module": "threatintel", @@ -412,12 +412,12 @@ { "field": "host.name", "type": "mapping", - "value": "threatintel.indicator.domain" + "value": "threat.indicator.domain" } ] } ], - "threat_query": "threatintel.indicator.type : \"url\"", + "threat_query": "threat.indicator.type : \"url\"", "throttle": null, "to": "now", "type": "threat_match", @@ -434,7 +434,7 @@ "event": { "category": "threat", "created": "2021-08-04T03:53:30.761Z", - "dataset": "threatintel.abuseurl", + "dataset": "ti_abusech.malware", "ingested": "2021-08-04T03:53:37.514040Z", "kind": "enrichment", "module": "threatintel", 
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json index c5d382194027f..a2e0c2d2921dc 100644 --- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json +++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json @@ -2,7 +2,7 @@ "type": "doc", "value": { "id": "84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f", - "index": "filebeat-7.12.0-2021.03.10-000001", + "index": "logs-ti_abusech.malware", "source": { "@timestamp": "2021-03-10T14:51:05.766Z", "agent": { @@ -16,7 +16,7 @@ "fileset": { "name": "abusemalware" }, - "threatintel": { + "threat": { "indicator": { "first_seen": "2021-03-10T08:02:14.000Z", "file": { @@ -31,13 +31,13 @@ } }, "type": "file" - }, - "abusemalware": { - "virustotal": { - "result": "38 / 61", - "link": "https://www.virustotal.com/gui/file/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3/detection/f-a04ac6d", - "percent": "62.30" - } + } + }, + "abusemalware": { + "virustotal": { + "result": "38 / 61", + "link": "https://www.virustotal.com/gui/file/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3/detection/f-a04ac6d", + "percent": "62.30" } }, "tags": [ @@ -68,7 +68,7 @@ "module": "threatintel", "category": "threat", "type": "indicator", - "dataset": "threatintel.abusemalware" + "dataset": "ti_abusech.malware" } } } diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json index efd23c5a6bba4..8840cd4bee0dd 100644 --- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json +++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json 
@@ -6,7 +6,7 @@ "is_write_index": true } }, - "index": "filebeat-7.12.0-2021.03.10-000001", + "index": "logs-ti_abusech.malware", "mappings": { "_meta": { "beat": "filebeat", @@ -194,7 +194,7 @@ } } }, - "threatintel": { + "threat": { "properties": { "abusemalware": { "properties": { diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json index 0598fd7ba7c86..1a8d3ff5a309a 100644 --- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json +++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json @@ -2,7 +2,7 @@ "type": "doc", "value": { "id": "a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3", - "index": "filebeat-7.12.0-2021.03.11-000001", + "index": "logs-ti_abusech.malware", "source": { "@timestamp": "2021-06-27T14:51:05.766Z", "agent": { @@ -16,7 +16,7 @@ "fileset": { "name": "abusemalware" }, - "threatintel": { + "threat": { "indicator": { "first_seen": "2021-03-11T08:02:14.000Z", "ip": "192.168.1.1", @@ -56,7 +56,7 @@ "module": "threatintel", "category": "threat", "type": "indicator", - "dataset": "threatintel.abusemalware" + "dataset": "ti_abusech.malware" } } } diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/mappings.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/mappings.json index 072318f7f4fc4..cba4263f32b69 100644 --- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/mappings.json +++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/mappings.json @@ -2,11 +2,11 @@ "type": "index", "value": { "aliases": { - "filebeat-7.12.0": { + "logs-ti": { "is_write_index": false } }, - "index": "filebeat-7.12.0-2021.03.11-000001", + "index": "logs-ti_abusech.malware", "mappings": { "_meta": { "beat": "filebeat", 
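Review bot: The mapping keeps `abusemalware` nested under the renamed `threat` property, while the threat_indicator/data.json hunk in this diff moves `abusemalware` out of `threat` to the top level of the document; the two halves of the archive no longer describe the same shape, so the `abusemalware.virustotal.*` fields would be mapped dynamically or left unmapped depending on the index's dynamic setting, which is outside the hunk. Either move the `abusemalware` mapping block up one level to sit beside `threat`, or keep the data nested as before. threat_indicator2/mappings.json at the end of the diff has the same nesting, and its data.json hunk does not show where `abusemalware` ends up, so it is worth checking the same way.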
@@ -194,7 +194,7 @@ } } }, - "threatintel": { + "threat": { "properties": { "abusemalware": { "properties": {