diff --git a/packages/ti_anomali/changelog.yml b/packages/ti_anomali/changelog.yml
index fe2cd13c3ae..bbdef7327d5 100644
--- a/packages/ti_anomali/changelog.yml
+++ b/packages/ti_anomali/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.22.1"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "1.22.0"
 changes:
 - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/ti_anomali/data_stream/threatstream/fields/ecs.yml b/packages/ti_anomali/data_stream/threatstream/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_anomali/data_stream/threatstream/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_anomali/data_stream/threatstream/sample_event.json b/packages/ti_anomali/data_stream/threatstream/sample_event.json
index 049546c914d..2cde432bbb5 100644
--- a/packages/ti_anomali/data_stream/threatstream/sample_event.json
+++ b/packages/ti_anomali/data_stream/threatstream/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2020-10-08T12:22:11.000Z",
 "agent": {
- "ephemeral_id": "5f5fdd12-5b96-4370-aae2-3f4ca99136eb",
- "id": "8130bdff-3530-4540-8c03-ba091c47a24f",
+ "ephemeral_id": "2f4f6445-5077-4a66-8582-2c74e071b6dd",
+ "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.11.0"
+ "version": "8.13.0"
 },
 "anomali": {
 "threatstream": {
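Review bot: The new ecs.yml gives no reason for declaring threat.indicator.first_seen, last_seen and modified_at explicitly, while the 1.22.0 changelog entry visible in the same hunk says ECS fields redundant with the ecs@mappings component template were removed; without a note, a future cleanup is likely to drop these three again. Presumably the component template does not map them as date (the changelog calls this a date-mapping fix), so a one-line header comment should record that, e.g. `# Declared explicitly so these ECS fields are mapped as date; not covered by ecs@mappings, do not remove as redundant.` The same applies to the identical new files for ti_crowdstrike (intel and ioc), ti_cybersixgill and ti_eclecticiq, and to the additions in ti_cif3's existing ecs.yml. No pipeline or system test asserting the resulting mapping type is visible in the part of the diff shown, so consider adding one that would catch a regression.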
@@ -30,16 +30,16 @@ }, "data_stream": { "dataset": "ti_anomali.threatstream", - "namespace": "ep", + "namespace": "44735", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8130bdff-3530-4540-8c03-ba091c47a24f", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "snapshot": false, - "version": "8.11.0" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", @@ -47,7 +47,7 @@ "threat" ], "dataset": "ti_anomali.threatstream", - "ingested": "2023-12-22T11:03:22Z", + "ingested": "2024-08-01T07:49:22Z", "kind": "enrichment", "original": "{\"added_at\":\"2020-10-08T12:22:11\",\"classification\":\"public\",\"confidence\":20,\"country\":\"FR\",\"date_first\":\"2020-10-08T12:21:50\",\"date_last\":\"2020-10-08T12:24:42\",\"detail2\":\"imported by user 184\",\"domain\":\"d4xgfj.example.net\",\"id\":3135167627,\"import_session_id\":1400,\"itype\":\"mal_domain\",\"lat\":-49.1,\"lon\":94.4,\"org\":\"OVH Hosting\",\"resource_uri\":\"/api/v1/intelligence/P46279656657/\",\"severity\":\"high\",\"source\":\"Default Organization\",\"source_feed_id\":3143,\"srcip\":\"89.160.20.156\",\"state\":\"active\",\"trusted_circle_ids\":\"122\",\"update_id\":3786618776,\"value_type\":\"domain\"}", "severity": 7, diff --git a/packages/ti_anomali/docs/README.md b/packages/ti_anomali/docs/README.md index 2c496c354c8..02f9ef71307 100644 --- a/packages/ti_anomali/docs/README.md +++ b/packages/ti_anomali/docs/README.md @@ -44,11 +44,11 @@ An example event for `threatstream` looks as following: { "@timestamp": "2020-10-08T12:22:11.000Z", "agent": { - "ephemeral_id": "5f5fdd12-5b96-4370-aae2-3f4ca99136eb", - "id": "8130bdff-3530-4540-8c03-ba091c47a24f", + "ephemeral_id": "2f4f6445-5077-4a66-8582-2c74e071b6dd", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.13.0" }, "anomali": { "threatstream": { 
@@ -73,16 +73,16 @@ An example event for `threatstream` looks as following: }, "data_stream": { "dataset": "ti_anomali.threatstream", - "namespace": "ep", + "namespace": "44735", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "8130bdff-3530-4540-8c03-ba091c47a24f", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "snapshot": false, - "version": "8.11.0" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", @@ -90,7 +90,7 @@ An example event for `threatstream` looks as following: "threat" ], "dataset": "ti_anomali.threatstream", - "ingested": "2023-12-22T11:03:22Z", + "ingested": "2024-08-01T07:49:22Z", "kind": "enrichment", "original": "{\"added_at\":\"2020-10-08T12:22:11\",\"classification\":\"public\",\"confidence\":20,\"country\":\"FR\",\"date_first\":\"2020-10-08T12:21:50\",\"date_last\":\"2020-10-08T12:24:42\",\"detail2\":\"imported by user 184\",\"domain\":\"d4xgfj.example.net\",\"id\":3135167627,\"import_session_id\":1400,\"itype\":\"mal_domain\",\"lat\":-49.1,\"lon\":94.4,\"org\":\"OVH Hosting\",\"resource_uri\":\"/api/v1/intelligence/P46279656657/\",\"severity\":\"high\",\"source\":\"Default Organization\",\"source_feed_id\":3143,\"srcip\":\"89.160.20.156\",\"state\":\"active\",\"trusted_circle_ids\":\"122\",\"update_id\":3786618776,\"value_type\":\"domain\"}", "severity": 7, 
@@ -178,4 +178,7 @@ An example event for `threatstream` looks as following: | log.offset | Offset of the entry in the log file. | long | | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | | threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | diff --git a/packages/ti_anomali/manifest.yml b/packages/ti_anomali/manifest.yml index 0a24809b304..df591d3e9e0 100644 --- a/packages/ti_anomali/manifest.yml +++ b/packages/ti_anomali/manifest.yml @@ -1,6 +1,6 @@ name: ti_anomali title: Anomali -version: "1.22.0" +version: "1.22.1" description: Ingest threat intelligence indicators from Anomali with Elastic Agent. type: integration format_version: 3.0.2 diff --git a/packages/ti_cif3/changelog.yml b/packages/ti_cif3/changelog.yml index 2fac90c48a9..87c801ce8c8 100644 --- a/packages/ti_cif3/changelog.yml +++ b/packages/ti_cif3/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.14.1" + changes: + - description: Fix ECS date mapping on threat fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/10674 - version: "1.14.0" changes: - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/ti_cif3/data_stream/feed/fields/ecs.yml b/packages/ti_cif3/data_stream/feed/fields/ecs.yml index 5e8cd8465f7..b7bcdc24330 100644 --- a/packages/ti_cif3/data_stream/feed/fields/ecs.yml +++ b/packages/ti_cif3/data_stream/feed/fields/ecs.yml 
@@ -1,3 +1,9 @@
+- name: threat.indicator.first_seen
+ external: ecs
+- name: threat.indicator.last_seen
+ external: ecs
+- name: threat.indicator.modified_at
+ external: ecs
 - name: threat.indicator.tls.client.ja3
 level: extended
 type: keyword
diff --git a/packages/ti_cif3/data_stream/feed/sample_event.json b/packages/ti_cif3/data_stream/feed/sample_event.json
index 17073fd0730..ad73d7b10a3 100755
--- a/packages/ti_cif3/data_stream/feed/sample_event.json
+++ b/packages/ti_cif3/data_stream/feed/sample_event.json
@@ -1,11 +1,11 @@
 {
- "@timestamp": "2024-04-10T04:46:58.281Z",
+ "@timestamp": "2024-08-01T08:05:14.040Z",
 "agent": {
- "ephemeral_id": "94c530db-5c8f-407c-939b-cd1d21d547fc",
- "id": "28f0e936-c71c-4f75-8919-506fed4d20e7",
+ "ephemeral_id": "b351d699-2fd0-49f7-99e1-a7a471a29a62",
+ "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "cif3": {
 "deleted_at": "2022-09-03T20:25:53.000Z",
@@ -17,25 +17,25 @@ }, "data_stream": { "dataset": "ti_cif3.feed", - "namespace": "ep", + "namespace": "26457", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "28f0e936-c71c-4f75-8919-506fed4d20e7", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2024-04-10T04:46:58.281Z", + "created": "2024-08-01T08:05:14.040Z", "dataset": "ti_cif3.feed", - "ingested": "2024-04-10T04:47:10Z", + "ingested": "2024-08-01T08:05:26Z", "kind": "enrichment", "original": "{\"application\":\"https\",\"asn\":8075,\"asn_desc\":\"microsoft-corp-msn-as-block\",\"cc\":\"br\",\"city\":\"campinas\",\"confidence\":10,\"count\":1,\"firsttime\":\"2022-07-20T20:25:53.000000Z\",\"group\":[\"everyone\"],\"indicator\":\"20.206.75.106\",\"indicator_ipv4\":\"20.206.75.106\",\"itype\":\"ipv4\",\"lasttime\":\"2022-07-20T20:25:53.000000Z\",\"latitude\":-22.9035,\"location\":[-47.0565,-22.9035],\"longitude\":-47.0565,\"portlist\":\"443\",\"protocol\":\"tcp\",\"provider\":\"sslbl.abuse.ch\",\"reference\":\"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv\",\"region\":\"sao paulo\",\"reporttime\":\"2022-07-21T20:33:26.585967Z\",\"tags\":[\"botnet\"],\"timezone\":\"america/sao_paulo\",\"tlp\":\"white\",\"uuid\":\"ac240898-1443-4d7e-a98a-1daed220c162\"}", "type": [ diff --git a/packages/ti_cif3/docs/README.md b/packages/ti_cif3/docs/README.md index 6dee6248430..fd578fbd2d7 100644 --- a/packages/ti_cif3/docs/README.md +++ b/packages/ti_cif3/docs/README.md 
@@ -79,6 +79,9 @@ CIFv3 `confidence` field values (0..10) are converted to ECS confidence (None, L | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | | threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | | threat.indicator.tls.client.ja3 | An md5 hash that identifies clients based on their TLS handshake. | keyword | @@ -86,13 +89,13 @@ An example event for `feed` looks as following: ```json { - "@timestamp": "2024-04-10T04:46:58.281Z", + "@timestamp": "2024-08-01T08:05:14.040Z", "agent": { - "ephemeral_id": "94c530db-5c8f-407c-939b-cd1d21d547fc", - "id": "28f0e936-c71c-4f75-8919-506fed4d20e7", + "ephemeral_id": "b351d699-2fd0-49f7-99e1-a7a471a29a62", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.1" + "version": "8.13.0" }, "cif3": { "deleted_at": "2022-09-03T20:25:53.000Z", 
@@ -104,25 +107,25 @@ An example event for `feed` looks as following: }, "data_stream": { "dataset": "ti_cif3.feed", - "namespace": "ep", + "namespace": "26457", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "28f0e936-c71c-4f75-8919-506fed4d20e7", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2024-04-10T04:46:58.281Z", + "created": "2024-08-01T08:05:14.040Z", "dataset": "ti_cif3.feed", - "ingested": "2024-04-10T04:47:10Z", + "ingested": "2024-08-01T08:05:26Z", "kind": "enrichment", "original": "{\"application\":\"https\",\"asn\":8075,\"asn_desc\":\"microsoft-corp-msn-as-block\",\"cc\":\"br\",\"city\":\"campinas\",\"confidence\":10,\"count\":1,\"firsttime\":\"2022-07-20T20:25:53.000000Z\",\"group\":[\"everyone\"],\"indicator\":\"20.206.75.106\",\"indicator_ipv4\":\"20.206.75.106\",\"itype\":\"ipv4\",\"lasttime\":\"2022-07-20T20:25:53.000000Z\",\"latitude\":-22.9035,\"location\":[-47.0565,-22.9035],\"longitude\":-47.0565,\"portlist\":\"443\",\"protocol\":\"tcp\",\"provider\":\"sslbl.abuse.ch\",\"reference\":\"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv\",\"region\":\"sao paulo\",\"reporttime\":\"2022-07-21T20:33:26.585967Z\",\"tags\":[\"botnet\"],\"timezone\":\"america/sao_paulo\",\"tlp\":\"white\",\"uuid\":\"ac240898-1443-4d7e-a98a-1daed220c162\"}", "type": [ diff --git a/packages/ti_cif3/manifest.yml b/packages/ti_cif3/manifest.yml index d5a258a9f2d..366b20a32ff 100644 --- a/packages/ti_cif3/manifest.yml +++ b/packages/ti_cif3/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: ti_cif3 title: "Collective Intelligence Framework v3" -version: "1.14.0" +version: "1.14.1" description: "Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent." type: integration categories: 
diff --git a/packages/ti_crowdstrike/changelog.yml b/packages/ti_crowdstrike/changelog.yml
index b9eaaa7ca89..d20bfde9563 100644
--- a/packages/ti_crowdstrike/changelog.yml
+++ b/packages/ti_crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.3"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "1.1.2"
 changes:
 - description: Fix handling of timestamps with positive time zone offsets.
diff --git a/packages/ti_crowdstrike/data_stream/intel/fields/ecs.yml b/packages/ti_crowdstrike/data_stream/intel/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_crowdstrike/data_stream/intel/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_crowdstrike/data_stream/intel/sample_event.json b/packages/ti_crowdstrike/data_stream/intel/sample_event.json
index 243719823f2..fc45d089801 100644
--- a/packages/ti_crowdstrike/data_stream/intel/sample_event.json
+++ b/packages/ti_crowdstrike/data_stream/intel/sample_event.json
@@ -1,24 +1,24 @@ { "@timestamp": "2023-11-21T06:16:01.000Z", "agent": { - "ephemeral_id": "ee250a38-ef6d-486c-a245-6d0dd0785a11", - "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", + "ephemeral_id": "6d3e7b87-a3f6-47b1-81a5-0264e901b3f9", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.0" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_crowdstrike.intel", - "namespace": "ep", + "namespace": "36922", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "snapshot": false, - "version": "8.12.0" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -27,7 +27,7 @@ ], "dataset": "ti_crowdstrike.intel", "id": "hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d", - "ingested": "2024-03-28T10:49:11Z", + "ingested": "2024-08-01T08:31:15Z", "kind": "enrichment", "original": "{\"_marker\":\"17005473618d17ae6353d123235e4158c5c81f25f0\",\"actors\":[\"SALTYSPIDER\"],\"deleted\":false,\"domain_types\":[\"abc.com\"],\"id\":\"hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"indicator\":\"c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"ip_address_types\":[\"81.2.69.192\"],\"kill_chains\":[\"Installation\",\"C2\"],\"labels\":[{\"created_on\":1700547356,\"last_valid_on\":1700547360,\"name\":\"MaliciousConfidence/High\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"Malware/Mofksys\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/Commodity\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/CredentialHarvesting\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/InformationStealer\"}],\"last_updated\":1700547361,\"malicious_confidence\":\"high\",\"malware_families\":[\"Mofksys\"],\"published_date\":1700547356,\"relations\":[{\"created_date\":1700547339,\"id\":\"domain.com.yy\",\"indicator\":\"domain.ds\",\"last_valid_date\":1700547339,\"type\":\"domain\"},{\"created_date\":1700547339,\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"last_valid_date\":1700547339,\"type\":\"domain\"}],\"reports\":[\"reports\"],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"type\":\"hash_sha256\",\"vulnerabilities\":[\"vuln\"]}", "type": [ diff --git a/packages/ti_crowdstrike/data_stream/ioc/fields/ecs.yml b/packages/ti_crowdstrike/data_stream/ioc/fields/ecs.yml new file mode 100644 index 00000000000..e3ba6a4be1b --- /dev/null +++ b/packages/ti_crowdstrike/data_stream/ioc/fields/ecs.yml 
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_crowdstrike/data_stream/ioc/sample_event.json b/packages/ti_crowdstrike/data_stream/ioc/sample_event.json
index b6ce8f6728e..2d1a7121be0 100644
--- a/packages/ti_crowdstrike/data_stream/ioc/sample_event.json
+++ b/packages/ti_crowdstrike/data_stream/ioc/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2023-11-01T10:22:23.106Z",
 "agent": {
- "ephemeral_id": "ca4c5a70-0aa1-4cb3-867c-3c099798eef4",
- "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4",
+ "ephemeral_id": "6b69edbe-1d0f-4094-80d6-12915b7784ed",
+ "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.0"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_crowdstrike.ioc",
- "namespace": "ep",
+ "namespace": "60867",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4",
+ "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a",
 "snapshot": false,
- "version": "8.12.0"
+ "version": "8.13.0"
 },
 "event": {
 "action": "detect-again",
@@ -28,7 +28,7 @@ ], "dataset": "ti_crowdstrike.ioc", "id": "34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44", - "ingested": "2024-03-28T10:50:10Z", + "ingested": "2024-08-01T08:32:09Z", "kind": "enrichment", "original": "{\"action\":\"detect again\",\"applied_globally\":true,\"created_by\":\"abc.it@example.com\",\"created_on\":\"2023-11-01T10:22:23.10607613Z\",\"deleted\":false,\"description\":\"IS-38887\",\"expired\":false,\"from_parent\":false,\"id\":\"34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44\",\"metadata\":{\"filename\":\"High_Serverity_Heuristic_Sandbox_Threat.docx\"},\"modified_by\":\"example.it@ex.com\",\"modified_on\":\"2023-11-01T10:22:23.10607613Z\",\"platforms\":[\"windows\",\"mac\",\"linux\"],\"severity\":\"critical\",\"tags\":[\"IS-38887\"],\"type\":\"ipv4\",\"value\":\"81.2.69.192\"}", "type": [ diff --git a/packages/ti_crowdstrike/docs/README.md b/packages/ti_crowdstrike/docs/README.md index cb47ece75ef..63b0f4edb61 100644 --- a/packages/ti_crowdstrike/docs/README.md +++ b/packages/ti_crowdstrike/docs/README.md @@ -94,24 +94,24 @@ An example event for `intel` looks as following: { "@timestamp": "2023-11-21T06:16:01.000Z", "agent": { - "ephemeral_id": "ee250a38-ef6d-486c-a245-6d0dd0785a11", - "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", + "ephemeral_id": "6d3e7b87-a3f6-47b1-81a5-0264e901b3f9", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.0" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_crowdstrike.intel", - "namespace": "ep", + "namespace": "36922", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "snapshot": false, - "version": "8.12.0" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -120,7 +120,7 @@ An example event for `intel` looks as following: ], "dataset": "ti_crowdstrike.intel", "id": "hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d", - "ingested": "2024-03-28T10:49:11Z", + "ingested": "2024-08-01T08:31:15Z", "kind": "enrichment", "original": "{\"_marker\":\"17005473618d17ae6353d123235e4158c5c81f25f0\",\"actors\":[\"SALTYSPIDER\"],\"deleted\":false,\"domain_types\":[\"abc.com\"],\"id\":\"hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"indicator\":\"c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"ip_address_types\":[\"81.2.69.192\"],\"kill_chains\":[\"Installation\",\"C2\"],\"labels\":[{\"created_on\":1700547356,\"last_valid_on\":1700547360,\"name\":\"MaliciousConfidence/High\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"Malware/Mofksys\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/Commodity\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/CredentialHarvesting\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/InformationStealer\"}],\"last_updated\":1700547361,\"malicious_confidence\":\"high\",\"malware_families\":[\"Mofksys\"],\"published_date\":1700547356,\"relations\":[{\"created_date\":1700547339,\"id\":\"domain.com.yy\",\"indicator\":\"domain.ds\",\"last_valid_date\":1700547339,\"type\":\"domain\"},{\"created_date\":1700547339,\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"last_valid_date\":1700547339,\"type\":\"domain\"}],\"reports\":[\"reports\"],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"type\":\"hash_sha256\",\"vulnerabilities\":[\"vuln\"]}", "type": [ 
@@ -266,6 +266,9 @@ An example event for `intel` looks as following: | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | | log.offset | Log offset. | long | | threat.feed.name | Display friendly feed name. | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | | ti_crowdstrike.intel._marker | A special marker associated with the Intel Indicator. | keyword | | ti_crowdstrike.intel.actors | Information related to actors associated with the Intel Indicator. | keyword | | ti_crowdstrike.intel.deleted | Indicates whether the Intel Indicator has been deleted. | boolean | @@ -307,24 +310,24 @@ An example event for `ioc` looks as following: { "@timestamp": "2023-11-01T10:22:23.106Z", "agent": { - "ephemeral_id": "ca4c5a70-0aa1-4cb3-867c-3c099798eef4", - "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", + "ephemeral_id": "6b69edbe-1d0f-4094-80d6-12915b7784ed", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.0" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_crowdstrike.ioc", - "namespace": "ep", + "namespace": "60867", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", + "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a", "snapshot": false, - "version": "8.12.0" + "version": "8.13.0" }, "event": { "action": "detect-again", 
@@ -334,7 +337,7 @@ An example event for `ioc` looks as following: ], "dataset": "ti_crowdstrike.ioc", "id": "34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44", - "ingested": "2024-03-28T10:50:10Z", + "ingested": "2024-08-01T08:32:09Z", "kind": "enrichment", "original": "{\"action\":\"detect again\",\"applied_globally\":true,\"created_by\":\"abc.it@example.com\",\"created_on\":\"2023-11-01T10:22:23.10607613Z\",\"deleted\":false,\"description\":\"IS-38887\",\"expired\":false,\"from_parent\":false,\"id\":\"34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44\",\"metadata\":{\"filename\":\"High_Serverity_Heuristic_Sandbox_Threat.docx\"},\"modified_by\":\"example.it@ex.com\",\"modified_on\":\"2023-11-01T10:22:23.10607613Z\",\"platforms\":[\"windows\",\"mac\",\"linux\"],\"severity\":\"critical\",\"tags\":[\"IS-38887\"],\"type\":\"ipv4\",\"value\":\"81.2.69.192\"}", "type": [ @@ -424,6 +427,9 @@ An example event for `ioc` looks as following: | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | | log.offset | Log offset. | long | | threat.feed.name | Display friendly feed name. | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | | ti_crowdstrike.ioc.action | Describes the action taken when the IOC is detected. | keyword | | ti_crowdstrike.ioc.applied_globally | Indicates whether the IOC is applied globally. | boolean | | ti_crowdstrike.ioc.created_by | Indicates the entity or user who created the IOC. | keyword | 
diff --git a/packages/ti_crowdstrike/manifest.yml b/packages/ti_crowdstrike/manifest.yml
index 835cd3f3e40..9292febf9a9 100644
--- a/packages/ti_crowdstrike/manifest.yml
+++ b/packages/ti_crowdstrike/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_crowdstrike
 title: CrowdStrike Falcon Intelligence
-version: "1.1.2"
+version: "1.1.3"
 description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/ti_cybersixgill/changelog.yml b/packages/ti_cybersixgill/changelog.yml
index 2947ecc9b5a..a358f11fdd3 100644
--- a/packages/ti_cybersixgill/changelog.yml
+++ b/packages/ti_cybersixgill/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.30.1"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "1.30.0"
 changes:
 - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml b/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_cybersixgill/data_stream/threat/sample_event.json b/packages/ti_cybersixgill/data_stream/threat/sample_event.json
index 5bff494972c..6306d3b4479 100644
--- a/packages/ti_cybersixgill/data_stream/threat/sample_event.json
+++ b/packages/ti_cybersixgill/data_stream/threat/sample_event.json
@@ -1,8 +1,8 @@ { "@timestamp": "2021-12-07T13:58:01.596Z", "agent": { - "ephemeral_id": "70f5e8ea-8e32-4560-8e0f-3f3438fe9958", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "ephemeral_id": "9c2e1e11-18ae-413f-9523-290c561a4b61", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" @@ -23,14 +23,14 @@ }, "data_stream": { "dataset": "ti_cybersixgill.threat", - "namespace": "39285", + "namespace": "78677", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "snapshot": false, "version": "8.13.0" }, 
@@ -39,9 +39,9 @@ "category": [ "threat" ], - "created": "2024-06-12T03:26:26.797Z", + "created": "2024-08-02T04:14:26.522Z", "dataset": "ti_cybersixgill.threat", - "ingested": "2024-06-12T03:26:27Z", + "ingested": "2024-08-02T04:14:27Z", "kind": "enrichment", "original": "{\"confidence\":70,\"created\":\"2021-12-07T13:58:01.596Z\",\"description\":\"Hash attributed to malware that was discovered in the dark and deep web\",\"extensions\":{\"extension-definition--3de9ff00-174d-4d41-87c9-05a27a7e117c\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"positive_rate\":\"medium\",\"source_name\":\"VirusTotal\",\"url\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\"},{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--302dab0f-64dc-42f5-b99e-702b28c1aaa9\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"en\",\"modified\":\"2021-12-07T13:58:01.596Z\",\"name\":\"4d0f21919d623bd1631ee15ca7429f28;5ce39ef0700b64bd0c71b55caf64ae45d8400965;7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"pattern\":\"[file:hashes.MD5 = '4d0f21919d623bd1631ee15ca7429f28' OR file:hashes.'SHA-1' = '5ce39ef0700b64bd0c71b55caf64ae45d8400965' OR file:hashes.'SHA-256' = '7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"vaedzy\",\"sixgill_confidence\":70,\"sixgill_feedid\":\"darkfeed_012\",\"sixgill_feedname\":\"dark_web_hashes\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"sixgill_postid\":\"c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a\",\"sixgill_posttitle\":\"[病毒样本] #Trickbot 
(2021-12-07)\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_kafan\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T02:55:17Z\"}", "severity": 70, diff --git a/packages/ti_cybersixgill/docs/README.md b/packages/ti_cybersixgill/docs/README.md index ef1b83205a0..5292ce9c5dd 100644 --- a/packages/ti_cybersixgill/docs/README.md +++ b/packages/ti_cybersixgill/docs/README.md @@ -44,6 +44,9 @@ To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_cybe | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | | threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | An example event for `threat` looks as following: @@ -52,8 +55,8 @@ An example event for `threat` looks as following: { "@timestamp": "2021-12-07T13:58:01.596Z", "agent": { - "ephemeral_id": "70f5e8ea-8e32-4560-8e0f-3f3438fe9958", - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "ephemeral_id": "9c2e1e11-18ae-413f-9523-290c561a4b61", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" 
@@ -74,14 +77,14 @@ An example event for `threat` looks as following: }, "data_stream": { "dataset": "ti_cybersixgill.threat", - "namespace": "39285", + "namespace": "78677", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "snapshot": false, "version": "8.13.0" }, 
@@ -90,9 +93,9 @@ An example event for `threat` looks as following:
 "category": [
 "threat"
 ],
- "created": "2024-06-12T03:26:26.797Z",
+ "created": "2024-08-02T04:14:26.522Z",
 "dataset": "ti_cybersixgill.threat",
- "ingested": "2024-06-12T03:26:27Z",
+ "ingested": "2024-08-02T04:14:27Z",
 "kind": "enrichment",
 "original": "{\"confidence\":70,\"created\":\"2021-12-07T13:58:01.596Z\",\"description\":\"Hash attributed to malware that was discovered in the dark and deep web\",\"extensions\":{\"extension-definition--3de9ff00-174d-4d41-87c9-05a27a7e117c\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"positive_rate\":\"medium\",\"source_name\":\"VirusTotal\",\"url\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\"},{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--302dab0f-64dc-42f5-b99e-702b28c1aaa9\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"en\",\"modified\":\"2021-12-07T13:58:01.596Z\",\"name\":\"4d0f21919d623bd1631ee15ca7429f28;5ce39ef0700b64bd0c71b55caf64ae45d8400965;7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"pattern\":\"[file:hashes.MD5 = '4d0f21919d623bd1631ee15ca7429f28' OR file:hashes.'SHA-1' = '5ce39ef0700b64bd0c71b55caf64ae45d8400965' OR file:hashes.'SHA-256' = '7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"vaedzy\",\"sixgill_confidence\":70,\"sixgill_feedid\":\"darkfeed_012\",\"sixgill_feedname\":\"dark_web_hashes\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"sixgill_postid\":\"c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a\",\"sixgill_posttitle\":\"[病毒样本] #Trickbot (2021-12-07)\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_kafan\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T02:55:17Z\"}",
 "severity": 70,
diff --git a/packages/ti_cybersixgill/manifest.yml b/packages/ti_cybersixgill/manifest.yml
index 14458999d3c..c80ec32605d 100644
--- a/packages/ti_cybersixgill/manifest.yml
+++ b/packages/ti_cybersixgill/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_cybersixgill
 title: Cybersixgill
-version: "1.30.0"
+version: "1.30.1"
 description: Ingest threat intelligence indicators from Cybersixgill with Elastic Agent.
 type: integration
 format_version: "3.0.2"
diff --git a/packages/ti_eclecticiq/changelog.yml b/packages/ti_eclecticiq/changelog.yml
index cf0d1667eb9..3ca16267d33 100644
--- a/packages/ti_eclecticiq/changelog.yml
+++ b/packages/ti_eclecticiq/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "1.2.0"
 changes:
 - description: Increase CEL resource.tracer.maxsize to prevent loss of trace responses.
diff --git a/packages/ti_eclecticiq/data_stream/threat/fields/ecs.yml b/packages/ti_eclecticiq/data_stream/threat/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_eclecticiq/data_stream/threat/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_eclecticiq/data_stream/threat/sample_event.json b/packages/ti_eclecticiq/data_stream/threat/sample_event.json
index 0f530dde506..7575cf9c240 100644
--- a/packages/ti_eclecticiq/data_stream/threat/sample_event.json
+++ b/packages/ti_eclecticiq/data_stream/threat/sample_event.json
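Review bot: The new `fields/ecs.yml` lists `threat.indicator.first_seen`, `threat.indicator.last_seen` and `threat.indicator.modified_at` as external ECS fields but does not say why these three have to be declared explicitly when the rest of the package's ECS fields are left to the `ecs@mappings` component template; a later "remove redundant ECS fields" cleanup would be likely to delete this file again and reintroduce the regression the changelog entry fixes. A leading comment would protect it, e.g. `# Declared explicitly so these fields are mapped as date; do not remove as "redundant ECS" (see changelog entry for PR 10674).` — the reason is inferred from the bugfix description, not from the hunk itself. The identical six-line file is added to each ti_eset data stream (apt, botnet, cc, domains, files, ip, url) in the hunks below, so the same comment belongs in every copy, or the duplication should be recorded once so the copies do not drift.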
@@ -1,36 +1,75 @@
 {
- "@timestamp": "2023-06-20T18:06:10.126Z",
+ "@timestamp": "2023-01-01T00:00:00.000Z",
+ "agent": {
+ "ephemeral_id": "cf201e4c-c043-4a07-baa4-2227c8fbb4c3",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.13.0"
+ },
+ "data_stream": {
+ "dataset": "ti_eclecticiq.threat",
+ "namespace": "14085",
+ "type": "logs"
+ },
 "eclecticiq": {
 "threat": {
- "observable_id": "AyGp2BbK9uP5CeLPYv/uuQlDxC8="
+ "observable_id": "OwWGOybxVeL+USaXvDQSNonD5eU="
 }
 },
 "ecs": {
 "version": "8.11.0"
 },
+ "elastic_agent": {
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
+ "snapshot": false,
+ "version": "8.13.0"
+ },
 "event": {
+ "agent_id_status": "verified",
 "category": [
 "threat"
 ],
- "created": "2023-06-08T12:00:30.187Z",
+ "created": "2023-06-08T12:00:30.028Z",
 "dataset": "ti_eclecticiq.threat",
- "id": "XugasX/Bvu/150lNyQjzIGR0zZ8=",
+ "id": "ZgAq/IXlrjc2J5AdLsDMWhENshI=",
+ "ingested": "2024-08-02T04:24:34Z",
 "kind": "enrichment",
- "original": "{\"calculated.relevancy\": \"0.68\", \"calculated.source_reliability\": \"A\", \"calculated.tlp\": \"GREEN\", \"diff\": \"add\", \"entity.id\": \"5e814485-012d-423d-b769-026bfed0f451\", \"entity.title\": \"Example\", \"entity.type\": \"malware\", \"meta.classification\": \"\", \"meta.confidence\": \"\", \"meta.entity_url\": \"https://test.com/entity/5e814485-012d-423d-b769-026bfed0f451\", \"meta.estimated_observed_time\": \"2019-07-09T17:42:44.777000+00:00\", \"meta.estimated_threat_end_time\": \"\", \"meta.estimated_threat_start_time\": \"2022-05-11T14:00:00.188000+00:00\", \"meta.ingest_time\": \"2023-06-08T12:00:30.187097+00:00\", \"meta.relevancy\": \"0.68\", \"meta.source_reliability\": \"A\", \"meta.tags\": \"tag1;tag2\", \"meta.taxonomy\": \"\", \"meta.terms_of_use\": \"\", \"meta.tlp\": \"GREEN\", \"source.ids\": \"47ec245c-9e7b-467e-a016-77a22ff12dd5\", \"source.names\": \"Test Source\", \"timestamp\": \"2023-06-20 18:06:10.126780+00:00\", \"type\": \"domain\", \"value\": \"example.com\", \"value_url\": \"https://test.com/main/extracts/domain/test\"}",
- "provider": "Test Source",
- "start": "2022-05-11T14:00:00.188Z",
+ "provider": "Test",
+ "start": "2021-12-19T00:27:19.108Z",
 "type": [
 "indicator"
 ],
 "url": "https://www.test.com/"
 },
- "tags": [
- "tag1",
- "tag2"
- ],
+ "host": {
+ "architecture": "aarch64",
+ "containerized": false,
+ "hostname": "docker-fleet-agent",
+ "id": "8269eab9370b4429947d2a16c3058fcb",
+ "ip": [
+ "172.29.0.7"
+ ],
+ "mac": [
+ "02-42-AC-1D-00-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "6.4.16-linuxkit",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "input": {
+ "type": "cel"
+ },
 "threat": {
 "indicator": {
- "first_seen": "2019-07-09T17:42:44.777Z",
+ "first_seen": "2021-12-19T00:27:19.108Z",
 "marking": {
 "tlp": "GREEN"
 },
diff --git a/packages/ti_eclecticiq/docs/README.md b/packages/ti_eclecticiq/docs/README.md
index e49747ffd0e..fdf39898341 100644
--- a/packages/ti_eclecticiq/docs/README.md
+++ b/packages/ti_eclecticiq/docs/README.md
@@ -179,38 +179,77 @@ An example event for `threat` looks as following:
 
 ```json
 {
- "@timestamp": "2023-06-20T18:06:10.126Z",
+ "@timestamp": "2023-01-01T00:00:00.000Z",
+ "agent": {
+ "ephemeral_id": "cf201e4c-c043-4a07-baa4-2227c8fbb4c3",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.13.0"
+ },
+ "data_stream": {
+ "dataset": "ti_eclecticiq.threat",
+ "namespace": "14085",
+ "type": "logs"
+ },
 "eclecticiq": {
 "threat": {
- "observable_id": "AyGp2BbK9uP5CeLPYv/uuQlDxC8="
+ "observable_id": "OwWGOybxVeL+USaXvDQSNonD5eU="
 }
 },
 "ecs": {
 "version": "8.11.0"
 },
+ "elastic_agent": {
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
+ "snapshot": false,
+ "version": "8.13.0"
+ },
 "event": {
+ "agent_id_status": "verified",
 "category": [
 "threat"
 ],
- "created": "2023-06-08T12:00:30.187Z",
+ "created": "2023-06-08T12:00:30.028Z",
 "dataset": "ti_eclecticiq.threat",
- "id": "XugasX/Bvu/150lNyQjzIGR0zZ8=",
+ "id": "ZgAq/IXlrjc2J5AdLsDMWhENshI=",
+ "ingested": "2024-08-02T04:24:34Z",
 "kind": "enrichment",
- "original": "{\"calculated.relevancy\": \"0.68\", \"calculated.source_reliability\": \"A\", \"calculated.tlp\": \"GREEN\", \"diff\": \"add\", \"entity.id\": \"5e814485-012d-423d-b769-026bfed0f451\", \"entity.title\": \"Example\", \"entity.type\": \"malware\", \"meta.classification\": \"\", \"meta.confidence\": \"\", \"meta.entity_url\": \"https://test.com/entity/5e814485-012d-423d-b769-026bfed0f451\", \"meta.estimated_observed_time\": \"2019-07-09T17:42:44.777000+00:00\", \"meta.estimated_threat_end_time\": \"\", \"meta.estimated_threat_start_time\": \"2022-05-11T14:00:00.188000+00:00\", \"meta.ingest_time\": \"2023-06-08T12:00:30.187097+00:00\", \"meta.relevancy\": \"0.68\", \"meta.source_reliability\": \"A\", \"meta.tags\": \"tag1;tag2\", \"meta.taxonomy\": \"\", \"meta.terms_of_use\": \"\", \"meta.tlp\": \"GREEN\", \"source.ids\": \"47ec245c-9e7b-467e-a016-77a22ff12dd5\", \"source.names\": \"Test Source\", \"timestamp\": \"2023-06-20 18:06:10.126780+00:00\", \"type\": \"domain\", \"value\": \"example.com\", \"value_url\": \"https://test.com/main/extracts/domain/test\"}",
- "provider": "Test Source",
- "start": "2022-05-11T14:00:00.188Z",
+ "provider": "Test",
+ "start": "2021-12-19T00:27:19.108Z",
 "type": [
 "indicator"
 ],
 "url": "https://www.test.com/"
 },
- "tags": [
- "tag1",
- "tag2"
- ],
+ "host": {
+ "architecture": "aarch64",
+ "containerized": false,
+ "hostname": "docker-fleet-agent",
+ "id": "8269eab9370b4429947d2a16c3058fcb",
+ "ip": [
+ "172.29.0.7"
+ ],
+ "mac": [
+ "02-42-AC-1D-00-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "6.4.16-linuxkit",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "input": {
+ "type": "cel"
+ },
 "threat": {
 "indicator": {
- "first_seen": "2019-07-09T17:42:44.777Z",
+ "first_seen": "2021-12-19T00:27:19.108Z",
 "marking": {
 "tlp": "GREEN"
 },
@@ -241,4 +280,7 @@ An example event for `threat` looks as following:
 | input.type | Input type | keyword |
 | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
 | threat.feed.name | Display friendly feed name | constant_keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 
diff --git a/packages/ti_eclecticiq/manifest.yml b/packages/ti_eclecticiq/manifest.yml
index 25b5407d454..ac4ec5380a4 100644
--- a/packages/ti_eclecticiq/manifest.yml
+++ b/packages/ti_eclecticiq/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_eclecticiq
 title: EclecticIQ
-version: "1.2.0"
+version: "1.2.1"
 description: Ingest threat intelligence from EclecticIQ with Elastic Agent
 type: integration
 categories:
diff --git a/packages/ti_eset/LICENSE.txt b/packages/ti_eset/LICENSE.txt
deleted file mode 100644
index 809108b857f..00000000000
--- a/packages/ti_eset/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/ti_eset/changelog.yml b/packages/ti_eset/changelog.yml
index a8a539f1f0e..31ce5b0186d 100644
--- a/packages/ti_eset/changelog.yml
+++ b/packages/ti_eset/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.2"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "1.2.1"
 changes:
 - description: Remove reference to a Kibana version from the README.
diff --git a/packages/ti_eset/data_stream/apt/fields/ecs.yml b/packages/ti_eset/data_stream/apt/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_eset/data_stream/apt/sample_event.json b/packages/ti_eset/data_stream/apt/sample_event.json
index fb1a68be57d..2110598b83a 100644
--- a/packages/ti_eset/data_stream/apt/sample_event.json
+++ b/packages/ti_eset/data_stream/apt/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2023-09-29T08:48:42.000Z",
 "agent": {
- "ephemeral_id": "aca3c3ca-0233-4da9-aa4d-67883702e60b",
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "ephemeral_id": "bd2c939d-5911-4c25-b463-5e05b9c631d1",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_eset.apt",
- "namespace": "ep",
+ "namespace": "69523",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "eset": {
 "id": "indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382",
@@ -31,9 +31,9 @@
 "category": [
 "threat"
 ],
- "created": "2024-03-27T14:17:00.528Z",
+ "created": "2024-08-02T04:59:53.515Z",
 "dataset": "ti_eset.apt",
- "ingested": "2024-03-27T14:17:10Z",
+ "ingested": "2024-08-02T05:00:03Z",
 "kind": "enrichment",
 "original": "{\"created\":\"2023-09-29T08:48:42.000Z\",\"created_by_ref\":\"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"id\":\"indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382\",\"kill_chain_phases\":[{\"kill_chain_name\":\"misp-category\",\"phase_name\":\"file\"}],\"labels\":[\"misp:name=\\\"file\\\"\",\"misp:meta-category=\\\"file\\\"\",\"misp:to_ids=\\\"True\\\"\"],\"modified\":\"2023-09-29T08:48:42.000Z\",\"pattern\":\"[file:hashes.MD5 = '7196b26572d2c357a17599b9a0d71d33' AND file:hashes.SHA1 = 'a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0' AND file:hashes.SHA256 = '6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e' AND file:name = 'KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:parent_directory_ref.path = 'Comchit ltr no 4200 dt 23-09-2023' AND file:x_misp_fullpath = 'Comchit ltr no 4200 dt 23-09-2023/KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 07:03:56+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '6c744b262dbf76fb20346a93cbedbb0668c90b5bb5027485109e3cfb41f48d8c']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-09-26T07:00:04Z\"}",
 "type": [
diff --git a/packages/ti_eset/data_stream/botnet/fields/ecs.yml b/packages/ti_eset/data_stream/botnet/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_eset/data_stream/botnet/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_eset/data_stream/botnet/sample_event.json b/packages/ti_eset/data_stream/botnet/sample_event.json
index f886d4a570b..b0b51a20f0b 100644
--- a/packages/ti_eset/data_stream/botnet/sample_event.json
+++ b/packages/ti_eset/data_stream/botnet/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2023-10-18T02:05:09.000Z",
 "agent": {
- "ephemeral_id": "29211d59-f061-4b27-a169-6db0193f8177",
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "ephemeral_id": "e3582713-6bf8-43c3-af56-ccec81f7e8f4",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_eset.botnet",
- "namespace": "ep",
+ "namespace": "22700",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "eset": {
 "id": "indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f",
@@ -32,9 +32,9 @@
 "category": [
 "threat"
 ],
- "created": "2024-03-27T14:18:01.686Z",
+ "created": "2024-08-02T05:02:05.881Z",
 "dataset": "ti_eset.botnet",
- "ingested": "2024-03-27T14:18:13Z",
+ "ingested": "2024-08-02T05:02:17Z",
 "kind": "enrichment",
 "original": "{\"created\":\"2023-10-18T02:05:09.000Z\",\"description\":\"Each of these file hashes indicates that a variant of Win32/Rescoms.B backdoor is present.\",\"id\":\"indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-18T02:05:09.000Z\",\"name\":\"373d34874d7bc89fd4cefa6272ee80bf\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='373d34874d7bc89fd4cefa6272ee80bf'] OR [file:hashes.'MD5'='373d34874d7bc89fd4cefa6272ee80bf']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-18T02:05:09Z\",\"valid_until\":\"2023-10-20T02:05:09Z\"}",
 "type": [
diff --git a/packages/ti_eset/data_stream/cc/fields/ecs.yml b/packages/ti_eset/data_stream/cc/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_eset/data_stream/cc/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_eset/data_stream/cc/sample_event.json b/packages/ti_eset/data_stream/cc/sample_event.json
index 93ec62905b3..e8a18fff4bd 100644
--- a/packages/ti_eset/data_stream/cc/sample_event.json
+++ b/packages/ti_eset/data_stream/cc/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2023-10-19T02:00:09.000Z",
 "agent": {
- "ephemeral_id": "f8b54ae9-959e-4ef4-b706-1bea093aaf7e",
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "ephemeral_id": "95cbae2d-d7d2-4290-85f5-52760bcda80a",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_eset.cc",
- "namespace": "ep",
+ "namespace": "98813",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "eset": {
 "id": "indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea",
@@ -32,9 +32,9 @@
 "category": [
 "threat"
 ],
- "created": "2024-03-27T14:19:06.534Z",
+ "created": "2024-08-02T05:04:32.167Z",
 "dataset": "ti_eset.cc",
- "ingested": "2024-03-27T14:19:18Z",
+ "ingested": "2024-08-02T05:04:44Z",
 "kind": "enrichment",
 "original": "{\"created\":\"2023-10-19T02:00:09.000Z\",\"description\":\"C\\u0026C of Win32/Smokeloader.H trojan\",\"id\":\"indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:09.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:09Z\",\"valid_until\":\"2023-10-21T02:00:09Z\"}",
 "type": [
diff --git a/packages/ti_eset/data_stream/domains/fields/ecs.yml b/packages/ti_eset/data_stream/domains/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_eset/data_stream/domains/sample_event.json b/packages/ti_eset/data_stream/domains/sample_event.json
index 77c5ae1097a..f8e1ab633d9 100644
--- a/packages/ti_eset/data_stream/domains/sample_event.json
+++ b/packages/ti_eset/data_stream/domains/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2023-10-19T02:00:28.000Z",
 "agent": {
- "ephemeral_id": "6f2d8296-ddcf-4634-867b-00b524eb387c",
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "ephemeral_id": "76bad86d-2d9f-43d9-aa2b-f14fd7fc62ca",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_eset.domains",
- "namespace": "ep",
+ "namespace": "67132",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "eset": {
 "id": "indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286",
@@ -32,9 +32,9 @@
 "category": [
 "threat"
 ],
- "created": "2024-03-27T14:20:11.664Z",
+ "created": "2024-08-02T05:06:46.514Z",
 "dataset": "ti_eset.domains",
- "ingested": "2024-03-27T14:20:23Z",
+ "ingested": "2024-08-02T05:06:58Z",
 "kind": "enrichment",
 "original": "{\"created\":\"2023-10-19T02:00:28.000Z\",\"description\":\"Host is known to be actively distributing adware or other medium-risk software.\",\"id\":\"indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:28.000Z\",\"name\":\"example.com\",\"pattern\":\"[domain-name:value='example.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:28Z\",\"valid_until\":\"2023-10-21T02:00:28Z\"}",
 "type": [
diff --git a/packages/ti_eset/data_stream/files/fields/ecs.yml b/packages/ti_eset/data_stream/files/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_eset/data_stream/files/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_eset/data_stream/files/sample_event.json b/packages/ti_eset/data_stream/files/sample_event.json
index 9881c7e92bc..b782bda2517 100644
--- a/packages/ti_eset/data_stream/files/sample_event.json
+++ b/packages/ti_eset/data_stream/files/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2023-10-19T02:00:38.000Z",
 "agent": {
- "ephemeral_id": "205a7540-b015-4c5a-9534-191e2f7c11f1",
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "ephemeral_id": "dbb7a40e-8e54-45da-9658-416a3183fbab",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_eset.files",
- "namespace": "ep",
+ "namespace": "64810",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "eset": {
 "id": "indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f",
@@ -32,9 +32,9 @@
 "category": [
 "threat"
 ],
- "created": "2024-03-27T14:21:17.805Z",
+ "created": "2024-08-02T05:09:00.102Z",
 "dataset": "ti_eset.files",
- "ingested": "2024-03-27T14:21:29Z",
+ "ingested": "2024-08-02T05:09:12Z",
 "kind": "enrichment",
 "original": "{\"created\":\"2023-10-19T02:00:38.000Z\",\"description\":\"Each of these file hashes indicates that a variant of HTML/Phishing.Agent.EVU trojan is present.\",\"id\":\"indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:38.000Z\",\"name\":\"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'MD5'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:38Z\",\"valid_until\":\"2023-10-21T02:00:38Z\"}",
 "type": [
diff --git a/packages/ti_eset/data_stream/ip/fields/ecs.yml b/packages/ti_eset/data_stream/ip/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_eset/data_stream/ip/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_eset/data_stream/ip/sample_event.json b/packages/ti_eset/data_stream/ip/sample_event.json
index 7772317080e..d572226f46e 100644
--- a/packages/ti_eset/data_stream/ip/sample_event.json
+++ b/packages/ti_eset/data_stream/ip/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2023-10-19T02:20:06.000Z",
 "agent": {
- "ephemeral_id": "013ad9c0-d817-4490-a524-0b3f275d2f1a",
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "ephemeral_id": "960f3ac1-589e-4bc0-a8d2-ba6745729a1a",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_eset.ip",
- "namespace": "ep",
+ "namespace": "85610",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "eset": {
 "id": "indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3",
@@ -32,9 +32,9 @@
 "category": [
 "threat"
 ],
- "created": "2024-03-27T14:22:22.857Z",
+ "created": "2024-08-02T05:11:15.412Z",
 "dataset": "ti_eset.ip",
- "ingested": "2024-03-27T14:22:34Z",
+ "ingested": "2024-08-02T05:11:27Z",
 "kind": "enrichment",
 "original": "{\"created\":\"2023-10-19T02:20:06.000Z\",\"description\":\"Web services scanning and attacks\",\"id\":\"indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:20:06.000Z\",\"name\":\"5.2.75.227\",\"pattern\":\"[ipv4-addr:value='5.2.75.227']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:20:06Z\",\"valid_until\":\"2023-10-21T02:20:06Z\"}",
 "type": [
diff --git a/packages/ti_eset/data_stream/url/fields/ecs.yml b/packages/ti_eset/data_stream/url/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_eset/data_stream/url/sample_event.json b/packages/ti_eset/data_stream/url/sample_event.json
index 015da599a17..42fe543e0ba 100644
--- a/packages/ti_eset/data_stream/url/sample_event.json
+++ b/packages/ti_eset/data_stream/url/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2023-10-19T02:00:13.000Z",
 "agent": {
- "ephemeral_id": "47910f1c-df41-4011-adb3-74b1ad882384",
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "ephemeral_id": "9dbf7300-beb1-41a6-ab96-8fd3b1fa2108",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_eset.url",
- "namespace": "ep",
+ "namespace": "17964",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "eset": {
 "id": "indicator--8986619a-150b-453c-aaa8-bfe8694d05cc",
@@ -32,9 +32,9 @@
 "category": [
 "threat"
 ],
- "created": "2024-03-27T14:23:28.010Z",
+ "created": "2024-08-02T05:13:29.831Z",
 "dataset": "ti_eset.url",
- "ingested": "2024-03-27T14:23:40Z",
+ "ingested": "2024-08-02T05:13:41Z",
 "kind": "enrichment",
 "original": "{\"created\":\"2023-10-19T02:00:13.000Z\",\"description\":\"Host actively distributes high-severity threat in the form of executable code.\",\"id\":\"indicator--8986619a-150b-453c-aaa8-bfe8694d05cc\",\"labels\":[\"benign\"],\"modified\":\"2023-10-19T02:00:13.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:13Z\",\"valid_until\":\"2023-10-21T02:00:13Z\"}",
 "type": [
diff --git a/packages/ti_eset/docs/README.md b/packages/ti_eset/docs/README.md
index 84f68aef70f..1c80d223ec4 100644
--- a/packages/ti_eset/docs/README.md
+++ b/packages/ti_eset/docs/README.md
@@ -109,6 +109,9 @@ refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-a
 | host.os.codename | OS codename, if any. | keyword |
 | input.type | Input type. | keyword |
 | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 
 An example event for `botnet` looks as following:
 
@@ -117,24 +120,24 @@ An example event for `botnet` looks as following:
 {
 "@timestamp": "2023-10-18T02:05:09.000Z",
 "agent": {
- "ephemeral_id": "29211d59-f061-4b27-a169-6db0193f8177",
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "ephemeral_id": "e3582713-6bf8-43c3-af56-ccec81f7e8f4",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_eset.botnet",
- "namespace": "ep",
+ "namespace": "22700",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "eset": {
 "id": "indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f",
@@ -148,9 +151,9 @@ An example event for `botnet` looks as following: "category": [ "threat" ], - "created": "2024-03-27T14:18:01.686Z", + "created": "2024-08-02T05:02:05.881Z", "dataset": "ti_eset.botnet", - "ingested": "2024-03-27T14:18:13Z", + "ingested": "2024-08-02T05:02:17Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-18T02:05:09.000Z\",\"description\":\"Each of these file hashes indicates that a variant of Win32/Rescoms.B backdoor is present.\",\"id\":\"indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-18T02:05:09.000Z\",\"name\":\"373d34874d7bc89fd4cefa6272ee80bf\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='373d34874d7bc89fd4cefa6272ee80bf'] OR [file:hashes.'MD5'='373d34874d7bc89fd4cefa6272ee80bf']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-18T02:05:09Z\",\"valid_until\":\"2023-10-20T02:05:09Z\"}", "type": [ @@ -210,6 +213,9 @@ An example event for `botnet` looks as following: | host.os.codename | OS codename, if any. | keyword | | input.type | Input type. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | An example event for `cc` looks as following: 
@@ -218,24 +224,24 @@ An example event for `cc` looks as following: { "@timestamp": "2023-10-19T02:00:09.000Z", "agent": { - "ephemeral_id": "f8b54ae9-959e-4ef4-b706-1bea093aaf7e", - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "ephemeral_id": "95cbae2d-d7d2-4290-85f5-52760bcda80a", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.1" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_eset.cc", - "namespace": "ep", + "namespace": "98813", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "eset": { "id": "indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea", @@ -249,9 +255,9 @@ An example event for `cc` looks as following: "category": [ "threat" ], - "created": "2024-03-27T14:19:06.534Z", + "created": "2024-08-02T05:04:32.167Z", "dataset": "ti_eset.cc", - "ingested": "2024-03-27T14:19:18Z", + "ingested": "2024-08-02T05:04:44Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:00:09.000Z\",\"description\":\"C\\u0026C of Win32/Smokeloader.H trojan\",\"id\":\"indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:09.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:09Z\",\"valid_until\":\"2023-10-21T02:00:09Z\"}", "type": [ 
@@ -307,6 +313,9 @@ An example event for `cc` looks as following: | host.os.codename | OS codename, if any. | keyword | | input.type | Input type. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | An example event for `domains` looks as following: @@ -315,24 +324,24 @@ An example event for `domains` looks as following: { "@timestamp": "2023-10-19T02:00:28.000Z", "agent": { - "ephemeral_id": "6f2d8296-ddcf-4634-867b-00b524eb387c", - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "ephemeral_id": "76bad86d-2d9f-43d9-aa2b-f14fd7fc62ca", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.1" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_eset.domains", - "namespace": "ep", + "namespace": "67132", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "eset": { "id": "indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286", 
@@ -346,9 +355,9 @@ An example event for `domains` looks as following: "category": [ "threat" ], - "created": "2024-03-27T14:20:11.664Z", + "created": "2024-08-02T05:06:46.514Z", "dataset": "ti_eset.domains", - "ingested": "2024-03-27T14:20:23Z", + "ingested": "2024-08-02T05:06:58Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:00:28.000Z\",\"description\":\"Host is known to be actively distributing adware or other medium-risk software.\",\"id\":\"indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:28.000Z\",\"name\":\"example.com\",\"pattern\":\"[domain-name:value='example.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:28Z\",\"valid_until\":\"2023-10-21T02:00:28Z\"}", "type": [ @@ -405,6 +414,9 @@ An example event for `domains` looks as following: | host.os.codename | OS codename, if any. | keyword | | input.type | Input type. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | An example event for `files` looks as following: 
@@ -413,24 +425,24 @@ An example event for `files` looks as following: { "@timestamp": "2023-10-19T02:00:38.000Z", "agent": { - "ephemeral_id": "205a7540-b015-4c5a-9534-191e2f7c11f1", - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "ephemeral_id": "dbb7a40e-8e54-45da-9658-416a3183fbab", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.1" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_eset.files", - "namespace": "ep", + "namespace": "64810", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "eset": { "id": "indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f", 
@@ -444,9 +456,9 @@ An example event for `files` looks as following: "category": [ "threat" ], - "created": "2024-03-27T14:21:17.805Z", + "created": "2024-08-02T05:09:00.102Z", "dataset": "ti_eset.files", - "ingested": "2024-03-27T14:21:29Z", + "ingested": "2024-08-02T05:09:12Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:00:38.000Z\",\"description\":\"Each of these file hashes indicates that a variant of HTML/Phishing.Agent.EVU trojan is present.\",\"id\":\"indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:38.000Z\",\"name\":\"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'MD5'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:38Z\",\"valid_until\":\"2023-10-21T02:00:38Z\"}", "type": [ @@ -506,6 +518,9 @@ An example event for `files` looks as following: | host.os.codename | OS codename, if any. | keyword | | input.type | Input type. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | An example event for `ip` looks as following: 
@@ -514,24 +529,24 @@ An example event for `ip` looks as following: { "@timestamp": "2023-10-19T02:20:06.000Z", "agent": { - "ephemeral_id": "013ad9c0-d817-4490-a524-0b3f275d2f1a", - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "ephemeral_id": "960f3ac1-589e-4bc0-a8d2-ba6745729a1a", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.1" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_eset.ip", - "namespace": "ep", + "namespace": "85610", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "eset": { "id": "indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3", @@ -545,9 +560,9 @@ An example event for `ip` looks as following: "category": [ "threat" ], - "created": "2024-03-27T14:22:22.857Z", + "created": "2024-08-02T05:11:15.412Z", "dataset": "ti_eset.ip", - "ingested": "2024-03-27T14:22:34Z", + "ingested": "2024-08-02T05:11:27Z", "kind": "enrichment", "original": "{\"created\":\"2023-10-19T02:20:06.000Z\",\"description\":\"Web services scanning and attacks\",\"id\":\"indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:20:06.000Z\",\"name\":\"5.2.75.227\",\"pattern\":\"[ipv4-addr:value='5.2.75.227']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:20:06Z\",\"valid_until\":\"2023-10-21T02:20:06Z\"}", "type": [ 
@@ -604,6 +619,9 @@ An example event for `ip` looks as following: | host.os.codename | OS codename, if any. | keyword | | input.type | Input type. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | An example event for `apt` looks as following: @@ -612,24 +630,24 @@ An example event for `apt` looks as following: { "@timestamp": "2023-09-29T08:48:42.000Z", "agent": { - "ephemeral_id": "aca3c3ca-0233-4da9-aa4d-67883702e60b", - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "ephemeral_id": "bd2c939d-5911-4c25-b463-5e05b9c631d1", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.1" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_eset.apt", - "namespace": "ep", + "namespace": "69523", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "eset": { "id": "indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382", 
@@ -642,9 +660,9 @@ An example event for `apt` looks as following: "category": [ "threat" ], - "created": "2024-03-27T14:17:00.528Z", + "created": "2024-08-02T04:59:53.515Z", "dataset": "ti_eset.apt", - "ingested": "2024-03-27T14:17:10Z", + "ingested": "2024-08-02T05:00:03Z", "kind": "enrichment", "original": "{\"created\":\"2023-09-29T08:48:42.000Z\",\"created_by_ref\":\"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"id\":\"indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382\",\"kill_chain_phases\":[{\"kill_chain_name\":\"misp-category\",\"phase_name\":\"file\"}],\"labels\":[\"misp:name=\\\"file\\\"\",\"misp:meta-category=\\\"file\\\"\",\"misp:to_ids=\\\"True\\\"\"],\"modified\":\"2023-09-29T08:48:42.000Z\",\"pattern\":\"[file:hashes.MD5 = '7196b26572d2c357a17599b9a0d71d33' AND file:hashes.SHA1 = 'a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0' AND file:hashes.SHA256 = '6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e' AND file:name = 'KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:parent_directory_ref.path = 'Comchit ltr no 4200 dt 23-09-2023' AND file:x_misp_fullpath = 'Comchit ltr no 4200 dt 23-09-2023/KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 07:03:56+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '6c744b262dbf76fb20346a93cbedbb0668c90b5bb5027485109e3cfb41f48d8c']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-09-26T07:00:04Z\"}", "type": [ 
@@ -703,6 +721,9 @@ An example event for `apt` looks as following: | host.os.codename | OS codename, if any. | keyword | | input.type | Input type. | keyword | | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | An example event for `url` looks as following: @@ -711,24 +732,24 @@ An example event for `url` looks as following: { "@timestamp": "2023-10-19T02:00:13.000Z", "agent": { - "ephemeral_id": "47910f1c-df41-4011-adb3-74b1ad882384", - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "ephemeral_id": "9dbf7300-beb1-41a6-ab96-8fd3b1fa2108", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.1" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_eset.url", - "namespace": "ep", + "namespace": "17964", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "snapshot": false, - "version": "8.12.1" + "version": "8.13.0" }, "eset": { "id": "indicator--8986619a-150b-453c-aaa8-bfe8694d05cc", 
@@ -742,9 +763,9 @@ An example event for `url` looks as following:
 "category": [
 "threat"
 ],
- "created": "2024-03-27T14:23:28.010Z",
+ "created": "2024-08-02T05:13:29.831Z",
 "dataset": "ti_eset.url",
- "ingested": "2024-03-27T14:23:40Z",
+ "ingested": "2024-08-02T05:13:41Z",
 "kind": "enrichment",
 "original": "{\"created\":\"2023-10-19T02:00:13.000Z\",\"description\":\"Host actively distributes high-severity threat in the form of executable code.\",\"id\":\"indicator--8986619a-150b-453c-aaa8-bfe8694d05cc\",\"labels\":[\"benign\"],\"modified\":\"2023-10-19T02:00:13.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:13Z\",\"valid_until\":\"2023-10-21T02:00:13Z\"}",
 "type": [
diff --git a/packages/ti_eset/manifest.yml b/packages/ti_eset/manifest.yml
index 1b79fa1d80b..2f734fa4964 100644
--- a/packages/ti_eset/manifest.yml
+++ b/packages/ti_eset/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_eset
 title: "ESET Threat Intelligence"
-version: "1.2.1"
+version: "1.2.2"
 description: "Ingest threat intelligence indicators from ESET Threat Intelligence with Elastic Agent."
 type: integration
 categories:
diff --git a/packages/ti_maltiverse/changelog.yml b/packages/ti_maltiverse/changelog.yml
index 0f30d18f9ef..64a6d4de2ca 100644
--- a/packages/ti_maltiverse/changelog.yml
+++ b/packages/ti_maltiverse/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.2.1"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "1.2.0"
 changes:
 - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/ti_maltiverse/data_stream/indicator/fields/ecs.yml b/packages/ti_maltiverse/data_stream/indicator/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_maltiverse/data_stream/indicator/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_maltiverse/data_stream/indicator/sample_event.json b/packages/ti_maltiverse/data_stream/indicator/sample_event.json
index 17ff7ef192a..afef34ae08b 100644
--- a/packages/ti_maltiverse/data_stream/indicator/sample_event.json
+++ b/packages/ti_maltiverse/data_stream/indicator/sample_event.json
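Review bot: The new ecs.yml declares three threat.indicator date fields with no comment saying why they must be listed explicitly, even though the 1.2.0 changelog entry in this same diff records that ECS fields made redundant by the ecs@mappings component template were deliberately removed; the next cleanup pass may well drop them again and silently reintroduce the mapping bug this change fixes. A one-line header would guard against that, e.g. `# Kept explicit so these timestamps get an ECS date mapping; presumably not covered by ecs@mappings (see changelog 1.2.1, PR 10674).` The same applies to the ti_mandiant_advantage fields/ecs.yml hunk later in this diff, where the three entries are appended after cloud.account.id.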
@@ -1,34 +1,34 @@ { "@timestamp": "2022-11-05T05:37:57.000Z", "agent": { - "ephemeral_id": "b5733e23-446c-4102-952c-66874de0414e", - "id": "0b6be6e3-4e8a-4084-942d-124b48dc67d5", + "ephemeral_id": "c371b9d1-ae14-4272-9d73-3ef7bf7e46f9", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.8.1" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_maltiverse.indicator", - "namespace": "ep", + "namespace": "34244", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0b6be6e3-4e8a-4084-942d-124b48dc67d5", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "snapshot": false, - "version": "8.8.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2023-09-21T20:46:55.738Z", + "created": "2024-08-02T05:34:15.473Z", "dataset": "ti_maltiverse.indicator", "id": "NsHdp9tZZtzo6Kzlv6Z1TmPP47U=", - "ingested": "2023-09-21T20:46:58Z", + "ingested": "2024-08-02T05:34:27Z", "kind": "enrichment", "original": "{\"blacklist\":{\"count\":1,\"description\":\"QakBot\",\"first_seen\":\"2022-11-03 06:23:53\",\"labels\":[\"malicious-activity\"],\"last_seen\":\"2022-11-05 05:37:57\",\"source\":\"ThreatFox Abuse.ch\"},\"classification\":\"malicious\",\"creation_time\":\"2022-11-03 06:23:53\",\"domain\":\"autooutletllc.com\",\"hostname\":\"autooutletllc.com\",\"is_alive\":false,\"is_cnc\":true,\"is_distributing_malware\":false,\"is_iot_threat\":false,\"is_phishing\":false,\"last_online_time\":\"2022-11-05 05:37:57\",\"modification_time\":\"2022-11-05 05:37:57\",\"tag\":[\"bb05\",\"iso\",\"qakbot\",\"qbot\",\"quakbot\",\"tr\",\"w19\",\"zip\",\"oakboat\",\"pinkslipbot\"],\"tld\":\"com\",\"type\":\"url\",\"url\":\"https://autooutletllc.com/spares.php\",\"urlchecksum\":\"4aa7a29969dc1dffa5cad5af6cb343b9a9b40ea9646fed619d4c8d6472629128\"}", "severity": 9, @@ -97,4 +97,4 @@ } } } -} +} \ No newline at end of file 
diff --git a/packages/ti_maltiverse/docs/README.md b/packages/ti_maltiverse/docs/README.md index b78c32f1c83..9b7e9cab645 100644 --- a/packages/ti_maltiverse/docs/README.md +++ b/packages/ti_maltiverse/docs/README.md @@ -89,6 +89,9 @@ Both, the data_stream and the _latest index have applied expiration through ILM | maltiverse.tag | Tags of the threat | keyword | | maltiverse.type | Type of the threat | keyword | | maltiverse.urlchecksum | | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | An example event for `indicator` looks as following: 
@@ -97,34 +100,34 @@ An example event for `indicator` looks as following: { "@timestamp": "2022-11-05T05:37:57.000Z", "agent": { - "ephemeral_id": "b5733e23-446c-4102-952c-66874de0414e", - "id": "0b6be6e3-4e8a-4084-942d-124b48dc67d5", + "ephemeral_id": "c371b9d1-ae14-4272-9d73-3ef7bf7e46f9", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.8.1" + "version": "8.13.0" }, "data_stream": { "dataset": "ti_maltiverse.indicator", - "namespace": "ep", + "namespace": "34244", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0b6be6e3-4e8a-4084-942d-124b48dc67d5", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", "snapshot": false, - "version": "8.8.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2023-09-21T20:46:55.738Z", + "created": "2024-08-02T05:34:15.473Z", "dataset": "ti_maltiverse.indicator", "id": "NsHdp9tZZtzo6Kzlv6Z1TmPP47U=", - "ingested": "2023-09-21T20:46:58Z", + "ingested": "2024-08-02T05:34:27Z", "kind": "enrichment", "original": "{\"blacklist\":{\"count\":1,\"description\":\"QakBot\",\"first_seen\":\"2022-11-03 06:23:53\",\"labels\":[\"malicious-activity\"],\"last_seen\":\"2022-11-05 05:37:57\",\"source\":\"ThreatFox Abuse.ch\"},\"classification\":\"malicious\",\"creation_time\":\"2022-11-03 06:23:53\",\"domain\":\"autooutletllc.com\",\"hostname\":\"autooutletllc.com\",\"is_alive\":false,\"is_cnc\":true,\"is_distributing_malware\":false,\"is_iot_threat\":false,\"is_phishing\":false,\"last_online_time\":\"2022-11-05 05:37:57\",\"modification_time\":\"2022-11-05 05:37:57\",\"tag\":[\"bb05\",\"iso\",\"qakbot\",\"qbot\",\"quakbot\",\"tr\",\"w19\",\"zip\",\"oakboat\",\"pinkslipbot\"],\"tld\":\"com\",\"type\":\"url\",\"url\":\"https://autooutletllc.com/spares.php\",\"urlchecksum\":\"4aa7a29969dc1dffa5cad5af6cb343b9a9b40ea9646fed619d4c8d6472629128\"}", "severity": 9, 
@@ -194,5 +197,4 @@ An example event for `indicator` looks as following:
 }
 }
 }
-
 ```
\ No newline at end of file
diff --git a/packages/ti_maltiverse/manifest.yml b/packages/ti_maltiverse/manifest.yml
index f9fe5f2ba49..367033f23b5 100644
--- a/packages/ti_maltiverse/manifest.yml
+++ b/packages/ti_maltiverse/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_maltiverse
 title: Maltiverse
-version: "1.2.0"
+version: "1.2.1"
 description: Ingest threat intelligence indicators from Maltiverse feeds with Elastic Agent
 type: integration
 format_version: 3.0.2
diff --git a/packages/ti_mandiant_advantage/changelog.yml b/packages/ti_mandiant_advantage/changelog.yml
index fc6f6a0b178..c473e55e48a 100644
--- a/packages/ti_mandiant_advantage/changelog.yml
+++ b/packages/ti_mandiant_advantage/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.1"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "1.3.0"
 changes:
 - description: ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml
index 3c8e64b475d..bca8282af61 100644
--- a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml
+++ b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml
@@ -1,3 +1,9 @@
 - external: ecs
 name: cloud.account.id
 dimension: true
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/sample_event.json b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/sample_event.json
index 6f5268c698e..083df9fd2a3 100644
--- a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/sample_event.json
+++ b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/sample_event.json
@@ -1,104 +1,103 @@ { - "@timestamp": "2023-05-05T15:45:59.710Z", + "@timestamp": "2023-04-25T09:36:05.822Z", + "agent": { + "ephemeral_id": "3cf850f4-d7a9-4302-9745-cb0d0b408c1e", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.13.0" + }, + "data_stream": { + "dataset": "ti_mandiant_advantage.threat_intelligence", + "namespace": "99619", + "type": "logs" + }, "ecs": { "version": "8.11.0" }, + "elastic_agent": { + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "snapshot": false, + "version": "8.13.0" + }, "event": { + "agent_id_status": "verified", "category": [ "threat" ], + "created": "2024-08-02T05:42:35.442Z", + "dataset": "ti_mandiant_advantage.threat_intelligence", + "ingested": "2024-08-02T05:42:45Z", "kind": "enrichment", "module": "ti_mandiant_advantage_threat_intelligence", - "risk_score": 50, + "original": "{\"first_seen\":\"2022-09-06T00:46:38.000Z\",\"id\":\"fqdn--33bf4df5-3564-51e3-84f1-ca9d5bc2329e\",\"is_publishable\":true,\"last_seen\":\"2023-03-23T21:42:34.000Z\",\"last_updated\":\"2023-04-25T09:36:05.822Z\",\"misp\":{\"akamai\":false,\"alexa\":false,\"alexa_1M\":true,\"amazon-aws\":false,\"apple\":false,\"automated-malware-analysis\":false,\"bank-website\":false,\"captive-portals\":false,\"cisco_1M\":true,\"cisco_top1000\":false,\"cisco_top10k\":false,\"cisco_top20k\":false,\"cisco_top5k\":false,\"cloudflare\":false,\"common-contact-emails\":false,\"common-ioc-false-positive\":false,\"covid\":false,\"covid-19-cyber-threat-coalition-whitelist\":false,\"covid-19-krassi-whitelist\":false,\"crl-hostname\":false,\"crl-ip\":false,\"dax30\":false,\"disposable-email\":false,\"dynamic-dns\":false,\"eicar.com\":false,\"empty-hashes\":false,\"fastly\":false,\"google\":false,\"google-chrome-crux-1million\":true,\"google-gcp\":false,\"google-gmail-sending-ips\":false,\"googlebot\":false,\"ipv6-linklocal\":false,\"majestic_million\":true,\"majestic_million_1M\":true,\"microsoft\":false,\"mic
rosoft-attack-simulator\":false,\"microsoft-azure\":false,\"microsoft-azure-appid\":false,\"microsoft-azure-china\":false,\"microsoft-azure-germany\":false,\"microsoft-azure-us-gov\":false,\"microsoft-office365\":false,\"microsoft-office365-cn\":false,\"microsoft-office365-ip\":false,\"microsoft-win10-connection-endpoints\":false,\"moz-top500\":false,\"mozilla-CA\":false,\"mozilla-IntermediateCA\":false,\"multicast\":false,\"nioc-filehash\":false,\"ovh-cluster\":false,\"parking-domain\":false,\"parking-domain-ns\":false,\"phone_numbers\":false,\"public-dns-hostname\":false,\"public-dns-v4\":false,\"public-dns-v6\":false,\"public-ipfs-gateways\":false,\"rfc1918\":false,\"rfc3849\":false,\"rfc5735\":false,\"rfc6598\":false,\"rfc6761\":false,\"second-level-tlds\":true,\"security-provider-blogpost\":false,\"sinkholes\":false,\"smtp-receiving-ips\":false,\"smtp-sending-ips\":false,\"stackpath\":false,\"tenable-cloud-ipv4\":false,\"tenable-cloud-ipv6\":false,\"ti-falsepositives\":false,\"tlds\":true,\"tranco\":true,\"tranco10k\":true,\"university_domains\":false,\"url-shortener\":false,\"vpn-ipv4\":false,\"vpn-ipv6\":false,\"whats-my-ip\":false,\"wikimedia\":false},\"mscore\":27,\"sources\":[{\"category\":[\"test\"],\"first_seen\":\"2022-09-06T00:46:38.722+0000\",\"last_seen\":\"2023-03-23T21:42:34.707+0000\",\"osint\":true,\"source_name\":\"dtm.blackbeard\"},{\"category\":[],\"first_seen\":\"2022-11-29T16:24:52.984+0000\",\"last_seen\":\"2022-11-29T16:24:52.984+0000\",\"osint\":true,\"source_name\":\"dtm.vanellope\"}],\"type\":\"fqdn\",\"value\":\"ru.wikibooks.org\"}", + "risk_score": 27, "type": [ "indicator" ] }, + "input": { + "type": "httpjson" + }, "mandiant": { "threat_intelligence": { "ioc": { "categories": [ - "exploit/vuln-scanning", - "exploit", - "spam/sender", - "spam" + "test" ], - "first_seen": "2022-06-18T23:22:01.000Z", - "id": "ipv4--af6febd0-3351-5b32-a66c-bbac306c7360", - "last_seen": "2023-03-23T23:22:01.000Z", - "last_update_date": 
"2023-05-05T15:45:59.710Z", - "mscore": 50, + "first_seen": "2022-09-06T00:46:38.000Z", + "id": "fqdn--33bf4df5-3564-51e3-84f1-ca9d5bc2329e", + "last_seen": "2023-03-23T21:42:34.000Z", + "last_update_date": "2023-04-25T09:36:05.822Z", + "mscore": 27, "sources": [ - { - "first_seen": "2022-09-22T23:40:00.911+0000", - "last_seen": "2022-09-23T00:33:09.000+0000", - "osint": true, - "source_name": "voipbl" - }, - { - "category": [ - "exploit/vuln-scanning", - "exploit" - ], - "first_seen": "2022-09-14T09:20:00.904+0000", - "last_seen": "2023-02-24T18:20:00.857+0000", - "osint": true, - "source_name": "greensnow" - }, { "category": [ - "spam/sender", - "spam" + "test" ], - "first_seen": "2022-06-18T23:22:01.386+0000", - "last_seen": "2023-03-23T23:22:01.308+0000", + "first_seen": "2022-09-06T00:46:38.722+0000", + "last_seen": "2023-03-23T21:42:34.707+0000", "osint": true, - "source_name": "sblam_blacklist" + "source_name": "dtm.blackbeard" }, { - "first_seen": "2022-09-14T23:34:04.312+0000", - "last_seen": "2022-09-23T00:33:09.000+0000", + "first_seen": "2022-11-29T16:24:52.984+0000", + "last_seen": "2022-11-29T16:24:52.984+0000", "osint": true, - "source_name": "blocklist_net_ua" + "source_name": "dtm.vanellope" } ], - "type": "ipv4", - "value": "1.128.3.4" + "type": "fqdn", + "value": "ru.wikibooks.org" } } }, - "related": { - "ip": [ - "1.128.3.4" - ] - }, + "tags": [ + "preserve_original_event", + "forwarded", + "mandiant-threat-intelligence-indicator" + ], "threat": { "feed": { "name": "Mandiant Threat Intelligence" }, "indicator": { - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, - "confidence": "Medium", - "first_seen": "2022-06-18T23:22:01.000Z", - "ip": "1.128.3.4", - "last_seen": "2023-03-23T23:22:01.000Z", + "confidence": "Low", + "first_seen": "2022-09-06T00:46:38.000Z", + "last_seen": "2023-03-23T21:42:34.000Z", "marking": { "tlp": "GREEN", "tlp_version": "2.0" }, - "modified_at": "2023-05-05T15:45:59.710Z", + 
"modified_at": "2023-04-25T09:36:05.822Z", "provider": [ - "voipbl", - "greensnow", - "sblam_blacklist", - "blocklist_net_ua" + "dtm.blackbeard", + "dtm.vanellope" ], - "type": "ipv4-addr" + "type": "domain-name", + "url": { + "domain": "ru.wikibooks.org" + } } } } \ No newline at end of file diff --git a/packages/ti_mandiant_advantage/docs/README.md b/packages/ti_mandiant_advantage/docs/README.md index 9cc42076a82..830c1f1c1db 100644 --- a/packages/ti_mandiant_advantage/docs/README.md +++ b/packages/ti_mandiant_advantage/docs/README.md 
@@ -57,106 +57,105 @@ An example event for `threat_intelligence` looks as following: ```json { - "@timestamp": "2023-05-05T15:45:59.710Z", + "@timestamp": "2023-04-25T09:36:05.822Z", + "agent": { + "ephemeral_id": "3cf850f4-d7a9-4302-9745-cb0d0b408c1e", + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.13.0" + }, + "data_stream": { + "dataset": "ti_mandiant_advantage.threat_intelligence", + "namespace": "99619", + "type": "logs" + }, "ecs": { "version": "8.11.0" }, + "elastic_agent": { + "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb", + "snapshot": false, + "version": "8.13.0" + }, "event": { + "agent_id_status": "verified", "category": [ "threat" ], + "created": "2024-08-02T05:42:35.442Z", + "dataset": "ti_mandiant_advantage.threat_intelligence", + "ingested": "2024-08-02T05:42:45Z", "kind": "enrichment", "module": "ti_mandiant_advantage_threat_intelligence", - "risk_score": 50, + "original": "{\"first_seen\":\"2022-09-06T00:46:38.000Z\",\"id\":\"fqdn--33bf4df5-3564-51e3-84f1-ca9d5bc2329e\",\"is_publishable\":true,\"last_seen\":\"2023-03-23T21:42:34.000Z\",\"last_updated\":\"2023-04-25T09:36:05.822Z\",\"misp\":{\"akamai\":false,\"alexa\":false,\"alexa_1M\":true,\"amazon-aws\":false,\"apple\":false,\"automated-malware-analysis\":false,\"bank-website\":false,\"captive-portals\":false,\"cisco_1M\":true,\"cisco_top1000\":false,\"cisco_top10k\":false,\"cisco_top20k\":false,\"cisco_top5k\":false,\"cloudflare\":false,\"common-contact-emails\":false,\"common-ioc-false-positive\":false,\"covid\":false,\"covid-19-cyber-threat-coalition-whitelist\":false,\"covid-19-krassi-whitelist\":false,\"crl-hostname\":false,\"crl-ip\":false,\"dax30\":false,\"disposable-email\":false,\"dynamic-dns\":false,\"eicar.com\":false,\"empty-hashes\":false,\"fastly\":false,\"google\":false,\"google-chrome-crux-1million\":true,\"google-gcp\":false,\"google-gmail-sending-ips\":false,\"googlebot\":false,\"ipv6-linklocal\":false,\"majes
tic_million\":true,\"majestic_million_1M\":true,\"microsoft\":false,\"microsoft-attack-simulator\":false,\"microsoft-azure\":false,\"microsoft-azure-appid\":false,\"microsoft-azure-china\":false,\"microsoft-azure-germany\":false,\"microsoft-azure-us-gov\":false,\"microsoft-office365\":false,\"microsoft-office365-cn\":false,\"microsoft-office365-ip\":false,\"microsoft-win10-connection-endpoints\":false,\"moz-top500\":false,\"mozilla-CA\":false,\"mozilla-IntermediateCA\":false,\"multicast\":false,\"nioc-filehash\":false,\"ovh-cluster\":false,\"parking-domain\":false,\"parking-domain-ns\":false,\"phone_numbers\":false,\"public-dns-hostname\":false,\"public-dns-v4\":false,\"public-dns-v6\":false,\"public-ipfs-gateways\":false,\"rfc1918\":false,\"rfc3849\":false,\"rfc5735\":false,\"rfc6598\":false,\"rfc6761\":false,\"second-level-tlds\":true,\"security-provider-blogpost\":false,\"sinkholes\":false,\"smtp-receiving-ips\":false,\"smtp-sending-ips\":false,\"stackpath\":false,\"tenable-cloud-ipv4\":false,\"tenable-cloud-ipv6\":false,\"ti-falsepositives\":false,\"tlds\":true,\"tranco\":true,\"tranco10k\":true,\"university_domains\":false,\"url-shortener\":false,\"vpn-ipv4\":false,\"vpn-ipv6\":false,\"whats-my-ip\":false,\"wikimedia\":false},\"mscore\":27,\"sources\":[{\"category\":[\"test\"],\"first_seen\":\"2022-09-06T00:46:38.722+0000\",\"last_seen\":\"2023-03-23T21:42:34.707+0000\",\"osint\":true,\"source_name\":\"dtm.blackbeard\"},{\"category\":[],\"first_seen\":\"2022-11-29T16:24:52.984+0000\",\"last_seen\":\"2022-11-29T16:24:52.984+0000\",\"osint\":true,\"source_name\":\"dtm.vanellope\"}],\"type\":\"fqdn\",\"value\":\"ru.wikibooks.org\"}", + "risk_score": 27, "type": [ "indicator" ] }, + "input": { + "type": "httpjson" + }, "mandiant": { "threat_intelligence": { "ioc": { "categories": [ - "exploit/vuln-scanning", - "exploit", - "spam/sender", - "spam" + "test" ], - "first_seen": "2022-06-18T23:22:01.000Z", - "id": "ipv4--af6febd0-3351-5b32-a66c-bbac306c7360", - 
"last_seen": "2023-03-23T23:22:01.000Z", - "last_update_date": "2023-05-05T15:45:59.710Z", - "mscore": 50, + "first_seen": "2022-09-06T00:46:38.000Z", + "id": "fqdn--33bf4df5-3564-51e3-84f1-ca9d5bc2329e", + "last_seen": "2023-03-23T21:42:34.000Z", + "last_update_date": "2023-04-25T09:36:05.822Z", + "mscore": 27, "sources": [ - { - "first_seen": "2022-09-22T23:40:00.911+0000", - "last_seen": "2022-09-23T00:33:09.000+0000", - "osint": true, - "source_name": "voipbl" - }, - { - "category": [ - "exploit/vuln-scanning", - "exploit" - ], - "first_seen": "2022-09-14T09:20:00.904+0000", - "last_seen": "2023-02-24T18:20:00.857+0000", - "osint": true, - "source_name": "greensnow" - }, { "category": [ - "spam/sender", - "spam" + "test" ], - "first_seen": "2022-06-18T23:22:01.386+0000", - "last_seen": "2023-03-23T23:22:01.308+0000", + "first_seen": "2022-09-06T00:46:38.722+0000", + "last_seen": "2023-03-23T21:42:34.707+0000", "osint": true, - "source_name": "sblam_blacklist" + "source_name": "dtm.blackbeard" }, { - "first_seen": "2022-09-14T23:34:04.312+0000", - "last_seen": "2022-09-23T00:33:09.000+0000", + "first_seen": "2022-11-29T16:24:52.984+0000", + "last_seen": "2022-11-29T16:24:52.984+0000", "osint": true, - "source_name": "blocklist_net_ua" + "source_name": "dtm.vanellope" } ], - "type": "ipv4", - "value": "1.128.3.4" + "type": "fqdn", + "value": "ru.wikibooks.org" } } }, - "related": { - "ip": [ - "1.128.3.4" - ] - }, + "tags": [ + "preserve_original_event", + "forwarded", + "mandiant-threat-intelligence-indicator" + ], "threat": { "feed": { "name": "Mandiant Threat Intelligence" }, "indicator": { - "as": { - "number": 1221, - "organization": { - "name": "Telstra Pty Ltd" - } - }, - "confidence": "Medium", - "first_seen": "2022-06-18T23:22:01.000Z", - "ip": "1.128.3.4", - "last_seen": "2023-03-23T23:22:01.000Z", + "confidence": "Low", + "first_seen": "2022-09-06T00:46:38.000Z", + "last_seen": "2023-03-23T21:42:34.000Z", "marking": { "tlp": "GREEN", "tlp_version": 
"2.0"
 },
- "modified_at": "2023-05-05T15:45:59.710Z",
+ "modified_at": "2023-04-25T09:36:05.822Z",
 "provider": [
- "voipbl",
- "greensnow",
- "sblam_blacklist",
- "blocklist_net_ua"
+ "dtm.blackbeard",
+ "dtm.vanellope"
 ],
- "type": "ipv4-addr"
+ "type": "domain-name",
+ "url": {
+ "domain": "ru.wikibooks.org"
+ }
 }
 }
 }
@@ -189,4 +188,7 @@ An example event for `threat_intelligence` looks as following:
 | mandiant.threat_intelligence.ioc.sources | List of the indicator sources. | object |
 | mandiant.threat_intelligence.ioc.type | IOC type. | keyword |
 | mandiant.threat_intelligence.ioc.value | IOC value. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
diff --git a/packages/ti_mandiant_advantage/manifest.yml b/packages/ti_mandiant_advantage/manifest.yml
index c3414188796..98ae1828877 100644
--- a/packages/ti_mandiant_advantage/manifest.yml
+++ b/packages/ti_mandiant_advantage/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: ti_mandiant_advantage
 title: "Mandiant Advantage"
-version: "1.3.0"
+version: "1.3.1"
 source:
 license: "Elastic-2.0"
 description: "Collect Threat Intelligence from products within the Mandiant Advantage platform."
diff --git a/packages/ti_opencti/changelog.yml b/packages/ti_opencti/changelog.yml
index ef67ccc3bd4..424ee6cd641 100644
--- a/packages/ti_opencti/changelog.yml
+++ b/packages/ti_opencti/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.3.2"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "2.3.1"
 changes:
 - description: Ignore missing createdBy, improve registry hive name handling.
diff --git a/packages/ti_opencti/data_stream/indicator/fields/ecs.yml b/packages/ti_opencti/data_stream/indicator/fields/ecs.yml
index f6d9a652390..db67311babe 100644
--- a/packages/ti_opencti/data_stream/indicator/fields/ecs.yml
+++ b/packages/ti_opencti/data_stream/indicator/fields/ecs.yml
@@ -45,3 +45,9 @@
 type: constant_keyword
 description: Event module
 value: ti_opencti
+- name: threat.indicator.first_seen
+ external: ecs
+- name: threat.indicator.last_seen
+ external: ecs
+- name: threat.indicator.modified_at
+ external: ecs
diff --git a/packages/ti_opencti/data_stream/indicator/sample_event.json b/packages/ti_opencti/data_stream/indicator/sample_event.json
index 234ba4a76cf..9b056027f10 100644
--- a/packages/ti_opencti/data_stream/indicator/sample_event.json
+++ b/packages/ti_opencti/data_stream/indicator/sample_event.json
@@ -1,22 +1,22 @@
 {
- "@timestamp": "2024-06-12T06:54:25.854Z",
+ "@timestamp": "2024-08-02T05:53:33.529Z",
 "agent": {
- "ephemeral_id": "de8fc32a-4eaf-4e32-97ae-bcdb93b8d8ee",
- "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
+ "ephemeral_id": "a21855cb-722e-430f-8d9a-e6dfedf565b1",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_opencti.indicator",
- "namespace": "66338",
+ "namespace": "82985",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
 "version": "8.13.0"
 },
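Review bot: The six new `threat.indicator.*` entries in ti_opencti's fields/ecs.yml carry no comment explaining why they have to be declared explicitly, and the earlier release notes visible in this same diff (ti_otx 1.25.0, ti_recordedfuture 1.26.0) record that ECS fields were removed precisely because ecs@mappings was believed to make them redundant — without a note, the next cleanup can reasonably drop them again. A one-line YAML comment above the block, e.g. `# Keep these explicit: the ecs@mappings component template does not map them as date (see PR 10674).`, would pin the reason; that wording assumes the dynamic-mapping gap is the cause, which the bugfix changelog entry implies but does not state. The same applies to the ti_otx pulses_subscribed and threat, ti_rapid7_threat_command ioc and ti_recordedfuture threat ecs.yml hunks further down. As a point of style, those packages also order the keys the other way round (`- external: ecs` then `name:` versus `- name:` then `external: ecs` here); one order across the PR would make the otherwise identical blocks easier to compare.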
@@ -28,7 +28,7 @@ "created": "2018-02-05T08:04:53.000Z", "dataset": "ti_opencti.indicator", "id": "d019b01c-b637-4eb2-af53-6d527be3193d", - "ingested": "2024-06-12T06:54:37Z", + "ingested": "2024-08-02T05:53:45Z", "kind": "enrichment", "original": "{\"confidence\":15,\"created\":\"2018-02-05T08:04:53.000Z\",\"createdBy\":{\"identity_class\":\"organization\",\"name\":\"CthulhuSPRL.be\"},\"description\":\"\",\"externalReferences\":{\"edges\":[]},\"id\":\"d019b01c-b637-4eb2-af53-6d527be3193d\",\"is_inferred\":false,\"killChainPhases\":[],\"lang\":\"en\",\"modified\":\"2023-01-17T05:53:42.851Z\",\"name\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"objectLabel\":[{\"value\":\"information-credibility-6\"},{\"value\":\"osint\"}],\"objectMarking\":[{\"definition\":\"TLP:GREEN\",\"definition_type\":\"TLP\"}],\"observables\":{\"edges\":[{\"node\":{\"entity_type\":\"Hostname\",\"id\":\"b0a91059-5637-4050-8dce-a976a607f75c\",\"observable_value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"standard_id\":\"hostname--2047cd44-ffae-5b34-b912-5856add59b59\",\"value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\"}}],\"pageInfo\":{\"globalCount\":1}},\"pattern\":\"[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"revoked\":true,\"standard_id\":\"indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b\",\"valid_from\":\"2018-02-05T08:04:53.000Z\",\"valid_until\":\"2019-02-05T08:04:53.000Z\",\"x_opencti_detection\":false,\"x_opencti_main_observable_type\":\"Hostname\",\"x_opencti_score\":40}", "type": [ @@ -93,7 +93,7 @@ "name": "ec2-23-21-172-164.compute-1.amazonaws.com", "provider": "CthulhuSPRL.be", "reference": "http://svc-opencti_stub:8080/dashboard/observations/indicators/d019b01c-b637-4eb2-af53-6d527be3193d", - "type": "domain-name", + "type": "hostname", "url": { "domain": "ec2-23-21-172-164.compute-1.amazonaws.com", "registered_domain": "ec2-23-21-172-164.compute-1.amazonaws.com", 
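Review bot: The `threat.indicator.type` value in the regenerated sample event changes from `"domain-name"` to `"hostname"` in the second hunk, but the 2.3.2 changelog entry only describes the date-mapping fix. If the pipeline's output genuinely changed rather than the stub input, detection rules and dashboards that filter on `threat.indicator.type: domain-name` would stop matching OpenCTI hostname observables, so that deserves a changelog line of its own; if the new value is only an artifact of regenerating against updated test data, a sentence in the PR description saying so would save the next reader the same question. The ti_opencti README hunk further down documents the field as "Type of indicator as represented by Cyber Observable in STIX 2.1 or OpenCTI", so `hostname` is presumably the OpenCTI-native form rather than a typo. Both hunks show only a few lines around each change; the enclosing event object starts and ends outside them.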
diff --git a/packages/ti_opencti/docs/README.md b/packages/ti_opencti/docs/README.md
index c8884ecc123..a495c826913 100644
--- a/packages/ti_opencti/docs/README.md
+++ b/packages/ti_opencti/docs/README.md
@@ -53,24 +53,24 @@ An example event for `indicator` looks as following:
 ```json
 {
- "@timestamp": "2024-06-12T06:54:25.854Z",
+ "@timestamp": "2024-08-02T05:53:33.529Z",
 "agent": {
- "ephemeral_id": "de8fc32a-4eaf-4e32-97ae-bcdb93b8d8ee",
- "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
+ "ephemeral_id": "a21855cb-722e-430f-8d9a-e6dfedf565b1",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_opencti.indicator",
- "namespace": "66338",
+ "namespace": "82985",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
 "version": "8.13.0"
 },
@@ -82,7 +82,7 @@ An example event for `indicator` looks as following: "created": "2018-02-05T08:04:53.000Z", "dataset": "ti_opencti.indicator", "id": "d019b01c-b637-4eb2-af53-6d527be3193d", - "ingested": "2024-06-12T06:54:37Z", + "ingested": "2024-08-02T05:53:45Z", "kind": "enrichment", "original": "{\"confidence\":15,\"created\":\"2018-02-05T08:04:53.000Z\",\"createdBy\":{\"identity_class\":\"organization\",\"name\":\"CthulhuSPRL.be\"},\"description\":\"\",\"externalReferences\":{\"edges\":[]},\"id\":\"d019b01c-b637-4eb2-af53-6d527be3193d\",\"is_inferred\":false,\"killChainPhases\":[],\"lang\":\"en\",\"modified\":\"2023-01-17T05:53:42.851Z\",\"name\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"objectLabel\":[{\"value\":\"information-credibility-6\"},{\"value\":\"osint\"}],\"objectMarking\":[{\"definition\":\"TLP:GREEN\",\"definition_type\":\"TLP\"}],\"observables\":{\"edges\":[{\"node\":{\"entity_type\":\"Hostname\",\"id\":\"b0a91059-5637-4050-8dce-a976a607f75c\",\"observable_value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"standard_id\":\"hostname--2047cd44-ffae-5b34-b912-5856add59b59\",\"value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\"}}],\"pageInfo\":{\"globalCount\":1}},\"pattern\":\"[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"revoked\":true,\"standard_id\":\"indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b\",\"valid_from\":\"2018-02-05T08:04:53.000Z\",\"valid_until\":\"2019-02-05T08:04:53.000Z\",\"x_opencti_detection\":false,\"x_opencti_main_observable_type\":\"Hostname\",\"x_opencti_score\":40}", "type": [ 
@@ -147,7 +147,7 @@ An example event for `indicator` looks as following:
 "name": "ec2-23-21-172-164.compute-1.amazonaws.com",
 "provider": "CthulhuSPRL.be",
 "reference": "http://svc-opencti_stub:8080/dashboard/observations/indicators/d019b01c-b637-4eb2-af53-6d527be3193d",
- "type": "domain-name",
+ "type": "hostname",
 "url": {
 "domain": "ec2-23-21-172-164.compute-1.amazonaws.com",
 "registered_domain": "ec2-23-21-172-164.compute-1.amazonaws.com",
@@ -513,5 +513,8 @@ The documentation for ECS fields can be found at:
 | opencti.observable.x509_certificate.version | The version of the encoded certificate. | keyword |
 | threat.indicator.file.hash.sha3_256 | SHA3-256 hash. | keyword |
 | threat.indicator.file.hash.sha3_512 | SHA3-512 hash. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 | threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.1 or OpenCTI | keyword |
diff --git a/packages/ti_opencti/manifest.yml b/packages/ti_opencti/manifest.yml
index 01bcb8a3604..fda5f4af8c9 100644
--- a/packages/ti_opencti/manifest.yml
+++ b/packages/ti_opencti/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: ti_opencti
 title: OpenCTI
-version: "2.3.1"
+version: "2.3.2"
 description: "Ingest threat intelligence indicators from OpenCTI with Elastic Agent."
 type: integration
 source:
diff --git a/packages/ti_otx/changelog.yml b/packages/ti_otx/changelog.yml
index 1355341f819..0c8afb896a8 100644
--- a/packages/ti_otx/changelog.yml
+++ b/packages/ti_otx/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.25.1"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "1.25.0"
 changes:
 - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/ti_otx/data_stream/pulses_subscribed/fields/ecs.yml b/packages/ti_otx/data_stream/pulses_subscribed/fields/ecs.yml
index 34fc117cd80..241dca2335e 100644
--- a/packages/ti_otx/data_stream/pulses_subscribed/fields/ecs.yml
+++ b/packages/ti_otx/data_stream/pulses_subscribed/fields/ecs.yml
@@ -1,3 +1,9 @@
 - name: threat.indicator.file.hash.pehash
 type: keyword
 description: "The file's pehash, if available."
+- name: threat.indicator.first_seen
+ external: ecs
+- name: threat.indicator.last_seen
+ external: ecs
+- name: threat.indicator.modified_at
+ external: ecs
diff --git a/packages/ti_otx/data_stream/pulses_subscribed/sample_event.json b/packages/ti_otx/data_stream/pulses_subscribed/sample_event.json
index e96d8cc2c2d..7ec88c438b1 100644
--- a/packages/ti_otx/data_stream/pulses_subscribed/sample_event.json
+++ b/packages/ti_otx/data_stream/pulses_subscribed/sample_event.json
@@ -1,24 +1,24 @@
 {
 "@timestamp": "2023-08-08T05:05:15.000Z",
 "agent": {
- "ephemeral_id": "98babf94-9cf4-45af-aef8-2d57d61d9876",
- "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e",
+ "ephemeral_id": "c12b4f72-265e-41f0-96e0-103c81de7908",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_otx.pulses_subscribed",
- "namespace": "ep",
+ "namespace": "32586",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "event": {
 "agent_id_status": "verified",
@@ -26,7 +26,7 @@ "threat" ], "dataset": "ti_otx.pulses_subscribed", - "ingested": "2024-03-08T02:54:50Z", + "ingested": "2024-08-02T06:03:28Z", "kind": "enrichment", "original": "{\"content\":\"\",\"count\":2,\"created\":\"2023-08-08T05:05:15\",\"description\":\"\",\"expiration\":null,\"id\":3454375108,\"indicator\":\"pinup-casino-tr.site\",\"is_active\":1,\"prefetch_pulse_ids\":false,\"pulse_raw\":\"{\\\"adversary\\\":\\\"\\\",\\\"attack_ids\\\":[\\\"T1531\\\",\\\"T1059\\\",\\\"T1566\\\"],\\\"author_name\\\":\\\"SampleUser\\\",\\\"created\\\":\\\"2023-08-22T09:43:18.855000\\\",\\\"description\\\":\\\"\\\",\\\"extract_source\\\":[],\\\"id\\\":\\\"64e38336d783f91d6948a7b1\\\",\\\"industries\\\":[],\\\"malware_families\\\":[\\\"WHIRLPOOL\\\"],\\\"modified\\\":\\\"2023-08-22T09:43:18.855000\\\",\\\"more_indicators\\\":false,\\\"name\\\":\\\"Sample Pulse\\\",\\\"public\\\":1,\\\"references\\\":[\\\"https://www.cisa.gov/news-events/analysis-reports/ar23-230a\\\"],\\\"revision\\\":1,\\\"tags\\\":[\\\"cisa\\\",\\\"backdoor\\\",\\\"whirlpool\\\",\\\"malware\\\"],\\\"targeted_countries\\\":[],\\\"tlp\\\":\\\"white\\\"}\",\"role\":null,\"t\":0,\"t2\":0.0050694942474365234,\"t3\":2.7960586547851562,\"title\":\"\",\"type\":\"domain\"}", "type": [ diff --git a/packages/ti_otx/data_stream/threat/fields/ecs.yml b/packages/ti_otx/data_stream/threat/fields/ecs.yml index 34fc117cd80..241dca2335e 100644 --- a/packages/ti_otx/data_stream/threat/fields/ecs.yml +++ b/packages/ti_otx/data_stream/threat/fields/ecs.yml @@ -1,3 +1,9 @@ - name: threat.indicator.file.hash.pehash type: keyword description: "The file's pehash, if available." +- name: threat.indicator.first_seen + external: ecs +- name: threat.indicator.last_seen + external: ecs +- name: threat.indicator.modified_at + external: ecs diff --git a/packages/ti_otx/docs/README.md b/packages/ti_otx/docs/README.md index 31ce471790a..8abed51a677 100644 --- a/packages/ti_otx/docs/README.md +++ b/packages/ti_otx/docs/README.md 
@@ -38,6 +38,9 @@ Retrieves all the related indicators over time, related to your pulse subscripti
 | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
 | threat.feed.name | Display friendly feed name | constant_keyword |
 | threat.indicator.file.hash.pehash | The file's pehash, if available. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 An example event for `threat` looks as following:
@@ -166,6 +169,9 @@ The following subscriptions are included by this API:
 | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
 | threat.feed.name | Display friendly feed name | constant_keyword |
 | threat.indicator.file.hash.pehash | The file's pehash, if available. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 An example event for `pulses_subscribed` looks as following:
@@ -174,24 +180,24 @@ An example event for `pulses_subscribed` looks as following:
 {
 "@timestamp": "2023-08-08T05:05:15.000Z",
 "agent": {
- "ephemeral_id": "98babf94-9cf4-45af-aef8-2d57d61d9876",
- "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e",
+ "ephemeral_id": "c12b4f72-265e-41f0-96e0-103c81de7908",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_otx.pulses_subscribed",
- "namespace": "ep",
+ "namespace": "32586",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.1"
+ "version": "8.13.0"
 },
 "event": {
 "agent_id_status": "verified",
@@ -199,7 +205,7 @@ An example event for `pulses_subscribed` looks as following: "threat" ], "dataset": "ti_otx.pulses_subscribed", - "ingested": "2024-03-08T02:54:50Z", + "ingested": "2024-08-02T06:03:28Z", "kind": "enrichment", "original": "{\"content\":\"\",\"count\":2,\"created\":\"2023-08-08T05:05:15\",\"description\":\"\",\"expiration\":null,\"id\":3454375108,\"indicator\":\"pinup-casino-tr.site\",\"is_active\":1,\"prefetch_pulse_ids\":false,\"pulse_raw\":\"{\\\"adversary\\\":\\\"\\\",\\\"attack_ids\\\":[\\\"T1531\\\",\\\"T1059\\\",\\\"T1566\\\"],\\\"author_name\\\":\\\"SampleUser\\\",\\\"created\\\":\\\"2023-08-22T09:43:18.855000\\\",\\\"description\\\":\\\"\\\",\\\"extract_source\\\":[],\\\"id\\\":\\\"64e38336d783f91d6948a7b1\\\",\\\"industries\\\":[],\\\"malware_families\\\":[\\\"WHIRLPOOL\\\"],\\\"modified\\\":\\\"2023-08-22T09:43:18.855000\\\",\\\"more_indicators\\\":false,\\\"name\\\":\\\"Sample Pulse\\\",\\\"public\\\":1,\\\"references\\\":[\\\"https://www.cisa.gov/news-events/analysis-reports/ar23-230a\\\"],\\\"revision\\\":1,\\\"tags\\\":[\\\"cisa\\\",\\\"backdoor\\\",\\\"whirlpool\\\",\\\"malware\\\"],\\\"targeted_countries\\\":[],\\\"tlp\\\":\\\"white\\\"}\",\"role\":null,\"t\":0,\"t2\":0.0050694942474365234,\"t3\":2.7960586547851562,\"title\":\"\",\"type\":\"domain\"}", "type": [ diff --git a/packages/ti_otx/manifest.yml b/packages/ti_otx/manifest.yml index 29fca1f2893..31def6b73cb 100644 --- a/packages/ti_otx/manifest.yml +++ b/packages/ti_otx/manifest.yml @@ -1,6 +1,6 @@ name: ti_otx title: AlienVault OTX -version: "1.25.0" +version: "1.25.1" description: Ingest threat intelligence indicators from AlienVault Open Threat Exchange (OTX) with Elastic Agent. type: integration format_version: "3.0.2" diff --git a/packages/ti_rapid7_threat_command/changelog.yml b/packages/ti_rapid7_threat_command/changelog.yml index dcfbb2ef0b6..5b7f78ab802 100644 --- a/packages/ti_rapid7_threat_command/changelog.yml 
+++ b/packages/ti_rapid7_threat_command/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.0.1"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "2.0.0"
 changes:
 - description: Add support for IOC expiration
diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/fields/ecs.yml b/packages/ti_rapid7_threat_command/data_stream/ioc/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_rapid7_threat_command/data_stream/ioc/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_rapid7_threat_command/data_stream/ioc/sample_event.json b/packages/ti_rapid7_threat_command/data_stream/ioc/sample_event.json
index 5e95b750cec..b491e057427 100644
--- a/packages/ti_rapid7_threat_command/data_stream/ioc/sample_event.json
+++ b/packages/ti_rapid7_threat_command/data_stream/ioc/sample_event.json
@@ -1,22 +1,22 @@
 {
 "@timestamp": "2022-06-16T10:39:07.851Z",
 "agent": {
- "ephemeral_id": "bc74bf1e-3b49-4a4f-b121-ce54d80ad098",
- "id": "34592ccf-10ae-4d24-a28c-97be832bde99",
+ "ephemeral_id": "f8dfeb31-2b56-4f8e-bb91-d4b94b8086da",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_rapid7_threat_command.ioc",
- "namespace": "ep",
+ "namespace": "98425",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "34592ccf-10ae-4d24-a28c-97be832bde99",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
 "version": "8.13.0"
 },
@@ -25,9 +25,9 @@
 "category": [
 "threat"
 ],
- "created": "2024-06-26T07:01:52.941Z",
+ "created": "2024-08-02T06:09:57.917Z",
 "dataset": "ti_rapid7_threat_command.ioc",
- "ingested": "2024-06-26T07:02:02Z",
+ "ingested": "2024-08-02T06:10:07Z",
 "kind": "enrichment",
 "module": "ti_rapid7_threat_command",
 "original": "{\"firstSeen\":\"2022-05-04T20:11:04.000Z\",\"lastSeen\":\"2022-06-15T20:11:04.000Z\",\"lastUpdateDate\":\"2022-06-16T10:39:07.851Z\",\"relatedCampaigns\":[],\"relatedMalware\":[\"remcos\"],\"relatedThreatActors\":[],\"reportedFeeds\":[{\"confidenceLevel\":2,\"id\":\"5b68306df84f7c8696047fdd\",\"name\":\"Test Feed\"}],\"score\":13.26086956521739,\"severity\":\"Low\",\"status\":\"Active\",\"tags\":[\"Test\"],\"type\":\"IpAddresses\",\"value\":\"89.160.20.112\",\"whitelisted\":false}",
diff --git a/packages/ti_rapid7_threat_command/docs/README.md b/packages/ti_rapid7_threat_command/docs/README.md
index 0128421f2fe..25a60f99a85 100644
--- a/packages/ti_rapid7_threat_command/docs/README.md
+++ b/packages/ti_rapid7_threat_command/docs/README.md
@@ -216,22 +216,22 @@ An example event for `ioc` looks as following:
 {
 "@timestamp": "2022-06-16T10:39:07.851Z",
 "agent": {
- "ephemeral_id": "bc74bf1e-3b49-4a4f-b121-ce54d80ad098",
- "id": "34592ccf-10ae-4d24-a28c-97be832bde99",
+ "ephemeral_id": "f8dfeb31-2b56-4f8e-bb91-d4b94b8086da",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_rapid7_threat_command.ioc",
- "namespace": "ep",
+ "namespace": "98425",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "34592ccf-10ae-4d24-a28c-97be832bde99",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
 "version": "8.13.0"
 },
@@ -240,9 +240,9 @@ An example event for `ioc` looks as following:
 "category": [
 "threat"
 ],
- "created": "2024-06-26T07:01:52.941Z",
+ "created": "2024-08-02T06:09:57.917Z",
 "dataset": "ti_rapid7_threat_command.ioc",
- "ingested": "2024-06-26T07:02:02Z",
+ "ingested": "2024-08-02T06:10:07Z",
 "kind": "enrichment",
 "module": "ti_rapid7_threat_command",
 "original": "{\"firstSeen\":\"2022-05-04T20:11:04.000Z\",\"lastSeen\":\"2022-06-15T20:11:04.000Z\",\"lastUpdateDate\":\"2022-06-16T10:39:07.851Z\",\"relatedCampaigns\":[],\"relatedMalware\":[\"remcos\"],\"relatedThreatActors\":[],\"reportedFeeds\":[{\"confidenceLevel\":2,\"id\":\"5b68306df84f7c8696047fdd\",\"name\":\"Test Feed\"}],\"score\":13.26086956521739,\"severity\":\"Low\",\"status\":\"Active\",\"tags\":[\"Test\"],\"type\":\"IpAddresses\",\"value\":\"89.160.20.112\",\"whitelisted\":false}",
@@ -367,6 +367,9 @@ An example event for `ioc` looks as following:
 | rapid7.tc.ioc.type | IOC type. | keyword |
 | rapid7.tc.ioc.value | IOC value. | keyword |
 | rapid7.tc.ioc.whitelisted | An indicator which states if the IOC was checked and found as whitelisted or not. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 ### Alert
diff --git a/packages/ti_rapid7_threat_command/manifest.yml b/packages/ti_rapid7_threat_command/manifest.yml
index d969ad682af..7612cb51f07 100644
--- a/packages/ti_rapid7_threat_command/manifest.yml
+++ b/packages/ti_rapid7_threat_command/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: ti_rapid7_threat_command
 title: Rapid7 Threat Command
-version: "2.0.0"
+version: "2.0.1"
 description: Collect threat intelligence from Threat Command API with Elastic Agent.
 type: integration
 categories: ["security", "threat_intel"]
diff --git a/packages/ti_recordedfuture/changelog.yml b/packages/ti_recordedfuture/changelog.yml
index 0758329930c..e2dfc99ef8c 100644
--- a/packages/ti_recordedfuture/changelog.yml
+++ b/packages/ti_recordedfuture/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.26.1"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "1.26.0"
 changes:
 - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/ti_recordedfuture/data_stream/threat/fields/ecs.yml b/packages/ti_recordedfuture/data_stream/threat/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_recordedfuture/data_stream/threat/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_recordedfuture/data_stream/threat/sample_event.json b/packages/ti_recordedfuture/data_stream/threat/sample_event.json
index f39ff978bb3..0c05eecf848 100644
--- a/packages/ti_recordedfuture/data_stream/threat/sample_event.json
+++ b/packages/ti_recordedfuture/data_stream/threat/sample_event.json
@@ -1,85 +1,109 @@
 {
- "@timestamp": "2024-05-09T12:24:05.286Z",
+ "@timestamp": "2024-08-02T06:24:04.201Z",
 "agent": {
- "ephemeral_id": "b0d47395-89bd-40e7-8018-57fdcc0cf1b8",
- "id": "013c7177-2e5d-40da-9e17-9ee5d2249880",
+ "ephemeral_id": "25d7a936-2b7c-4476-9181-82d1296ce9df",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.2"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_recordedfuture.threat",
- "namespace": "ep",
+ "namespace": "67234",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "013c7177-2e5d-40da-9e17-9ee5d2249880",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.2"
+ "version": "8.13.0"
 },
 "event": {
 "agent_id_status": "verified",
 "category": [
 "threat"
 ],
+ "created": "2024-08-02T06:24:04.201Z",
 "dataset": "ti_recordedfuture.threat",
- "ingested": "2024-05-09T12:24:15Z",
+ "ingested": "2024-08-02T06:24:16Z",
 "kind": "enrichment",
- "risk_score": 75,
- "timezone": "+00:00",
+ "original": "{\"EvidenceDetails\":\"{\\\"EvidenceDetails\\\": [{\\\"Name\\\": \\\"suspectedCncDnsName\\\", \\\"EvidenceString\\\": \\\"1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified ubykou33.top as possible TA0011 (Command and Control) for CryptBot on December 26, 2023. Most recent link (Dec 26, 2023): https://threatfox.abuse.ch/ioc/1223634\\\", \\\"CriticalityLabel\\\": \\\"Unusual\\\", \\\"MitigationString\\\": \\\"\\\", \\\"Rule\\\": \\\"Historical Suspected C\\\\u0026C DNS Name\\\", \\\"SourcesCount\\\": 1.0, \\\"Sources\\\": [\\\"source:sIoEOQ\\\"], \\\"Timestamp\\\": \\\"2023-12-26T17:06:29.000Z\\\", \\\"SightingsCount\\\": 1.0, \\\"Criticality\\\": 1.0}, {\\\"Name\\\": \\\"malwareSiteDetected\\\", \\\"EvidenceString\\\": \\\"2 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
ubykou33.top is observed to be a malware site domain that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\\\", \\\"CriticalityLabel\\\": \\\"Unusual\\\", \\\"MitigationString\\\": \\\"\\\", \\\"Rule\\\": \\\"Historically Detected Malware Operation\\\", \\\"SourcesCount\\\": 2.0, \\\"Sources\\\": [\\\"source:kBB1fk\\\", \\\"source:d3Awkm\\\"], \\\"Timestamp\\\": \\\"2024-01-26T00:00:00.000Z\\\", \\\"SightingsCount\\\": 2.0, \\\"Criticality\\\": 1.0}, {\\\"Name\\\": \\\"malwareSiteSuspected\\\", \\\"EvidenceString\\\": \\\"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jan 26, 2024.\\\", \\\"CriticalityLabel\\\": \\\"Unusual\\\", \\\"MitigationString\\\": \\\"\\\", \\\"Rule\\\": \\\"Historically Suspected Malware Operation\\\", \\\"SourcesCount\\\": 1.0, \\\"Sources\\\": [\\\"source:d3Awkm\\\"], \\\"Timestamp\\\": \\\"2024-01-26T00:00:00.000Z\\\", \\\"SightingsCount\\\": 1.0, \\\"Criticality\\\": 1.0}, {\\\"Name\\\": \\\"recentMalwareSiteDetected\\\", \\\"EvidenceString\\\": \\\"1 sighting on 1 source: External Sensor Data Analysis. 
ubykou33.top is observed to be a malware site domain that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\\\", \\\"CriticalityLabel\\\": \\\"Malicious\\\", \\\"MitigationString\\\": \\\"\\\", \\\"Rule\\\": \\\"Recently Detected Malware Operation\\\", \\\"SourcesCount\\\": 1.0, \\\"Sources\\\": [\\\"source:kBB1fk\\\"], \\\"Timestamp\\\": \\\"2024-05-08T23:11:43.601Z\\\", \\\"SightingsCount\\\": 1.0, \\\"Criticality\\\": 3.0}]}\",\"Name\":\"ubykou33.top\",\"Risk\":\"67\",\"RiskString\":\"4/52\"}",
+ "risk_score": 67,
 "type": [
 "indicator"
 ]
 },
 "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/rf_file_default.csv"
- },
- "offset": 57
+ "type": "httpjson"
 },
 "recordedfuture": {
 "evidence_details": [
 {
- "criticality": 2,
- "criticality_label": "Suspicious",
- "evidence_string": "2 sightings on 1 source: PolySwarm. Most recent link (Mar 23, 2024): https://polyswarm.network/scan/results/file/63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f",
+ "criticality": 1,
+ "criticality_label": "Unusual",
+ "evidence_string": "1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified ubykou33.top as possible TA0011 (Command and Control) for CryptBot on December 26, 2023. Most recent link (Dec 26, 2023): https://threatfox.abuse.ch/ioc/1223634",
+ "mitigation_string": "",
+ "name": "suspectedCncDnsName",
+ "rule": "Historical Suspected C&C DNS Name",
+ "sightings_count": 1,
+ "sources": [
+ "source:sIoEOQ"
+ ],
+ "sources_count": 1,
+ "timestamp": "2023-12-26T17:06:29.000Z"
+ },
+ {
+ "criticality": 1,
+ "criticality_label": "Unusual",
+ "evidence_string": "2 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
ubykou33.top is observed to be a malware site domain that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.",
 "mitigation_string": "",
- "name": "linkedToMalware",
- "rule": "Linked to Malware",
+ "name": "malwareSiteDetected",
+ "rule": "Historically Detected Malware Operation",
 "sightings_count": 2,
 "sources": [
- "source:doLlw5"
+ "source:kBB1fk",
+ "source:d3Awkm"
+ ],
+ "sources_count": 2,
+ "timestamp": "2024-01-26T00:00:00.000Z"
+ },
+ {
+ "criticality": 1,
+ "criticality_label": "Unusual",
+ "evidence_string": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jan 26, 2024.",
+ "mitigation_string": "",
+ "name": "malwareSiteSuspected",
+ "rule": "Historically Suspected Malware Operation",
+ "sightings_count": 1,
+ "sources": [
+ "source:d3Awkm"
 ],
 "sources_count": 1,
- "timestamp": "2024-03-23T17:10:20.642Z"
+ "timestamp": "2024-01-26T00:00:00.000Z"
 },
 {
 "criticality": 3,
 "criticality_label": "Malicious",
- "evidence_string": "3 sightings on 3 sources: Polyswarm Sandbox Analysis, Recorded Future Triage Malware Analysis, PolySwarm. Most recent link (Mar 23, 2024): https://polyswarm.network/scan/results/file/63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f",
+ "evidence_string": "1 sighting on 1 source: External Sensor Data Analysis. 
ubykou33.top is observed to be a malware site domain that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.",
 "mitigation_string": "",
- "name": "positiveMalwareVerdict",
- "rule": "Positive Malware Verdict",
- "sightings_count": 3,
+ "name": "recentMalwareSiteDetected",
+ "rule": "Recently Detected Malware Operation",
+ "sightings_count": 1,
 "sources": [
- "source:hzRhwZ",
- "source:ndy5_2",
- "source:doLlw5"
+ "source:kBB1fk"
 ],
- "sources_count": 3,
- "timestamp": "2024-03-23T16:36:02.000Z"
+ "sources_count": 1,
+ "timestamp": "2024-05-08T23:11:43.601Z"
 }
 ],
- "name": "63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f",
- "risk_string": "2/17"
+ "list": "test",
+ "name": "ubykou33.top",
+ "risk_string": "4/52"
 },
 "tags": [
+ "preserve_original_event",
 "forwarded",
 "recordedfuture"
 ],
@@ -88,19 +112,17 @@
 "name": "Recorded Future"
 },
 "indicator": {
- "file": {
- "hash": {
- "sha256": "63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f"
- }
- },
 "provider": [
- "PolySwarm",
- "Polyswarm Sandbox Analysis",
- "Recorded Future Triage Malware Analysis"
+ "ThreatFox Infrastructure Analysis",
+ "External Sensor Data Analysis",
+ "Bitdefender"
 ],
- "scanner_stats": 4,
+ "scanner_stats": 5,
 "sightings": 5,
- "type": "file"
+ "type": "domain-name",
+ "url": {
+ "domain": "ubykou33.top"
+ }
 }
 }
 }
\ No newline at end of file
diff --git a/packages/ti_recordedfuture/docs/README.md b/packages/ti_recordedfuture/docs/README.md
index d2b9b5769bb..752d82a9d4d 100644
--- a/packages/ti_recordedfuture/docs/README.md
+++ b/packages/ti_recordedfuture/docs/README.md
@@ -23,87 +23,111 @@ An example event for `threat` looks as following:
 ```json
 {
- "@timestamp": "2024-05-09T12:24:05.286Z",
+ "@timestamp": "2024-08-02T06:24:04.201Z",
 "agent": {
- "ephemeral_id": "b0d47395-89bd-40e7-8018-57fdcc0cf1b8",
- "id": "013c7177-2e5d-40da-9e17-9ee5d2249880",
+ "ephemeral_id": "25d7a936-2b7c-4476-9181-82d1296ce9df",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.2"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_recordedfuture.threat",
- "namespace": "ep",
+ "namespace": "67234",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "013c7177-2e5d-40da-9e17-9ee5d2249880",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.12.2"
+ "version": "8.13.0"
 },
 "event": {
 "agent_id_status": "verified",
 "category": [
 "threat"
 ],
+ "created": "2024-08-02T06:24:04.201Z",
 "dataset": "ti_recordedfuture.threat",
- "ingested": "2024-05-09T12:24:15Z",
+ "ingested": "2024-08-02T06:24:16Z",
 "kind": "enrichment",
- "risk_score": 75,
- "timezone": "+00:00",
+ "original": "{\"EvidenceDetails\":\"{\\\"EvidenceDetails\\\": [{\\\"Name\\\": \\\"suspectedCncDnsName\\\", \\\"EvidenceString\\\": \\\"1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified ubykou33.top as possible TA0011 (Command and Control) for CryptBot on December 26, 2023. Most recent link (Dec 26, 2023): https://threatfox.abuse.ch/ioc/1223634\\\", \\\"CriticalityLabel\\\": \\\"Unusual\\\", \\\"MitigationString\\\": \\\"\\\", \\\"Rule\\\": \\\"Historical Suspected C\\\\u0026C DNS Name\\\", \\\"SourcesCount\\\": 1.0, \\\"Sources\\\": [\\\"source:sIoEOQ\\\"], \\\"Timestamp\\\": \\\"2023-12-26T17:06:29.000Z\\\", \\\"SightingsCount\\\": 1.0, \\\"Criticality\\\": 1.0}, {\\\"Name\\\": \\\"malwareSiteDetected\\\", \\\"EvidenceString\\\": \\\"2 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
ubykou33.top is observed to be a malware site domain that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\\\", \\\"CriticalityLabel\\\": \\\"Unusual\\\", \\\"MitigationString\\\": \\\"\\\", \\\"Rule\\\": \\\"Historically Detected Malware Operation\\\", \\\"SourcesCount\\\": 2.0, \\\"Sources\\\": [\\\"source:kBB1fk\\\", \\\"source:d3Awkm\\\"], \\\"Timestamp\\\": \\\"2024-01-26T00:00:00.000Z\\\", \\\"SightingsCount\\\": 2.0, \\\"Criticality\\\": 1.0}, {\\\"Name\\\": \\\"malwareSiteSuspected\\\", \\\"EvidenceString\\\": \\\"1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jan 26, 2024.\\\", \\\"CriticalityLabel\\\": \\\"Unusual\\\", \\\"MitigationString\\\": \\\"\\\", \\\"Rule\\\": \\\"Historically Suspected Malware Operation\\\", \\\"SourcesCount\\\": 1.0, \\\"Sources\\\": [\\\"source:d3Awkm\\\"], \\\"Timestamp\\\": \\\"2024-01-26T00:00:00.000Z\\\", \\\"SightingsCount\\\": 1.0, \\\"Criticality\\\": 1.0}, {\\\"Name\\\": \\\"recentMalwareSiteDetected\\\", \\\"EvidenceString\\\": \\\"1 sighting on 1 source: External Sensor Data Analysis. 
ubykou33.top is observed to be a malware site domain that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\\\", \\\"CriticalityLabel\\\": \\\"Malicious\\\", \\\"MitigationString\\\": \\\"\\\", \\\"Rule\\\": \\\"Recently Detected Malware Operation\\\", \\\"SourcesCount\\\": 1.0, \\\"Sources\\\": [\\\"source:kBB1fk\\\"], \\\"Timestamp\\\": \\\"2024-05-08T23:11:43.601Z\\\", \\\"SightingsCount\\\": 1.0, \\\"Criticality\\\": 3.0}]}\",\"Name\":\"ubykou33.top\",\"Risk\":\"67\",\"RiskString\":\"4/52\"}",
+ "risk_score": 67,
 "type": [
 "indicator"
 ]
 },
 "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/rf_file_default.csv"
- },
- "offset": 57
+ "type": "httpjson"
 },
 "recordedfuture": {
 "evidence_details": [
 {
- "criticality": 2,
- "criticality_label": "Suspicious",
- "evidence_string": "2 sightings on 1 source: PolySwarm. Most recent link (Mar 23, 2024): https://polyswarm.network/scan/results/file/63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f",
+ "criticality": 1,
+ "criticality_label": "Unusual",
+ "evidence_string": "1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified ubykou33.top as possible TA0011 (Command and Control) for CryptBot on December 26, 2023. Most recent link (Dec 26, 2023): https://threatfox.abuse.ch/ioc/1223634",
+ "mitigation_string": "",
+ "name": "suspectedCncDnsName",
+ "rule": "Historical Suspected C&C DNS Name",
+ "sightings_count": 1,
+ "sources": [
+ "source:sIoEOQ"
+ ],
+ "sources_count": 1,
+ "timestamp": "2023-12-26T17:06:29.000Z"
+ },
+ {
+ "criticality": 1,
+ "criticality_label": "Unusual",
+ "evidence_string": "2 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
ubykou33.top is observed to be a malware site domain that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.",
 "mitigation_string": "",
- "name": "linkedToMalware",
- "rule": "Linked to Malware",
+ "name": "malwareSiteDetected",
+ "rule": "Historically Detected Malware Operation",
 "sightings_count": 2,
 "sources": [
- "source:doLlw5"
+ "source:kBB1fk",
+ "source:d3Awkm"
+ ],
+ "sources_count": 2,
+ "timestamp": "2024-01-26T00:00:00.000Z"
+ },
+ {
+ "criticality": 1,
+ "criticality_label": "Unusual",
+ "evidence_string": "1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Jan 26, 2024.",
+ "mitigation_string": "",
+ "name": "malwareSiteSuspected",
+ "rule": "Historically Suspected Malware Operation",
+ "sightings_count": 1,
+ "sources": [
+ "source:d3Awkm"
 ],
 "sources_count": 1,
- "timestamp": "2024-03-23T17:10:20.642Z"
+ "timestamp": "2024-01-26T00:00:00.000Z"
 },
 {
 "criticality": 3,
 "criticality_label": "Malicious",
- "evidence_string": "3 sightings on 3 sources: Polyswarm Sandbox Analysis, Recorded Future Triage Malware Analysis, PolySwarm. Most recent link (Mar 23, 2024): https://polyswarm.network/scan/results/file/63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f",
+ "evidence_string": "1 sighting on 1 source: External Sensor Data Analysis. 
ubykou33.top is observed to be a malware site domain that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.",
 "mitigation_string": "",
- "name": "positiveMalwareVerdict",
- "rule": "Positive Malware Verdict",
- "sightings_count": 3,
+ "name": "recentMalwareSiteDetected",
+ "rule": "Recently Detected Malware Operation",
+ "sightings_count": 1,
 "sources": [
- "source:hzRhwZ",
- "source:ndy5_2",
- "source:doLlw5"
+ "source:kBB1fk"
 ],
- "sources_count": 3,
- "timestamp": "2024-03-23T16:36:02.000Z"
+ "sources_count": 1,
+ "timestamp": "2024-05-08T23:11:43.601Z"
 }
 ],
- "name": "63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f",
- "risk_string": "2/17"
+ "list": "test",
+ "name": "ubykou33.top",
+ "risk_string": "4/52"
 },
 "tags": [
+ "preserve_original_event",
 "forwarded",
 "recordedfuture"
 ],
@@ -112,19 +136,17 @@ An example event for `threat` looks as following:
 "name": "Recorded Future"
 },
 "indicator": {
- "file": {
- "hash": {
- "sha256": "63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f"
- }
- },
 "provider": [
- "PolySwarm",
- "Polyswarm Sandbox Analysis",
- "Recorded Future Triage Malware Analysis"
+ "ThreatFox Infrastructure Analysis",
+ "External Sensor Data Analysis",
+ "Bitdefender"
 ],
- "scanner_stats": 4,
+ "scanner_stats": 5,
 "sightings": 5,
- "type": "file"
+ "type": "domain-name",
+ "url": {
+ "domain": "ubykou33.top"
+ }
 }
 }
 }
@@ -162,4 +184,7 @@ An example event for `threat` looks as following:
 | recordedfuture.name | Indicator value. | keyword |
 | recordedfuture.risk_string | Details of risk rules observed. | keyword |
 | threat.feed.name | Display friendly feed name | constant_keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
diff --git a/packages/ti_recordedfuture/manifest.yml b/packages/ti_recordedfuture/manifest.yml
index 1224f15c145..bfe0757fbc4 100644
--- a/packages/ti_recordedfuture/manifest.yml
+++ b/packages/ti_recordedfuture/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_recordedfuture
 title: Recorded Future
-version: "1.26.0"
+version: "1.26.1"
 description: Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent.
 type: integration
 format_version: 3.0.2
diff --git a/packages/ti_threatconnect/changelog.yml b/packages/ti_threatconnect/changelog.yml
index a15a04a87c0..a640c890cce 100644
--- a/packages/ti_threatconnect/changelog.yml
+++ b/packages/ti_threatconnect/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "1.2.0"
 changes:
 - description: Improve error reporting for API request failures.
diff --git a/packages/ti_threatconnect/data_stream/indicator/fields/ecs.yml b/packages/ti_threatconnect/data_stream/indicator/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_threatconnect/data_stream/indicator/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_threatconnect/data_stream/indicator/sample_event.json b/packages/ti_threatconnect/data_stream/indicator/sample_event.json
index 1e149b5d8f4..56308a85c47 100644
--- a/packages/ti_threatconnect/data_stream/indicator/sample_event.json
+++ b/packages/ti_threatconnect/data_stream/indicator/sample_event.json
@@ -1,22 +1,22 @@
 {
 "@timestamp": "2023-12-05T06:38:53.000Z",
 "agent": {
- "ephemeral_id": "43b1a042-a9b3-4d01-b836-a9349883688b",
- "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
+ "ephemeral_id": "bfc8c3c8-d6ef-467f-a80c-6c75059c9a7c",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_threatconnect.indicator",
- "namespace": "ep",
+ "namespace": "53159",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
 "version": "8.13.0"
 },
@@ -27,7 +27,7 @@
 ],
 "dataset": "ti_threatconnect.indicator",
 "id": "test.user@elastic.co",
- "ingested": "2024-05-16T22:35:04Z",
+ "ingested": "2024-08-02T06:30:51Z",
 "kind": "enrichment",
 "original": "{\"active\":true,\"activeLocked\":false,\"address\":\"test.user@elastic.co\",\"associatedGroups\":{\"data\":[{\"createdBy\":{\"firstName\":\"test\",\"id\":69,\"lastName\":\"user\",\"owner\":\"Elastic\",\"pseudonym\":\"testW\",\"userName\":\"test.user@elastic.co\"},\"dateAdded\":\"2023-12-05T06:38:33Z\",\"downVoteCount\":\"0\",\"id\":609427,\"lastModified\":\"2023-12-05T06:43:21Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427\",\"name\":\"Test2 \",\"ownerId\":51,\"ownerName\":\"Elastic\",\"type\":\"Vulnerability\",\"upVoteCount\":\"0\",\"webLink\":\"https://app.threatconnect.com/#/details/groups/609427/overview\"},{\"createdBy\":{\"firstName\":\"test\",\"id\":69,\"lastName\":\"user\",\"owner\":\"Elastic\",\"pseudonym\":\"testW\",\"userName\":\"test.user@elastic.co\"},\"dateAdded\":\"2023-12-04T07:18:52Z\",\"documentDateAdded\":\"2023-12-04T07:18:53Z\",\"documentType\":\"PDF\",\"downVoteCount\":\"0\",\"fileName\":\"testthreatgroup.pdf\",\"fileSize\":24467,\"generatedReport\":true,\"id\":601237,\"lastModified\":\"2023-12-05T06:38:46Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/report/report.xhtml?report=601237\",\"name\":\"TestThreatGroup\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"status\":\"Success\",\"type\":\"Report\",\"upVoteCount\":\"0\",\"webLink\":\"https://app.threatconnect.com/#/details/groups/601237/overview\"}]},\"associatedIndicators\":{\"data\":[{\"active\":true,\"activeLocked\":false,\"address\":\"testing@poverts.com\",\"confidence\":61,\"dateAdded\":\"2023-08-25T12:57:24Z\",\"id\":891599,\"lastModified\":\"2023-12-05T06:50:06Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=testing%40poverts.com\\u0026owner=Elastic\",\"ownerId
\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"rating\":3,\"summary\":\"testing@poverts.com\",\"type\":\"EmailAddress\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/891599/overview\"},{\"active\":true,\"activeLocked\":false,\"dateAdded\":\"2023-08-24T06:28:17Z\",\"id\":738667,\"lastModified\":\"2023-12-05T06:47:59Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"summary\":\"http://www.testingmcafeesites.com/testcat_pc.html\",\"text\":\"http://www.testingmcafeesites.com/testcat_pc.html\",\"type\":\"URL\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/738667/overview\"}]},\"attributes\":{},\"dateAdded\":\"2023-08-24T06:19:58Z\",\"id\":736758,\"lastModified\":\"2023-12-05T06:38:53Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"securityLabels\":{\"data\":[{\"color\":\"FFC000\",\"dateAdded\":\"2016-08-31T00:00:00Z\",\"description\":\"This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Information with this label can be shared with members of an organization and its clients.\",\"id\":3,\"name\":\"TLP:AMBER\",\"owner\":\"System\"}]},\"summary\":\"test.user@elastic.co\",\"tags\":{\"data\":[{\"description\":\"Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. 
Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \\\"pig butchering,\\\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \\n\\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\\n\\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\\n\\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)\",\"id\":463701,\"lastUsed\":\"2023-12-04T06:44:44Z\",\"name\":\"Financial Theft\",\"platforms\":{\"count\":6,\"data\":[\"Linux\",\"macOS\",\"Windows\",\"Office 365\",\"SaaS\",\"Google 
Workspace\"]},\"techniqueId\":\"T1657\"}]},\"threatAssessConfidence\":0,\"threatAssessRating\":0,\"threatAssessScore\":281,\"threatAssessScoreFalsePositive\":0,\"threatAssessScoreObserved\":0,\"type\":\"EmailAddress\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/736758/overview\"}",
 "type": [
diff --git a/packages/ti_threatconnect/docs/README.md b/packages/ti_threatconnect/docs/README.md
index 427b014914d..5a7259da412 100644
--- a/packages/ti_threatconnect/docs/README.md
+++ b/packages/ti_threatconnect/docs/README.md
@@ -89,22 +89,22 @@ An example event for `indicator` looks as following:
 {
 "@timestamp": "2023-12-05T06:38:53.000Z",
 "agent": {
- "ephemeral_id": "43b1a042-a9b3-4d01-b836-a9349883688b",
- "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
+ "ephemeral_id": "bfc8c3c8-d6ef-467f-a80c-6c75059c9a7c",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_threatconnect.indicator",
- "namespace": "ep",
+ "namespace": "53159",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "c3650180-e3d1-4dad-9094-89c988e721d7",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
 "version": "8.13.0"
 },
@@ -115,7 +115,7 @@ An example event for `indicator` looks as following:
 ],
 "dataset": "ti_threatconnect.indicator",
 "id": "test.user@elastic.co",
- "ingested": "2024-05-16T22:35:04Z",
+ "ingested": "2024-08-02T06:30:51Z",
 "kind": "enrichment",
 "original": "{\"active\":true,\"activeLocked\":false,\"address\":\"test.user@elastic.co\",\"associatedGroups\":{\"data\":[{\"createdBy\":{\"firstName\":\"test\",\"id\":69,\"lastName\":\"user\",\"owner\":\"Elastic\",\"pseudonym\":\"testW\",\"userName\":\"test.user@elastic.co\"},\"dateAdded\":\"2023-12-05T06:38:33Z\",\"downVoteCount\":\"0\",\"id\":609427,\"lastModified\":\"2023-12-05T06:43:21Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427\",\"name\":\"Test2 \",\"ownerId\":51,\"ownerName\":\"Elastic\",\"type\":\"Vulnerability\",\"upVoteCount\":\"0\",\"webLink\":\"https://app.threatconnect.com/#/details/groups/609427/overview\"},{\"createdBy\":{\"firstName\":\"test\",\"id\":69,\"lastName\":\"user\",\"owner\":\"Elastic\",\"pseudonym\":\"testW\",\"userName\":\"test.user@elastic.co\"},\"dateAdded\":\"2023-12-04T07:18:52Z\",\"documentDateAdded\":\"2023-12-04T07:18:53Z\",\"documentType\":\"PDF\",\"downVoteCount\":\"0\",\"fileName\":\"testthreatgroup.pdf\",\"fileSize\":24467,\"generatedReport\":true,\"id\":601237,\"lastModified\":\"2023-12-05T06:38:46Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/report/report.xhtml?report=601237\",\"name\":\"TestThreatGroup\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"status\":\"Success\",\"type\":\"Report\",\"upVoteCount\":\"0\",\"webLink\":\"https://app.threatconnect.com/#/details/groups/601237/overview\"}]},\"associatedIndicators\":{\"data\":[{\"active\":true,\"activeLocked\":false,\"address\":\"testing@poverts.com\",\"confidence\":61,\"dateAdded\":\"2023-08-25T12:57:24Z\",\"id\":891599,\"lastModified\":\"2023-12-05T06:50:06Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddres
s=testing%40poverts.com\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"rating\":3,\"summary\":\"testing@poverts.com\",\"type\":\"EmailAddress\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/891599/overview\"},{\"active\":true,\"activeLocked\":false,\"dateAdded\":\"2023-08-24T06:28:17Z\",\"id\":738667,\"lastModified\":\"2023-12-05T06:47:59Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"summary\":\"http://www.testingmcafeesites.com/testcat_pc.html\",\"text\":\"http://www.testingmcafeesites.com/testcat_pc.html\",\"type\":\"URL\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/738667/overview\"}]},\"attributes\":{},\"dateAdded\":\"2023-08-24T06:19:58Z\",\"id\":736758,\"lastModified\":\"2023-12-05T06:38:53Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"securityLabels\":{\"data\":[{\"color\":\"FFC000\",\"dateAdded\":\"2016-08-31T00:00:00Z\",\"description\":\"This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Information with this label can be shared with members of an organization and its clients.\",\"id\":3,\"name\":\"TLP:AMBER\",\"owner\":\"System\"}]},\"summary\":\"test.user@elastic.co\",\"tags\":{\"data\":[{\"description\":\"Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. 
Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \\\"pig butchering,\\\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \\n\\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\\n\\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\\n\\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)\",\"id\":463701,\"lastUsed\":\"2023-12-04T06:44:44Z\",\"name\":\"Financial Theft\",\"platforms\":{\"count\":6,\"data\":[\"Linux\",\"macOS\",\"Windows\",\"Office 365\",\"SaaS\",\"Google 
Workspace\"]},\"techniqueId\":\"T1657\"}]},\"threatAssessConfidence\":0,\"threatAssessRating\":0,\"threatAssessScore\":281,\"threatAssessScoreFalsePositive\":0,\"threatAssessScoreObserved\":0,\"type\":\"EmailAddress\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/736758/overview\"}",
 "type": [
@@ -350,6 +350,9 @@ An example event for `indicator` looks as following:
 | labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
 | log.offset | Log offset. | long |
 | threat.feed.name | Display friendly feed name. | constant_keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 | threat_connect.indicator.active.locked | Indicates whether the active status is locked. | boolean |
 | threat_connect.indicator.active.value | Indicates whether the indicator is active. | boolean |
 | threat_connect.indicator.address | The email address associated with the Email Address Indicator. | keyword |
diff --git a/packages/ti_threatconnect/manifest.yml b/packages/ti_threatconnect/manifest.yml
index 78e06447a56..1c53fe77640 100644
--- a/packages/ti_threatconnect/manifest.yml
+++ b/packages/ti_threatconnect/manifest.yml
@@ -2,7 +2,7 @@
 format_version: 3.0.3
 name: ti_threatconnect
 title: ThreatConnect
-version: "1.2.0"
+version: "1.2.1"
 description: Collects Indicators from ThreatConnect using the Elastic Agent and saves them as logs inside Elastic
 type: integration
 categories:
diff --git a/packages/ti_threatq/changelog.yml b/packages/ti_threatq/changelog.yml
index c2553083e48..3bd585d79e8 100644
--- a/packages/ti_threatq/changelog.yml
+++ b/packages/ti_threatq/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.28.1"
+ changes:
+ - description: Fix ECS date mapping on threat fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10674
 - version: "1.28.0"
 changes:
 - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/ti_threatq/data_stream/threat/fields/ecs.yml b/packages/ti_threatq/data_stream/threat/fields/ecs.yml
new file mode 100644
index 00000000000..e3ba6a4be1b
--- /dev/null
+++ b/packages/ti_threatq/data_stream/threat/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
diff --git a/packages/ti_threatq/data_stream/threat/sample_event.json b/packages/ti_threatq/data_stream/threat/sample_event.json
index 3b393b34b8d..50bac054b36 100644
--- a/packages/ti_threatq/data_stream/threat/sample_event.json
+++ b/packages/ti_threatq/data_stream/threat/sample_event.json
@@ -1,33 +1,33 @@
 {
 "@timestamp": "2019-11-15T00:00:02.000Z",
 "agent": {
- "ephemeral_id": "b61f9d9a-97f7-4d8a-9ec1-535a1ca13e89",
- "id": "8130bdff-3530-4540-8c03-ba091c47a24f",
+ "ephemeral_id": "9f1b0b7f-5be0-463d-9551-3d66aab12b6f",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.11.0"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_threatq.threat",
- "namespace": "ep",
+ "namespace": "94389",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "8130bdff-3530-4540-8c03-ba091c47a24f",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.11.0"
+ "version": "8.13.0"
 },
 "event": {
 "agent_id_status": "verified",
 "category": [
 "threat"
 ],
- "created": "2023-12-22T11:40:37.696Z",
+ "created": "2024-08-02T06:46:26.556Z",
 "dataset": "ti_threatq.threat",
- "ingested": "2023-12-22T11:40:38Z",
+ "ingested": "2024-08-02T06:46:36Z",
 "kind": "enrichment",
 "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1877,\"indicator_id\":336,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1878,\"indicator_id\":336,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"MP\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"1ece659dcec98b1e1141160b55655c96\",\"id\":336,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":336,\"indicator_id\":336,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 
14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"Poses a threat\",\"id\":2,\"name\":\"Active\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2019-11-15 00:00:02\",\"value\":\"89.160.20.156\"}",
 "type": [
diff --git a/packages/ti_threatq/docs/README.md b/packages/ti_threatq/docs/README.md
index f619f9c4e67..12e41346608 100644
--- a/packages/ti_threatq/docs/README.md
+++ b/packages/ti_threatq/docs/README.md
@@ -45,6 +45,9 @@ To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_thre
 | log.flags | Flags for the log file. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
 | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
 | threatq.adversaries | Adversaries that are linked to the object | keyword |
 | threatq.attributes | These provide additional context about an object | flattened |
 | threatq.created_at | Object creation time | date |
@@ -67,33 +70,33 @@ An example event for `threat` looks as following:
 {
 "@timestamp": "2019-11-15T00:00:02.000Z",
 "agent": {
- "ephemeral_id": "b61f9d9a-97f7-4d8a-9ec1-535a1ca13e89",
- "id": "8130bdff-3530-4540-8c03-ba091c47a24f",
+ "ephemeral_id": "9f1b0b7f-5be0-463d-9551-3d66aab12b6f",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.11.0"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "ti_threatq.threat",
- "namespace": "ep",
+ "namespace": "94389",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "8130bdff-3530-4540-8c03-ba091c47a24f",
+ "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
 "snapshot": false,
- "version": "8.11.0"
+ "version": "8.13.0"
 },
 "event": {
 "agent_id_status": "verified",
 "category": [
 "threat"
 ],
- "created": "2023-12-22T11:40:37.696Z",
+ "created": "2024-08-02T06:46:26.556Z",
 "dataset": "ti_threatq.threat",
- "ingested": "2023-12-22T11:40:38Z",
+ "ingested": "2024-08-02T06:46:36Z",
 "kind": "enrichment",
 "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":3,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1877,\"indicator_id\":336,\"name\":\"Description\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"Malicious Host\"},{\"attribute_id\":4,\"created_at\":\"2020-09-11 14:35:53\",\"id\":1878,\"indicator_id\":336,\"name\":\"Country\",\"touched_at\":\"2020-10-15 14:36:00\",\"updated_at\":\"2020-10-15 14:36:00\",\"value\":\"MP\"}],\"class\":\"network\",\"created_at\":\"2020-09-11 14:35:51\",\"expires_calculated_at\":\"2020-10-15 14:40:03\",\"hash\":\"1ece659dcec98b1e1141160b55655c96\",\"id\":336,\"published_at\":\"2020-09-11 14:35:51\",\"score\":4,\"sources\":[{\"created_at\":\"2020-09-11 14:35:53\",\"creator_source_id\":12,\"id\":336,\"indicator_id\":336,\"indicator_status_id\":2,\"indicator_type_id\":15,\"name\":\"AlienVault OTX\",\"published_at\":\"2020-09-11 
14:35:53\",\"reference_id\":1,\"source_expire_days\":\"30\",\"source_id\":12,\"source_score\":1,\"source_type\":\"connectors\",\"updated_at\":\"2020-10-15 14:36:00\"}],\"status\":{\"description\":\"Poses a threat\",\"id\":2,\"name\":\"Active\"},\"status_id\":2,\"touched_at\":\"2021-06-07 19:47:27\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2019-11-15 00:00:02\",\"value\":\"89.160.20.156\"}",
 "type": [
diff --git a/packages/ti_threatq/manifest.yml b/packages/ti_threatq/manifest.yml
index f6ce83ca7a1..d2f97c97b86 100644
--- a/packages/ti_threatq/manifest.yml
+++ b/packages/ti_threatq/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_threatq
 title: ThreatQuotient
-version: "1.28.0"
+version: "1.28.1"
 description: Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent.
 type: integration
 format_version: "3.0.2"