Skip to content

[TI ThreatQ] Add IOC expiration support#8691

Merged
kcreddy merged 6 commits intoelastic:mainfrom
kcreddy:threat_ioc
Dec 20, 2023
Merged

[TI ThreatQ] Add IOC expiration support#8691
kcreddy merged 6 commits intoelastic:mainfrom
kcreddy:threat_ioc

Conversation

@kcreddy
Copy link
Copy Markdown
Contributor

@kcreddy kcreddy commented Dec 11, 2023
edited
Loading

Proposed commit message

Add IOC expiration support using status.name field in the API response. More details on the approach here

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

$ elastic-package stack down && elastic-package build && elastic-package stack up --version=8.11.0 -d -v --services=elasticsearch && eval "$(elastic-package stack shellinit)" && elastic-package test system --generate -v

--- Test results for package: ti_threatq - START ---
╭────────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE    │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├────────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ ti_threatq │ threat      │ system    │ default   │ PASS   │ 44.012234958s │
╰────────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: ti_threatq - END   ---
Done

$ elastic-package stack down && elastic-package build && elastic-package stack up --version=8.11.0 -d -v --services=elasticsearch && eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v

Run pipeline tests for the package
--- Test results for package: ti_threatq - START ---
╭────────────┬─────────────┬───────────┬─────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE    │ DATA STREAM │ TEST TYPE │ TEST NAME                           │ RESULT │ TIME ELAPSED │
├────────────┼─────────────┼───────────┼─────────────────────────────────────┼────────┼──────────────┤
│ ti_threatq │ threat      │ pipeline  │ test-threatq-no-preserve-ndjson.log │ PASS   │   6.207292ms │
│ ti_threatq │ threat      │ pipeline  │ test-threatq-sample-ndjson.log      │ PASS   │   8.625083ms │
╰────────────┴─────────────┴───────────┴─────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: ti_threatq - END   ---
Done

Related issues

Screenshots

Screenshot 2023-12-11 at 5 50 03 PM Screenshot 2023-12-11 at 5 49 42 PM Screenshot 2023-12-11 at 5 49 03 PM

@kcreddy kcreddy added enhancement New feature or request Integration:ti_threatq ThreatQuotient (Partner supported) labels Dec 11, 2023
@kcreddy kcreddy self-assigned this Dec 11, 2023
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Dec 11, 2023
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-12-19T08:57:13.217+0000

  • Duration: 17 min 14 sec

Test stats 🧪

Test Results
Failed 0
Passed 9
Skipped 0
Total 9

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Dec 12, 2023
edited
Loading

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (1/1) 💚
Files 100.0% (1/1) 💚 3.91
Classes 100.0% (1/1) 💚 3.91
Methods 90.909% (10/11) 👎 -1.264
Lines 49.66% (146/294) 👎 -38.952
Conditionals 100.0% (0/0) 💚

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Dec 12, 2023

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@kcreddy kcreddy marked this pull request as ready for review December 12, 2023 07:25
@kcreddy kcreddy requested a review from a team as a code owner December 12, 2023 07:25
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Dec 12, 2023

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6
efd6 reviewed Dec 19, 2023
View reviewed changes
@kcreddy kcreddy merged commit dc18667 into elastic:main Dec 20, 2023
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Dec 20, 2023

Package ti_threatq - 1.24.0 containing this change is available at https://epr.elastic.co/search?package=ti_threatq

