[Google Threat Intelligence]: Mapping conflicts with latest Transform indices

[akfav]

Integration Name

Google Threat Intelligence [ti_google_threat_intelligence]

Dataset Name

No response

Integration Version

0.6.0

Agent Version

9.1.3

Agent Output Type

elasticsearch

Elasticsearch Version

9.1.3

OS Version and Architecture

Red Hat Enterprise Linux 9.6 (Plow)

Software/API Version

No response

Error Message

Error while parsing document for index [logs-ti_google_threat_intelligence_latest.dest_file_ioc-1]: [1:1061] failed to parse field [data_stream.dataset] of type [constant_keyword] in document with id 'dDCEBV6A2eN_bjy9XeZDTUBTAAAAAAAA'. Preview of field's value: 'ti_google_threat_intelligence.cryptominer'

Error while parsing document for index [logs-ti_google_threat_intelligence_latest.dest_domain_ioc-1]: [1:944] failed to parse field [data_stream.dataset] of type [constant_keyword] in document with id 'dDBA7W4uhtWQgwLQ0gIwJQILAAAAAAAA'. Preview of field's value: 'ti_google_threat_intelligence.infostealer'

Error while parsing document for index [logs-ti_google_threat_intelligence_latest.dest_url_ioc-1]: [1:1214] failed to parse field [data_stream.dataset] of type [constant_keyword] in document with id 'dDCXNHbfpp6HlG5zefXxCBlIAAAAAAAA'. Preview of field's value: 'ti_google_threat_intelligence.first_stage_delivery_vectors'

Event Original

No response

What did you do?

What did you see?

Data was dropped due to the mapping conflict.

What did you expect to see?

Data to be ingested successfully.

Anything else?

We have observed the mapping errors with the following transforms/ associated indices:

• transform: logs-ti_google_threat_intelligence.domain_ioc-default-0.6.0
  • index: logs-ti_google_threat_intelligence_latest.dest_domain_ioc-1
• transform: logs-ti_google_threat_intelligence.file_ioc-default-0.6.0
  • index: logs-ti_google_threat_intelligence_latest.dest_file_ioc-1
• transform: logs-ti_google_threat_intelligence.url_ioc-default-0.6.0
  • index: logs-ti_google_threat_intelligence_latest.dest_url_ioc-1
• transform: logs-ti_google_threat_intelligence.ip_ioc-default-0.6.0
  • index: logs-ti_google_threat_intelligence_latest.dest_ip_ioc-1

For example the logs-ti_google_threat_intelligence_latest.dest_file_ioc-1 index can contain multiple data stream data sets such as:

• ti_google_threat_intelligence.ransomware
• ti_google_threat_intelligence.cryptominer

Checking the mapping for logs-ti_google_threat_intelligence_latest.dest_file_ioc-1 shows that the data_stream.dataset is populated with a constant_keyword of ti_google_threat_intelligence.ransomware:

However the related error message shows a document with the data_stream.dataset attempting to be ingested with ti_google_threat_intelligence.cryptominer. This prevents more than one data set from being ingested into the latest index.

Error while parsing document for index [logs-ti_google_threat_intelligence_latest.dest_file_ioc-1]: [1:1061] failed to parse field [data_stream.dataset] of type [constant_keyword] in document with id 'dDCEBV6A2eN_bjy9XeZDTUBTAAAAAAAA'. Preview of field's value: 'ti_google_threat_intelligence.cryptominer'

[kcreddy]

@akfav, can you share your transform definition? This is to confirm if a destination pipeline is applied to each of these transforms as noted in these steps: https://github.com/elastic/integrations/tree/main/packages/ti_google_threat_intelligence#steps-to-enable-transforms

---

For example the logs-ti_google_threat_intelligence_latest.dest_file_ioc-1 index can contain multiple data stream data sets such as:

• ti_google_threat_intelligence.ransomware
• ti_google_threat_intelligence.cryptominer

