From d45bfab7fa77fd875611ae09d74aaf422ab35b64 Mon Sep 17 00:00:00 2001 From: Khristinin Nikita Date: Wed, 29 Sep 2021 14:44:08 +0200 Subject: [PATCH 1/8] Update threatintel to threat --- .../security_solution/common/constants.ts | 2 +- .../security_solution/common/cti/constants.ts | 36 +++++++++--------- .../security_solution/cti/index.mock.ts | 38 +++++++++---------- .../security_solution/cypress/objects/rule.ts | 2 +- .../cti_details/threat_details_view.test.tsx | 6 +-- .../create_indicator_match_alert_type.test.ts | 6 +-- .../scripts/create_rule_indicator_match.sh | 2 +- .../cti/event_enrichment/helpers.test.ts | 30 +++++++-------- .../cti/event_enrichment/query.test.ts | 6 +-- .../cti/event_enrichment/response.test.ts | 6 +-- .../filebeat/threat_intel/data.json | 8 ++-- .../legacy_cti_signals/data.json | 12 +++--- .../es_archives/threat_indicator/data.json | 2 +- .../es_archives/threat_indicator2/data.json | 2 +- 14 files changed, 78 insertions(+), 80 deletions(-) diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts index 092875c57fbd0..bbed3e26f94d5 100644 --- a/x-pack/plugins/security_solution/common/constants.ts +++ b/x-pack/plugins/security_solution/common/constants.ts @@ -60,7 +60,7 @@ export const DEFAULT_SPACE_ID = 'default'; // Document path where threat indicator fields are expected. Fields are used // to enrich signals, and are copied to threat.enrichments. -export const DEFAULT_INDICATOR_SOURCE_PATH = 'threatintel.indicator'; +export const DEFAULT_INDICATOR_SOURCE_PATH = 'threat.indicator'; export const ENRICHMENT_DESTINATION_PATH = 'threat.enrichments'; export const DEFAULT_THREAT_INDEX_KEY = 'securitySolution:defaultThreatIndex'; export const DEFAULT_THREAT_INDEX_VALUE = ['filebeat-*']; diff --git a/x-pack/plugins/security_solution/common/cti/constants.ts b/x-pack/plugins/security_solution/common/cti/constants.ts index 2c50c8e0d12ad..217ee912e666e 100644 
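Review bot: Changing `DEFAULT_INDICATOR_SOURCE_PATH` from `threatintel.indicator` to `threat.indicator` re-points every consumer of the default, but nothing in this series migrates indicator-match rules already saved with `threatintel.indicator.*` mapping values (the test archives in this same patch show such rules, e.g. `"value": "threatintel.indicator.domain"`, being hand-edited) or indicator documents already indexed under the old path. Such rules will keep querying fields that new indicator data no longer populates and will simply stop matching, which is a silent detection gap rather than an error. Unless a saved-object migration exists outside this series, the rename should ship with one, and the comment above the constant should at least record the situation, e.g. `// Document path where threat indicator fields are expected (ECS \`threat.indicator\`). Rules created before the rename may still reference the legacy \`threatintel.indicator\` path.`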
--- a/x-pack/plugins/security_solution/common/cti/constants.ts +++ b/x-pack/plugins/security_solution/common/cti/constants.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ENRICHMENT_DESTINATION_PATH } from '../constants'; +import { ENRICHMENT_DESTINATION_PATH, DEFAULT_INDICATOR_SOURCE_PATH } from '../constants'; export const MATCHED_ATOMIC = 'matched.atomic'; export const MATCHED_FIELD = 'matched.field'; 
@@ -43,27 +43,27 @@ export enum ENRICHMENT_TYPES {
 }
 
 export const EVENT_ENRICHMENT_INDICATOR_FIELD_MAP = {
-  'file.hash.md5': 'threatintel.indicator.file.hash.md5',
-  'file.hash.sha1': 'threatintel.indicator.file.hash.sha1',
-  'file.hash.sha256': 'threatintel.indicator.file.hash.sha256',
-  'file.pe.imphash': 'threatintel.indicator.file.pe.imphash',
-  'file.elf.telfhash': 'threatintel.indicator.file.elf.telfhash',
-  'file.hash.ssdeep': 'threatintel.indicator.file.hash.ssdeep',
-  'source.ip': 'threatintel.indicator.ip',
-  'destination.ip': 'threatintel.indicator.ip',
-  'url.full': 'threatintel.indicator.url.full',
-  'registry.path': 'threatintel.indicator.registry.path',
+  'file.hash.md5': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.hash.md5`,
+  'file.hash.sha1': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.hash.sha1`,
+  'file.hash.sha256': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.hash.sha256`,
+  'file.pe.imphash': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.pe.imphash`,
+  'file.elf.telfhash': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.elf.telfhash`,
+  'file.hash.ssdeep': `${DEFAULT_INDICATOR_SOURCE_PATH}.file.hash.ssdeep`,
+  'source.ip': `${DEFAULT_INDICATOR_SOURCE_PATH}.ip`,
+  'destination.ip': `${DEFAULT_INDICATOR_SOURCE_PATH}.ip`,
+  'url.full': `${DEFAULT_INDICATOR_SOURCE_PATH}.url.full`,
+  'registry.path': `${DEFAULT_INDICATOR_SOURCE_PATH}.registry.path`,
 };
 
 export const DEFAULT_EVENT_ENRICHMENT_FROM = 'now-30d';
 export const DEFAULT_EVENT_ENRICHMENT_TO = 'now';
 
 export const CTI_DATASET_KEY_MAP: { [key: string]: string } = {
-  'Abuse URL': 'threatintel.abuseurl',
-  'Abuse Malware': 'threatintel.abusemalware',
-  'AlienVault OTX': 'threatintel.otx',
-  Anomali: 'threatintel.anomali',
-  'Malware Bazaar': 'threatintel.malwarebazaar',
-  MISP: 'threatintel.misp',
-  'Recorded Future': 'threatintel.recordedfuture',
+  'Abuse URL': 'threat.abuseurl',
+  'Abuse Malware': 'threat.abusemalware',
+  'AlienVault OTX': 'threat.otx',
+  Anomali: 'threat.anomali',
+  'Malware Bazaar': 'threat.malwarebazaar',
+  MISP: 'threat.misp',
+  'Recorded Future': 'threat.recordedfuture',
 };
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts
index 7898962b1a72d..03c8ccd6886b8 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts
@@ -52,29 +52,29 @@ export const buildEventEnrichmentRawResponseMock = (): IEsSearchResponse => ({ _score: 6.0637846, fields: { 'event.category': ['threat'], - 'threatintel.indicator.file.type': ['html'], + 'threat.indicator.file.type': ['html'], 'related.hash': [ '5529de7b60601aeb36f57824ed0e1ae8', '15b012e6f626d0f88c2926d2bf4ca394d7b8ee07cc06d2ec05ea76bed3e8a05e', '768:NXSFGJ/ooP6FawrB7Bo1MWnF/jRmhJImp:1SFXIqBo1Mwj2p', ], - 'threatintel.indicator.first_seen': ['2021-05-28T18:33:29.000Z'], - 'threatintel.indicator.file.hash.tlsh': [ + 'threat.indicator.first_seen': ['2021-05-28T18:33:29.000Z'], + 'threat.indicator.file.hash.tlsh': [ 'FFB20B82F6617061C32784E2712F7A46B179B04FD1EA54A0F28CD8E9CFE4CAA1617F1C', ], 'service.type': ['threatintel'], - 'threatintel.indicator.file.hash.ssdeep': [ + 'threat.indicator.file.hash.ssdeep': [ '768:NXSFGJ/ooP6FawrB7Bo1MWnF/jRmhJImp:1SFXIqBo1Mwj2p', ], 'agent.type': ['filebeat'], 'event.module': ['threatintel'], - 'threatintel.indicator.type': ['file'], + 'threat.indicator.type': ['file'], 'agent.name': ['rylastic.local'], - 'threatintel.indicator.file.hash.sha256': [ + 'threat.indicator.file.hash.sha256': [ '15b012e6f626d0f88c2926d2bf4ca394d7b8ee07cc06d2ec05ea76bed3e8a05e', ], 'event.kind': ['enrichment'], - 'threatintel.indicator.file.hash.md5': ['5529de7b60601aeb36f57824ed0e1ae8'], + 'threat.indicator.file.hash.md5': ['5529de7b60601aeb36f57824ed0e1ae8'], 'fileset.name': ['abusemalware'], 'input.type': ['httpjson'], 'agent.hostname': ['rylastic.local'], @@ -89,9 +89,9 @@ export const buildEventEnrichmentRawResponseMock = (): IEsSearchResponse => ({ 'event.type': ['indicator'], 'event.created': ['2021-05-28T18:33:52.993Z'], 'agent.ephemeral_id': ['d6b14f65-5bf3-430d-8315-7b5613685979'], - 'threatintel.indicator.file.size': [24738], + 'threat.indicator.file.size': [24738], 'agent.version': ['8.0.0'], - 'event.dataset': ['threatintel.abusemalware'], + 'event.dataset': ['threat.abusemalware'], }, matched_queries: ['file.hash.md5'], }, 
@@ -113,7 +113,7 @@ export const buildEventEnrichmentMock = ( 'ecs.version': ['1.6.0'], 'event.category': ['threat'], 'event.created': ['2021-05-28T18:33:52.993Z'], - 'event.dataset': ['threatintel.abusemalware'], + 'event.dataset': ['threat.abusemalware'], 'event.ingested': ['2021-05-28T18:33:55.086Z'], 'event.kind': ['enrichment'], 'event.module': ['threatintel'], @@ -135,20 +135,18 @@ export const buildEventEnrichmentMock = ( ], 'service.type': ['threatintel'], tags: ['threatintel-abusemalware', 'forwarded'], - 'threatintel.indicator.file.hash.md5': ['5529de7b60601aeb36f57824ed0e1ae8'], - 'threatintel.indicator.file.hash.sha256': [ + 'threat.indicator.file.hash.md5': ['5529de7b60601aeb36f57824ed0e1ae8'], + 'threat.indicator.file.hash.sha256': [ '15b012e6f626d0f88c2926d2bf4ca394d7b8ee07cc06d2ec05ea76bed3e8a05e', ], - 'threatintel.indicator.file.hash.ssdeep': [ - '768:NXSFGJ/ooP6FawrB7Bo1MWnF/jRmhJImp:1SFXIqBo1Mwj2p', - ], - 'threatintel.indicator.file.hash.tlsh': [ + 'threat.indicator.file.hash.ssdeep': ['768:NXSFGJ/ooP6FawrB7Bo1MWnF/jRmhJImp:1SFXIqBo1Mwj2p'], + 'threat.indicator.file.hash.tlsh': [ 'FFB20B82F6617061C32784E2712F7A46B179B04FD1EA54A0F28CD8E9CFE4CAA1617F1C', ], - 'threatintel.indicator.file.size': [24738], - 'threatintel.indicator.file.type': ['html'], - 'threatintel.indicator.first_seen': ['2021-05-28T18:33:29.000Z'], - 'threatintel.indicator.type': ['file'], + 'threat.indicator.file.size': [24738], + 'threat.indicator.file.type': ['html'], + 'threat.indicator.first_seen': ['2021-05-28T18:33:29.000Z'], + 'threat.indicator.type': ['file'], ...overrides, }); diff --git a/x-pack/plugins/security_solution/cypress/objects/rule.ts b/x-pack/plugins/security_solution/cypress/objects/rule.ts index c3eab5cc2a936..26664e9e404b9 100644 --- a/x-pack/plugins/security_solution/cypress/objects/rule.ts +++ b/x-pack/plugins/security_solution/cypress/objects/rule.ts 
@@ -361,7 +361,7 @@ export const getNewThreatIndicatorRule = (): ThreatIndicatorRule => ({ lookBack: getLookBack(), indicatorIndexPattern: ['filebeat-*'], indicatorMappingField: 'myhash.mysha256', - indicatorIndexField: 'threatintel.indicator.file.hash.sha256', + indicatorIndexField: 'threat.indicator.file.hash.sha256', type: 'file', atomic: 'a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3', timeline: getIndicatorMatchTimelineTemplate(), diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.test.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.test.tsx index ff6a72f735e77..2b1e73c1141c4 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.test.tsx @@ -37,7 +37,7 @@ describe('ThreatDetailsView', () => { it('renders an anchor link for indicator.reference', () => { const enrichments = [ buildEventEnrichmentMock({ - 'threatintel.indicator.reference': ['http://foo.baz'], + 'threat.indicator.reference': ['http://foo.baz'], }), ]; const wrapper = mount( @@ -60,10 +60,10 @@ describe('ThreatDetailsView', () => { const existingEnrichment = buildEventEnrichmentMock({ 'indicator.first_seen': [mostRecentDate], }); - delete existingEnrichment['threatintel.indicator.first_seen']; + delete existingEnrichment['threat.indicator.first_seen']; const newEnrichment = buildEventEnrichmentMock({ 'matched.id': ['other.id'], - 'threatintel.indicator.first_seen': [olderDate], + 'threat.indicator.first_seen': [olderDate], }); const enrichments = [existingEnrichment, newEnrichment]; 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts index fe836c872dcad..86212a5925ffa 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts @@ -40,7 +40,7 @@ describe('Indicator Match Alerts', () => { { field: 'file.hash.md5', type: 'mapping', - value: 'threatintel.indicator.file.hash.md5', + value: 'threat.indicator.file.hash.md5', }, ], }, @@ -158,11 +158,11 @@ describe('Indicator Match Alerts', () => { ...sampleDocNoSortId(v4()), _source: { ...sampleDocNoSortId(v4())._source, - 'threatintel.indicator.file.hash.md5': 'a1b2c3', + 'threat.indicator.file.hash.md5': 'a1b2c3', }, fields: { ...sampleDocNoSortId(v4()).fields, - 'threatintel.indicator.file.hash.md5': ['a1b2c3'], + 'threat.indicator.file.hash.md5': ['a1b2c3'], }, }, ], diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/scripts/create_rule_indicator_match.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/scripts/create_rule_indicator_match.sh index f50aac30a69c5..5beaea5e14475 100755 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/scripts/create_rule_indicator_match.sh +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/scripts/create_rule_indicator_match.sh @@ -46,7 +46,7 @@ curl -X POST ${KIBANA_URL}${SPACE_URL}/api/alerts/alert \ { "field":"file.hash.md5", "type":"mapping", - "value":"threatintel.indicator.file.hash.md5" + "value":"threat.indicator.file.hash.md5" } ] } 
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/helpers.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/helpers.test.ts index a246b66d462ce..f20c567813f7f 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/helpers.test.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/helpers.test.ts @@ -32,7 +32,7 @@ describe('buildIndicatorShouldClauses', () => { expect(buildIndicatorShouldClauses(eventFields)).toContainEqual({ match: { - 'threatintel.indicator.file.hash.md5': { + 'threat.indicator.file.hash.md5': { _name: 'file.hash.md5', query: '1eee2bf3f56d8abed72da2bc523e7431', }, @@ -44,8 +44,8 @@ describe('buildIndicatorShouldClauses', () => { const eventFields = { 'source.ip': '127.0.0.1', 'url.full': 'elastic.co' }; expect(buildIndicatorShouldClauses(eventFields)).toEqual( expect.arrayContaining([ - { match: { 'threatintel.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, - { match: { 'threatintel.indicator.url.full': { _name: 'url.full', query: 'elastic.co' } } }, + { match: { 'threat.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, + { match: { 'threat.indicator.url.full': { _name: 'url.full', query: 'elastic.co' } } }, ]) ); }); @@ -83,7 +83,7 @@ describe('buildIndicatorEnrichments', () => { _index: '_index', matched_queries: ['file.hash.md5'], fields: { - 'threatintel.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.file.hash.md5': ['indicator_value'], }, }, ]; @@ -94,7 +94,7 @@ describe('buildIndicatorEnrichments', () => { 'matched.field': ['file.hash.md5'], 'matched.id': ['_id'], 'matched.index': ['_index'], - 'threatintel.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.file.hash.md5': ['indicator_value'], }), ]); }); 
@@ -106,8 +106,8 @@ describe('buildIndicatorEnrichments', () => { _index: '_index', matched_queries: ['file.hash.md5', 'source.ip'], fields: { - 'threatintel.indicator.file.hash.md5': ['indicator_value'], - 'threatintel.indicator.ip': ['127.0.0.1'], + 'threat.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.ip': ['127.0.0.1'], }, }, ]; @@ -118,16 +118,16 @@ describe('buildIndicatorEnrichments', () => { 'matched.field': ['file.hash.md5'], 'matched.id': ['_id'], 'matched.index': ['_index'], - 'threatintel.indicator.file.hash.md5': ['indicator_value'], - 'threatintel.indicator.ip': ['127.0.0.1'], + 'threat.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.ip': ['127.0.0.1'], }), expect.objectContaining({ 'matched.atomic': ['127.0.0.1'], 'matched.field': ['source.ip'], 'matched.id': ['_id'], 'matched.index': ['_index'], - 'threatintel.indicator.file.hash.md5': ['indicator_value'], - 'threatintel.indicator.ip': ['127.0.0.1'], + 'threat.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.ip': ['127.0.0.1'], }), ]); }); @@ -139,7 +139,7 @@ describe('buildIndicatorEnrichments', () => { _index: '_index', matched_queries: ['file.hash.md5'], fields: { - 'threatintel.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.file.hash.md5': ['indicator_value'], }, }, { @@ -147,7 +147,7 @@ describe('buildIndicatorEnrichments', () => { _index: '_index2', matched_queries: ['source.ip'], fields: { - 'threatintel.indicator.ip': ['127.0.0.1'], + 'threat.indicator.ip': ['127.0.0.1'], }, }, ]; 
@@ -158,14 +158,14 @@ describe('buildIndicatorEnrichments', () => { 'matched.field': ['file.hash.md5'], 'matched.id': ['_id'], 'matched.index': ['_index'], - 'threatintel.indicator.file.hash.md5': ['indicator_value'], + 'threat.indicator.file.hash.md5': ['indicator_value'], }), expect.objectContaining({ 'matched.atomic': ['127.0.0.1'], 'matched.field': ['source.ip'], 'matched.id': ['_id2'], 'matched.index': ['_index2'], - 'threatintel.indicator.ip': ['127.0.0.1'], + 'threat.indicator.ip': ['127.0.0.1'], }), ]); }); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.test.ts index bc96a387105c6..d953cb2979e5c 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.test.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/query.test.ts @@ -16,14 +16,14 @@ describe('buildEventEnrichmentQuery', () => { expect.arrayContaining([ { match: { - 'threatintel.indicator.file.hash.md5': { + 'threat.indicator.file.hash.md5': { _name: 'file.hash.md5', query: '1eee2bf3f56d8abed72da2bc523e7431', }, }, }, - { match: { 'threatintel.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, - { match: { 'threatintel.indicator.url.full': { _name: 'url.full', query: 'elastic.co' } } }, + { match: { 'threat.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, + { match: { 'threat.indicator.url.full': { _name: 'url.full', query: 'elastic.co' } } }, ]) ); }); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts index 7ced866e0bb5b..11c6f4aa60265 100644 
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/cti/event_enrichment/response.test.ts @@ -41,16 +41,16 @@ describe('parseEventEnrichmentResponse', () => { should: [ { match: { - 'threatintel.indicator.file.hash.md5': { + 'threat.indicator.file.hash.md5': { _name: 'file.hash.md5', query: '1eee2bf3f56d8abed72da2bc523e7431', }, }, }, - { match: { 'threatintel.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, + { match: { 'threat.indicator.ip': { _name: 'source.ip', query: '127.0.0.1' } } }, { match: { - 'threatintel.indicator.url.full': { _name: 'url.full', query: 'elastic.co' }, + 'threat.indicator.url.full': { _name: 'url.full', query: 'elastic.co' }, }, }, ], diff --git a/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json b/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json index 0cbc7f37bd519..b843371cce530 100644 --- a/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json +++ b/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json @@ -18,7 +18,7 @@ "event": { "category": "threat", "created": "2021-01-26T11:09:05.529Z", - "dataset": "threatintel.abuseurl", + "dataset": "threat.abuseurl", "ingested": "2021-01-26T11:09:06.595350Z", "kind": "enrichment", "module": "threatintel", @@ -87,7 +87,7 @@ "event": { "category": "threat", "created": "2021-01-26T11:09:05.529Z", - "dataset": "threatintel.abuseurl", + "dataset": "threat.abuseurl", "ingested": "2021-01-26T11:09:06.616763Z", "kind": "enrichment", "module": "threatintel", @@ -156,7 +156,7 @@ "event": { "category": "threat", "created": "2021-01-26T11:09:05.529Z", - "dataset": "threatintel.abuseurl", + "dataset": "threat.abuseurl", "ingested": "2021-01-26T11:09:06.616763Z", "kind": "enrichment", "module": "threatintel", 
@@ -226,7 +226,7 @@ "event": { "category": "threat", "created": "2021-01-26T11:09:05.529Z", - "dataset": "threatintel.abuseurl", + "dataset": "threat.abuseurl", "ingested": "2021-01-26T11:09:06.616763Z", "kind": "enrichment", "module": "threatintel", diff --git a/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json b/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json index bcc8d5f86e1d3..1a16150317bc2 100644 --- a/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json +++ b/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json @@ -168,12 +168,12 @@ { "field": "host.name", "type": "mapping", - "value": "threatintel.indicator.domain" + "value": "threat.indicator.domain" } ] } ], - "threat_query": "threatintel.indicator.type : \"url\"", + "threat_query": "threat.indicator.type : \"url\"", "throttle": null, "to": "now", "type": "threat_match", @@ -190,7 +190,7 @@ "event": { "category": "threat", "created": "2021-08-04T03:53:30.761Z", - "dataset": "threatintel.abuseurl", + "dataset": "threat.abuseurl", "ingested": "2021-08-04T03:53:37.514040Z", "kind": "enrichment", "module": "threatintel", @@ -412,12 +412,12 @@ { "field": "host.name", "type": "mapping", - "value": "threatintel.indicator.domain" + "value": "threat.indicator.domain" } ] } ], - "threat_query": "threatintel.indicator.type : \"url\"", + "threat_query": "threat.indicator.type : \"url\"", "throttle": null, "to": "now", "type": "threat_match", @@ -434,7 +434,7 @@ "event": { "category": "threat", "created": "2021-08-04T03:53:30.761Z", - "dataset": "threatintel.abuseurl", + "dataset": "threat.abuseurl", "ingested": "2021-08-04T03:53:37.514040Z", "kind": "enrichment", "module": "threatintel", diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json index c5d382194027f..f9b9c4cc73b84 100644 
--- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json +++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json @@ -68,7 +68,7 @@ "module": "threatintel", "category": "threat", "type": "indicator", - "dataset": "threatintel.abusemalware" + "dataset": "threat.abusemalware" } } } diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json index 0598fd7ba7c86..5d4946dd74042 100644 --- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json +++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json @@ -56,7 +56,7 @@ "module": "threatintel", "category": "threat", "type": "indicator", - "dataset": "threatintel.abusemalware" + "dataset": "threat.abusemalware" } } } From 21515561353794f8f4630ff663fa5cc7302e448a Mon Sep 17 00:00:00 2001 From: Khristinin Nikita Date: Thu, 30 Sep 2021 21:30:26 +0200 Subject: [PATCH 2/8] Remove CTI mappings --- .../rule_types/field_maps/cti.ts | 154 ------------------ .../security_solution/server/plugin.ts | 6 +- 2 files changed, 1 insertion(+), 159 deletions(-) delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/cti.ts diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/cti.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/cti.ts deleted file mode 100644 index daf54e4f7cf5c..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/cti.ts +++ /dev/null 
@@ -1,154 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -export const ctiFieldMap = { - 'threat.indicator': { - type: 'nested', - array: false, - required: false, - }, - 'threat.indicator.as.number': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.as.organization.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.confidence': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.dataset': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.description': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.domain': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.email.address': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.first_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.geo.city_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.continent_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.country_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.country_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.location': { - type: 'geo_point', - array: false, - required: false, - }, - 'threat.indicator.geo.name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.region_iso_code': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.geo.region_name': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.ip': { - type: 'ip', - array: false, - 
required: false, - }, - 'threat.indicator.last_seen': { - type: 'date', - array: false, - required: false, - }, - 'threat.indicator.marking.tlp': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.matched.atomic': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.matched.field': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.matched.type': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.module': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.port': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.provider': { - type: 'keyword', - array: false, - required: false, - }, - 'threat.indicator.scanner_stats': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.sightings': { - type: 'long', - array: false, - required: false, - }, - 'threat.indicator.type': { - type: 'keyword', - array: false, - required: false, - }, -}; diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 59bf5057f2796..22d25686f2c96 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -103,7 +103,6 @@ import { RuleExecutionLogClient } from './lib/detection_engine/rule_execution_lo import { getKibanaPrivilegesFeaturePrivileges } from './features'; import { EndpointMetadataService } from './endpoint/services/metadata'; import { CreateRuleOptions } from './lib/detection_engine/rule_types/types'; -import { ctiFieldMap } from './lib/detection_engine/rule_types/field_maps/cti'; // eslint-disable-next-line no-restricted-imports import { legacyRulesNotificationAlertType } from './lib/detection_engine/notifications/legacy_rules_notification_alert_type'; // eslint-disable-next-line no-restricted-imports 
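Review bot: Removing the `ctiFieldMap` import drops the only explicit typing the deleted file gave to `threat.indicator.*` fields (`ip`, `date`, `geo_point`, `nested`), and neither the commit message "Remove CTI mappings" nor the second plugin.ts hunk, which is unreadable on this page, says what replaces them. If the indicator-match rule type now relies on dynamic mapping for those fields in the alerts index, IP-range, date and geo queries against enriched alerts would behave differently from before; I cannot confirm that from the visible lines. A one-line comment at the removal site, or a sentence in the commit message, stating where `threat.indicator.*` mappings now come from (or that they are intentionally no longer declared) would make the intent reviewable.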
@@ -246,10 +245,7 @@ export class Plugin implements IPlugin Date: Tue, 12 Oct 2021 10:30:10 +0200 Subject: [PATCH 3/8] Update CTI_DATASET_KEY_MAP --- .../security_solution/common/cti/constants.ts | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/x-pack/plugins/security_solution/common/cti/constants.ts b/x-pack/plugins/security_solution/common/cti/constants.ts index 217ee912e666e..e63385a15062f 100644 --- a/x-pack/plugins/security_solution/common/cti/constants.ts +++ b/x-pack/plugins/security_solution/common/cti/constants.ts @@ -59,11 +59,11 @@ export const DEFAULT_EVENT_ENRICHMENT_FROM = 'now-30d'; export const DEFAULT_EVENT_ENRICHMENT_TO = 'now'; export const CTI_DATASET_KEY_MAP: { [key: string]: string } = { - 'Abuse URL': 'threat.abuseurl', - 'Abuse Malware': 'threat.abusemalware', - 'AlienVault OTX': 'threat.otx', - Anomali: 'threat.anomali', - 'Malware Bazaar': 'threat.malwarebazaar', - MISP: 'threat.misp', - 'Recorded Future': 'threat.recordedfuture', + 'Abuse URL': 'ti_abusech.url', + 'Abuse Malware': 'ti_abusech.malware', + 'Malware Bazaar': 'ti_abusech.malwarebazaar', + 'AlienVault OTX': 'ti_otx.threat', + 'Anomali Limo': 'ti_anomali.limo', + 'Anomali ThreatStream': 'ti_anomali.threatstream', + MISP: 'ti_misp.threat', }; From 44dfae942c7274a5df9bd8909dbe37343d1135dd Mon Sep 17 00:00:00 2001 From: Khristinin Nikita Date: Tue, 12 Oct 2021 10:30:39 +0200 Subject: [PATCH 4/8] Update default threat index --- x-pack/plugins/security_solution/common/constants.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts index 12f6108638c1d..84723cf63d166 100644 --- a/x-pack/plugins/security_solution/common/constants.ts +++ b/x-pack/plugins/security_solution/common/constants.ts 
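Review bot: The new `CTI_DATASET_KEY_MAP` drops the `Anomali` and `Recorded Future` keys and adds `Anomali Limo` / `Anomali ThreatStream`, but the `{ [key: string]: string }` annotation means a lookup by a removed display name still type-checks and yields `undefined` at runtime instead of failing at compile time. Declaring the object `as const` (or with `satisfies Record<string, string>`) keeps the key set literal so stale callers are caught by the compiler, and any caller that indexes it with a name taken from saved objects or user input should guard for `undefined`. The values are now presumably the `event.dataset` names written by the `ti_*` integrations that the `logs-ti_*` default in PATCH 4 targets; a comment above the map saying so, e.g. `// Display name -> event.dataset of the ti_* threat-intel integrations`, would stop the next reader from treating them as arbitrary labels.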
@@ -64,7 +64,7 @@ export const DEFAULT_SPACE_ID = 'default'; export const DEFAULT_INDICATOR_SOURCE_PATH = 'threat.indicator'; export const ENRICHMENT_DESTINATION_PATH = 'threat.enrichments'; export const DEFAULT_THREAT_INDEX_KEY = 'securitySolution:defaultThreatIndex'; -export const DEFAULT_THREAT_INDEX_VALUE = ['filebeat-*']; +export const DEFAULT_THREAT_INDEX_VALUE = ['logs-ti_*']; export const DEFAULT_THREAT_MATCH_QUERY = '@timestamp >= "now-30d"'; export enum SecurityPageName { From bec5e149d3d7d8ee0747871c2472b9b7c1490c1b Mon Sep 17 00:00:00 2001 From: Khristinin Nikita Date: Tue, 12 Oct 2021 15:17:11 +0200 Subject: [PATCH 5/8] Change mapping to dataset --- .../search_strategy/security_solution/cti/index.mock.ts | 4 ++-- .../es_archives/filebeat/threat_intel/data.json | 8 ++++---- .../security_solution/legacy_cti_signals/data.json | 4 ++-- .../es_archives/threat_indicator/data.json | 2 +- .../es_archives/threat_indicator2/data.json | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts index 03c8ccd6886b8..4656a200ccac6 100644 --- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts +++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.mock.ts @@ -91,7 +91,7 @@ export const buildEventEnrichmentRawResponseMock = (): IEsSearchResponse => ({ 'agent.ephemeral_id': ['d6b14f65-5bf3-430d-8315-7b5613685979'], 'threat.indicator.file.size': [24738], 'agent.version': ['8.0.0'], - 'event.dataset': ['threat.abusemalware'], + 'event.dataset': ['ti_abusech.malware'], }, matched_queries: ['file.hash.md5'], }, 
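Review bot: `DEFAULT_THREAT_INDEX_VALUE` switching from `filebeat-*` to `logs-ti_*` changes which indices indicator-match rules query by default, with no fallback for deployments still ingesting indicators through the Filebeat threatintel module; their rules will query a pattern with no data and quietly produce no alerts, a silent detection gap rather than an error. Because this is only the default for the `securitySolution:defaultThreatIndex` setting, spaces that already persisted the old value keep `filebeat-*`, so upgraded and fresh installs will behave differently. If dropping the legacy pattern is intended, the constant deserves a comment recording it, e.g. `// Default index pattern for threat indicators: the logs-ti_* data streams of the ti_* threat-intel integrations. The legacy filebeat-* pattern is no longer included by default.`, and the change should be called out in release notes.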
@@ -113,7 +113,7 @@ export const buildEventEnrichmentMock = (
 'ecs.version': ['1.6.0'],
 'event.category': ['threat'],
 'event.created': ['2021-05-28T18:33:52.993Z'],
- 'event.dataset': ['threat.abusemalware'],
+ 'event.dataset': ['ti_abusech.malware'],
 'event.ingested': ['2021-05-28T18:33:55.086Z'],
 'event.kind': ['enrichment'],
 'event.module': ['threatintel'],
diff --git a/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json b/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json
index b843371cce530..f426ffae33e1c 100644
--- a/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json
+++ b/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json
@@ -18,7 +18,7 @@
 "event": {
 "category": "threat",
 "created": "2021-01-26T11:09:05.529Z",
- "dataset": "threat.abuseurl",
+ "dataset": "ti_abusech.malware",
 "ingested": "2021-01-26T11:09:06.595350Z",
 "kind": "enrichment",
 "module": "threatintel",
@@ -87,7 +87,7 @@
 "event": {
 "category": "threat",
 "created": "2021-01-26T11:09:05.529Z",
- "dataset": "threat.abuseurl",
+ "dataset": "ti_abusech.malware",
 "ingested": "2021-01-26T11:09:06.616763Z",
 "kind": "enrichment",
 "module": "threatintel",
@@ -156,7 +156,7 @@
 "event": {
 "category": "threat",
 "created": "2021-01-26T11:09:05.529Z",
- "dataset": "threat.abuseurl",
+ "dataset": "ti_abusech.malware",
 "ingested": "2021-01-26T11:09:06.616763Z",
 "kind": "enrichment",
 "module": "threatintel",
@@ -226,7 +226,7 @@
 "event": {
 "category": "threat",
 "created": "2021-01-26T11:09:05.529Z",
- "dataset": "threat.abuseurl",
+ "dataset": "ti_abusech.malware",
 "ingested": "2021-01-26T11:09:06.616763Z",
 "kind": "enrichment",
 "module": "threatintel",
diff --git a/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json b/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json
index 1a16150317bc2..56fa5ea6af329 100644
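Review bot: The mock now pairs `'event.dataset': ['ti_abusech.malware']` with the unchanged context `'event.module': ['threatintel']`, which is the old Filebeat module name; if the `ti_abusech` integration writes a different `event.module`, this mock (and the @@ -91 hunk on the previous line) no longer resembles a real enrichment document, and a test keyed on both fields would pass against data that never occurs. Confirm what the integration emits and align `event.module` in the same change. `buildEventEnrichmentMock` starts before the hunk.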
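Review bot: These documents were `threat.abuseurl` records and are relabelled `ti_abusech.malware` rather than `ti_abusech.url`, although `CTI_DATASET_KEY_MAP` in patch 3 maps 'Abuse URL' to `ti_abusech.url`; the archive now claims malware-dataset provenance for what look like URL-indicator fixtures, which can hide a dataset-specific bug in any test that filters through the map. The same substitution appears in the @@ -87, @@ -156 and @@ -226 hunks here and in the two legacy_cti_signals hunks on the next line. If the malware dataset is intended, the indicator fields of these documents should match it; otherwise use `ti_abusech.url`.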
--- a/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json
+++ b/x-pack/test/functional/es_archives/security_solution/legacy_cti_signals/data.json
@@ -190,7 +190,7 @@
 "event": {
 "category": "threat",
 "created": "2021-08-04T03:53:30.761Z",
- "dataset": "threat.abuseurl",
+ "dataset": "ti_abusech.malware",
 "ingested": "2021-08-04T03:53:37.514040Z",
 "kind": "enrichment",
 "module": "threatintel",
@@ -434,7 +434,7 @@
 "event": {
 "category": "threat",
 "created": "2021-08-04T03:53:30.761Z",
- "dataset": "threat.abuseurl",
+ "dataset": "ti_abusech.malware",
 "ingested": "2021-08-04T03:53:37.514040Z",
 "kind": "enrichment",
 "module": "threatintel",
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json
index f9b9c4cc73b84..9ad51dfcdc94b 100644
--- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json
+++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json
@@ -68,7 +68,7 @@
 "module": "threatintel",
 "category": "threat",
 "type": "indicator",
- "dataset": "threat.abusemalware"
+ "dataset": "ti_abusech.malware"
 }
 }
 }
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json
index 5d4946dd74042..16b6a9eb2d37f 100644
--- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json
+++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json
@@ -56,7 +56,7 @@
 "module": "threatintel",
 "category": "threat",
 "type": "indicator",
- "dataset": "threat.abusemalware"
+ "dataset": "ti_abusech.malware"
 }
 }
 }
From 752c80a5117e331d459c1d9863a3c357926e6fc2 Mon Sep 17 00:00:00 2001
From: Khristinin Nikita
Date: Wed, 13 Oct 2021 17:57:39 +0200
Subject: [PATCH 6/8] Fix tests
---
 .../security_solution/cypress/objects/rule.ts | 2 +-
 .../es_archives/threat_indicator/data.json | 16 ++++++++--------
 .../es_archives/threat_indicator/mappings.json | 2 +-
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/x-pack/plugins/security_solution/cypress/objects/rule.ts b/x-pack/plugins/security_solution/cypress/objects/rule.ts
index 028e6698fee34..4b061865d632b 100644
--- a/x-pack/plugins/security_solution/cypress/objects/rule.ts
+++ b/x-pack/plugins/security_solution/cypress/objects/rule.ts
@@ -108,7 +108,7 @@ export const getIndexPatterns = (): string[] => [
 'winlogbeat-*',
 ];
-export const getThreatIndexPatterns = (): string[] => ['filebeat-*'];
+export const getThreatIndexPatterns = (): string[] => ['logs-ti_*'];
 const getMitre1 = (): Mitre => ({
 tactic: `${getMockThreatData().tactic.name} (${getMockThreatData().tactic.id})`,
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json
index 9ad51dfcdc94b..95006903efa3f 100644
--- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json
+++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json
@@ -16,7 +16,7 @@
 "fileset": {
 "name": "abusemalware"
 },
- "threatintel": {
+ "threat": {
 "indicator": {
 "first_seen": "2021-03-10T08:02:14.000Z",
 "file": {
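Review bot: `getThreatIndexPatterns` re-declares the value of `DEFAULT_THREAT_INDEX_VALUE` from `common/constants.ts`, and this series already had to update the two in separate patches (4 and 6), which is exactly the drift the duplication invites. If the Cypress objects may import from `common`, `export const getThreatIndexPatterns = (): string[] => [...DEFAULT_THREAT_INDEX_VALUE];` keeps them in step; otherwise at least add `// Mirrors DEFAULT_THREAT_INDEX_VALUE in common/constants.ts` above it so the next rename finds both.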
@@ -31,13 +31,13 @@
 }
 },
 "type": "file"
- },
- "abusemalware": {
- "virustotal": {
- "result": "38 / 61",
- "link": "https://www.virustotal.com/gui/file/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3/detection/f-a04ac6d",
- "percent": "62.30"
- }
+ }
+ },
+ "abusemalware": {
+ "virustotal": {
+ "result": "38 / 61",
+ "link": "https://www.virustotal.com/gui/file/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3/detection/f-a04ac6d",
+ "percent": "62.30"
 }
 },
 "tags": [
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json
index efd23c5a6bba4..55dccfbf57641 100644
--- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json
+++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json
@@ -194,7 +194,7 @@
 }
 }
 },
- "threatintel": {
+ "threat": {
 "properties": {
 "abusemalware": {
 "properties": {
From 3c5a41e6fc26c1773d5fbae865263ec3a09cafe9 Mon Sep 17 00:00:00 2001
From: Khristinin Nikita
Date: Thu, 14 Oct 2021 12:31:25 +0200
Subject: [PATCH 7/8] Fix tests
---
 .../integration/detection_alerts/cti_enrichments.spec.ts | 4 ++--
 .../es_archives/threat_indicator/data.json | 2 +-
 .../es_archives/threat_indicator/mappings.json | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/cti_enrichments.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/cti_enrichments.spec.ts
index 8d60dc33216c0..b3c6abcd8e426 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/cti_enrichments.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/cti_enrichments.spec.ts
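Review bot: The @@ -31 hunk moves `abusemalware` out of the renamed `threat` object to the document root (it now follows the `},` that closes `threat`), while the mappings.json hunk in the same patch keeps `abusemalware` under `threat.properties`, so the archive's data and mapping no longer describe the same document shape. Either move `abusemalware` to the top level of the mapping as well or keep it under `threat` in the data; as written the root-level object would presumably be mapped dynamically at load time and the fixture would drift from what the integration really writes — confirm against the integration's field reference before choosing.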
@@ -79,7 +79,7 @@ describe('CTI Enrichment', () => {
 { line: 4, text: ' "threat": {' },
 {
 line: 3,
- text: ' "enrichments": "{\\"indicator\\":{\\"first_seen\\":\\"2021-03-10T08:02:14.000Z\\",\\"file\\":{\\"size\\":80280,\\"pe\\":{},\\"type\\":\\"elf\\",\\"hash\\":{\\"sha256\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"tlsh\\":\\"6D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\\",\\"ssdeep\\":\\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\\",\\"md5\\":\\"9b6c3518a91d23ed77504b5416bfb5b3\\"}},\\"type\\":\\"file\\"},\\"matched\\":{\\"atomic\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"field\\":\\"myhash.mysha256\\",\\"id\\":\\"84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f\\",\\"index\\":\\"filebeat-7.12.0-2021.03.10-000001\\",\\"type\\":\\"indicator_match_rule\\"}}"',
+ text: ' "enrichments": "{\\"indicator\\":{\\"first_seen\\":\\"2021-03-10T08:02:14.000Z\\",\\"file\\":{\\"size\\":80280,\\"pe\\":{},\\"type\\":\\"elf\\",\\"hash\\":{\\"sha256\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"tlsh\\":\\"6D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\\",\\"ssdeep\\":\\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\\",\\"md5\\":\\"9b6c3518a91d23ed77504b5416bfb5b3\\"}},\\"type\\":\\"file\\"},\\"matched\\":{\\"atomic\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"field\\":\\"myhash.mysha256\\",\\"id\\":\\"84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f\\",\\"index\\":\\"logs-ti_abusech.malware\\",\\"type\\":\\"indicator_match_rule\\"}}"',
 },
 { line: 2, text: ' }' },
 ];
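Review bot: The expected `matched.index` value `logs-ti_abusech.malware` is embedded inside the escaped JSON literal here and repeated as a plain string in the @@ -127 hunk on the next line, and the same name is hard-coded in the threat_indicator data.json and mappings.json archives; hoisting it into one `const THREAT_INDICATOR_INDEX = 'logs-ti_abusech.malware';` used by both expectations keeps the spec in step with the archive the next time the index is renamed. The single-line escaped string is also hard to review; building it with `JSON.stringify` from an object literal would make future field changes diffable. The enclosing `describe('CTI Enrichment')` block starts and ends outside the hunk.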
@@ -127,7 +127,7 @@ describe('CTI Enrichment', () => {
 field: 'matched.id',
 value: '84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f',
 },
- { field: 'matched.index', value: 'filebeat-7.12.0-2021.03.10-000001' },
+ { field: 'matched.index', value: 'logs-ti_abusech.malware' },
 { field: 'matched.type', value: 'indicator_match_rule' },
 ];
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json
index 95006903efa3f..a2e0c2d2921dc 100644
--- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json
+++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json
@@ -2,7 +2,7 @@
 "type": "doc",
 "value": {
 "id": "84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f",
- "index": "filebeat-7.12.0-2021.03.10-000001",
+ "index": "logs-ti_abusech.malware",
 "source": {
 "@timestamp": "2021-03-10T14:51:05.766Z",
 "agent": {
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json
index 55dccfbf57641..8840cd4bee0dd 100644
--- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json
+++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json
@@ -6,7 +6,7 @@
 "is_write_index": true
 }
 },
- "index": "filebeat-7.12.0-2021.03.10-000001",
+ "index": "logs-ti_abusech.malware",
 "mappings": {
 "_meta": {
 "beat": "filebeat",
From 301908269ac89d8b815052a2e4335b0a1b1c334a Mon Sep 17 00:00:00 2001
From: Khristinin Nikita
Date: Thu, 14 Oct 2021 16:51:15 +0200
Subject: [PATCH 8/8] Fix test
---
 .../es_archives/threat_indicator2/data.json | 4 ++--
 .../es_archives/threat_indicator2/mappings.json | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json
index 16b6a9eb2d37f..1a8d3ff5a309a 100644
--- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json
+++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/data.json
@@ -2,7 +2,7 @@
 "type": "doc",
 "value": {
 "id": "a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3",
- "index": "filebeat-7.12.0-2021.03.11-000001",
+ "index": "logs-ti_abusech.malware",
 "source": {
 "@timestamp": "2021-06-27T14:51:05.766Z",
 "agent": {
@@ -16,7 +16,7 @@
 "fileset": {
 "name": "abusemalware"
 },
- "threatintel": {
+ "threat": {
 "indicator": {
 "first_seen": "2021-03-11T08:02:14.000Z",
 "ip": "192.168.1.1",
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/mappings.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/mappings.json
index 072318f7f4fc4..cba4263f32b69 100644
--- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/mappings.json
+++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator2/mappings.json
@@ -2,11 +2,11 @@
 "type": "index",
 "value": {
 "aliases": {
- "filebeat-7.12.0": {
+ "logs-ti": {
 "is_write_index": false
 }
 },
- "index": "filebeat-7.12.0-2021.03.11-000001",
+ "index": "logs-ti_abusech.malware",
 "mappings": {
 "_meta": {
 "beat": "filebeat",
@@ -194,7 +194,7 @@
 }
 }
 },
- "threatintel": {
+ "threat": {
 "properties": {
 "abusemalware": {
 "properties": {
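Review bot: After this patch the `threat_indicator` archive (renamed in patch 7) and the `threat_indicator2` archive both create an index named `logs-ti_abusech.malware`, where they previously used the distinct `filebeat-7.12.0-2021.03.10-000001` and `filebeat-7.12.0-2021.03.11-000001`; any spec that loads both archives into the same cluster would now collide on the index name or silently merge their documents — confirm none does, or give the second archive its own name. The @@ -2,11 mappings hunk and the @@ -2,7 data.json hunk above carry the same rename and would change together. Note also that the new alias `logs-ti` does not itself match `logs-ti_*`; only the index name satisfies the default threat index pattern, which is fine for a fixture but worth knowing when reading the test.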