v1v added a commit that referenced this pull request Dec 21, 2023
@v1v
Merge remote-tracking branch 'upstream/main' into v1v-patch-1
3e599b5 
* upstream/main: (117 commits)
  [TI MISP] Add IOC expiration support (#8639)
  Add CSPM Rules 6.2, 6.3 and 6.4 (#8778)
  [Infoblox NIOS] Update timestamp parsing logic (#8767)
  [Rapid7 InsightVM] Split vulnerability categories into array (#8768)
  [Exchange Online Message Trace] Add Additional Look-back Time & Fix Cursor Value (#8717)
  [Buildkite] Update bucket settings (#8765)
  Remove Jenkins .ci folder (#8766)
  First part of removal of Jenkins jobs (#8763)
  misp: parse URIs for URI type threats (#8760)
  [amazon_security_lake] Added support for all the OCSF Classes (#8579)
  [Buildkite] Update settings for integrations pipeline (#8758)
  [TI ThreatQ] Add IOC expiration support (#8691)
  [ti_opencti] Support OpenCTI 5.12 by removing filters parameter (#8744)
  [Cribl] Updating setup guidance for Cribl field (#8746)
  crowdstrike: add userinfo enrichment support and map fields to ECS (#8742)
  [etcd] Enable TSDB for metrics datastream (#8649)
  Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#8749)
  auditd: relax field_split pattern and handle AVC header (#8748)
  Update cloud packages codeowner (#8672)
  [O11Y] [AWS Billing] Convert "Total Estimated Charges" visualization to new metric (#8509)
  ...
qcorporation pushed a commit that referenced this pull request Feb 3, 2025
@v1v
Merge remote-tracking branch 'upstream/main' into v1v-patch-1
7a91099 
* upstream/main: (117 commits)
  [TI MISP] Add IOC expiration support (#8639)
  Add CSPM Rules 6.2, 6.3 and 6.4 (#8778)
  [Infoblox NIOS] Update timestamp parsing logic (#8767)
  [Rapid7 InsightVM] Split vulnerability categories into array (#8768)
  [Exchange Online Message Trace] Add Additional Look-back Time & Fix Cursor Value (#8717)
  [Buildkite] Update bucket settings (#8765)
  Remove Jenkins .ci folder (#8766)
  First part of removal of Jenkins jobs (#8763)
  misp: parse URIs for URI type threats (#8760)
  [amazon_security_lake] Added support for all the OCSF Classes (#8579)
  [Buildkite] Update settings for integrations pipeline (#8758)
  [TI ThreatQ] Add IOC expiration support (#8691)
  [ti_opencti] Support OpenCTI 5.12 by removing filters parameter (#8744)
  [Cribl] Updating setup guidance for Cribl field (#8746)
  crowdstrike: add userinfo enrichment support and map fields to ECS (#8742)
  [etcd] Enable TSDB for metrics datastream (#8649)
  Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#8749)
  auditd: relax field_split pattern and handle AVC header (#8748)
  Update cloud packages codeowner (#8672)
  [O11Y] [AWS Billing] Convert "Total Estimated Charges" visualization to new metric (#8509)
  ...
qcorporation pushed a commit that referenced this pull request Feb 4, 2025
@v1v
Merge remote-tracking branch 'upstream/main' into v1v-patch-1
2b2dec7 
* upstream/main: (117 commits)
  [TI MISP] Add IOC expiration support (#8639)
  Add CSPM Rules 6.2, 6.3 and 6.4 (#8778)
  [Infoblox NIOS] Update timestamp parsing logic (#8767)
  [Rapid7 InsightVM] Split vulnerability categories into array (#8768)
  [Exchange Online Message Trace] Add Additional Look-back Time & Fix Cursor Value (#8717)
  [Buildkite] Update bucket settings (#8765)
  Remove Jenkins .ci folder (#8766)
  First part of removal of Jenkins jobs (#8763)
  misp: parse URIs for URI type threats (#8760)
  [amazon_security_lake] Added support for all the OCSF Classes (#8579)
  [Buildkite] Update settings for integrations pipeline (#8758)
  [TI ThreatQ] Add IOC expiration support (#8691)
  [ti_opencti] Support OpenCTI 5.12 by removing filters parameter (#8744)
  [Cribl] Updating setup guidance for Cribl field (#8746)
  crowdstrike: add userinfo enrichment support and map fields to ECS (#8742)
  [etcd] Enable TSDB for metrics datastream (#8649)
  Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#8749)
  auditd: relax field_split pattern and handle AVC header (#8748)
  Update cloud packages codeowner (#8672)
  [O11Y] [AWS Billing] Convert "Total Estimated Charges" visualization to new metric (#8509)
  ...
@kcreddy kcreddy deleted the threat_ioc branch February 7, 2025 09:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 efd6 approved these changes

Assignees

@kcreddy kcreddy

Labels

enhancement New feature or request Integration:ti_threatq ThreatQuotient (Partner supported)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[TI_THREATQ] Add support for IOC expiration

3 participants

@kcreddy @elasticmachine @efd6