@niraj-crest, PTAL. This issue seems to be existed since the initial release as the field mapping in the destination index remains untouched since then: https://github.com/elastic/integrations/blob/main/packages/ti_google_threat_intelligence/elasticsearch/transform/domain_ioc/fields/base-fields.yml#L4-L6

If multiple values are possible within each of these destination indices, then we could change the mapping to keyword (which is not a breaking change as they belong to the same keyword family).
Also, please check the same for event.dataset if it can contain multiple values.

cc: @piyush-elastic

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[akfav]

@kcreddy thanks for the additional info here, it looks like it is a mistake on my end for not configuring the associated ingest pipelines on the Transforms.

Checking the ingest pipelines they do have processors to set data_stream.dataset to a more generic label to prevent this exact issue:

integrations/packages/ti_google_threat_intelligence/elasticsearch/ingest_pipeline/ti_google_threat_intelligence-latest_domain_ioc-transform-pipeline.yml

Line 87 in 8df94e9

value: ti_google_threat_intelligence.domain_ioc

Checking the ECS reference for data_stream.dataset it is intended to be a constant_keyword.

Some follow up questions/feedback:

• Is it possible to have the ingest pipeline automatically pre-configured in the Transform? Both the ingest pipeline and Transforms have versioning prefix or suffix. This seems like a better UX flow and would have helped prevent this issue.
• The step you mentioned does specify that each corresponding Transform has an ingest pipeline, however the table references two Transform though there are ten in total.
• When you go to edit the Transform in Kibana the flyout has a warning against performing edits which makes this process slightly confusing:

[kcreddy]

@akfav , thanks for confirming it is working as expected after adding the ingest pipelines.

---

Answering your questions:

Is it possible to have the ingest pipeline automatically pre-configured in the Transform? Both the ingest pipeline and Transforms have versioning prefix or suffix. This seems like a better UX flow and would have helped prevent this issue.

Yes, we have elastic/package-spec#833 for adding that support. Once this is done, we will add the pipeline to the transform definition and also update the integration documentation to remove editing transform manually.

The step you mentioned does specify that each corresponding Transform has an ingest pipeline, however the table references two Transform though there are ten in total.

The two transforms that you mentioned, namely logs-ti_google_threat_intelligence.rule and logs-ti_google_threat_intelligence.rule_ioc_st serve a different purpose i.e., to enrich a generated alert triggered by the detection rule.
The transforms in question are much above in the documentation: https://github.com/elastic/integrations/tree/main/packages/ti_google_threat_intelligence#transforming-data-for-up-to-date-insights. There are total of 8 transforms, two each for ip, domain, file, and url.
The documentation states there are four, which needs to be updated. cc: @niraj-crest

When you go to edit the Transform in Kibana the flyout has a warning against performing edits which makes this process slightly confusing:

This happens because all of the assets are managed by Fleet and is generic warning for editing anything managed. We could update documentation to suggest users to ignore this warning and proceed editing the transform. cc: @niraj-crest
Note: This is only until elastic/package-spec#833 is implemented, and after which we will re-write documentation reducing the manual editing of transforms.

[akfav]

@kcreddy thanks for clarifying, it sounds elastic/package-spec#833 will address everything here. I haven't added the pipelines yet as I will still have the issue since the constant_keyword is already set. I will likely perform an update by query or delete the affected indices first.

[akfav]

I ended up deleting the "latest" indices since you cannot update a constant_keyword field after its already been set. Next I updated each Transform with its associated ingest pipeline. After that the mapping issues cleared up.

[kcreddy]

I ended up deleting the "latest" indices since you cannot update a constant_keyword field after its already been set. Next I updated each Transform with its associated ingest pipeline. After that the mapping issues cleared up.

Thanks for the confirmation @akfav. Once elastic/package-spec#833 is implemented, this issue shouldn't happen.