ti_opencti: fix pipeline errors due to access method from a null reference (#16129)

chemamartinez · web-flow · commit b34c073e1157 · 2025-11-28T07:49:47.000+01:00
Pipeline tests were failing with the error:
"cannot access method/field [add] from a null def reference".

This failure was caused by script processors calling .add()
on fields whose parent object (threat.indicator) could be null.

The fix updates the ingest pipeline scripts to safely initialize
ctx.threat, ctx.threat.indicator, and the target array field before adding elements.
diff --git a/packages/ti_opencti/changelog.yml b/packages/ti_opencti/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.10.1"
+  changes:
+    - description: Fix null reference errors in ingest pipelines.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/16129
 - version: "2.10.0"
   changes:
     - description: Add comprehensive filtering support for indicators including pattern types, confidence levels, labels, dates, authors, creators, and marking definitions.
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_artifact.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_artifact.yml
@@ -48,13 +48,13 @@ processors:
       ignore_empty_value: true
 
   # append object
-  - append:
-      field: threat.indicator.file
-      value: []
   - script:
       description: Append to the destination
       lang: painless
       source: |
+        ctx.threat = ctx.threat ?: [:];
+        ctx.threat.indicator = ctx.threat.indicator ?: [:];
+        ctx.threat.indicator.file = ctx.threat.indicator.file ?: [];
         ctx.threat.indicator.file.add(ctx._tmp_file);
 
   - remove:
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_autonomous_system.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_autonomous_system.yml
@@ -11,13 +11,13 @@ processors:
       value: "{{{_ingest._value.name}}}"
 
   # append object
-  - append:
-      field: threat.indicator.as
-      value: []
   - script:
       description: Append to the destination
       lang: painless
       source: |
+        ctx.threat = ctx.threat ?: [:];
+        ctx.threat.indicator = ctx.threat.indicator ?: [:];
+        ctx.threat.indicator.as = ctx.threat.indicator.as ?: [];
         ctx.threat.indicator.as.add(ctx._tmp_as);
 
   - remove:
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_directory.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_directory.yml
@@ -28,13 +28,13 @@ processors:
       ignore_empty_value: true
 
   # append object
-  - append:
-      field: threat.indicator.file
-      value: []
   - script:
       description: Append to the destination
       lang: painless
       source: |
+        ctx.threat = ctx.threat ?: [:];
+        ctx.threat.indicator = ctx.threat.indicator ?: [:];
+        ctx.threat.indicator.file = ctx.threat.indicator.file ?: [];
         ctx.threat.indicator.file.add(ctx._tmp_file);
 
   - remove:
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_domain_name_or_hostname.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_domain_name_or_hostname.yml
@@ -12,13 +12,13 @@ processors:
       ignore_missing: true
 
   # append object
-  - append:
-      field: threat.indicator.url
-      value: []
   - script:
       description: Append to the destination
       lang: painless
       source: |
+        ctx.threat = ctx.threat ?: [:];
+        ctx.threat.indicator = ctx.threat.indicator ?: [:];
+        ctx.threat.indicator.url = ctx.threat.indicator.url ?: [];
         ctx.threat.indicator.url.add(ctx._tmp_url);
 
   - remove:
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_file.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_file.yml
@@ -91,13 +91,13 @@ processors:
       ignore_empty_value: true
 
   # append object
-  - append:
-      field: threat.indicator.file
-      value: []
   - script:
       description: Append to the destination
       lang: painless
       source: |
+        ctx.threat = ctx.threat ?: [:];
+        ctx.threat.indicator = ctx.threat.indicator ?: [:];
+        ctx.threat.indicator.file = ctx.threat.indicator.file ?: [];
         ctx.threat.indicator.file.add(ctx._tmp_file);
 
   - remove:
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_url_field.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_url_field.yml
@@ -26,13 +26,13 @@ processors:
       copy_from: _tmp_url.original
 
   # append object
-  - append:
-      field: threat.indicator.url
-      value: []
   - script:
       description: Append to the destination
       lang: painless
       source: |
+        ctx.threat = ctx.threat ?: [:];
+        ctx.threat.indicator = ctx.threat.indicator ?: [:];
+        ctx.threat.indicator.url = ctx.threat.indicator.url ?: [];
         ctx.threat.indicator.url.add(ctx._tmp_url);
 
   - remove:
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_windows_registry_key.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_windows_registry_key.yml
@@ -24,13 +24,13 @@ processors:
       if: ctx._tmp_registry?.hive != null
 
   # append object
-  - append:
-      field: threat.indicator.registry
-      value: []
   - script:
       description: Append to the destination
       lang: painless
       source: |
+        ctx.threat = ctx.threat ?: [:];
+        ctx.threat.indicator = ctx.threat.indicator ?: [:];
+        ctx.threat.indicator.registry = ctx.threat.indicator.registry ?: [];
         ctx.threat.indicator.registry.add(ctx._tmp_registry);
 
   - remove:
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_windows_registry_value_type.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_windows_registry_value_type.yml
@@ -15,13 +15,13 @@ processors:
       value: "{{{_ingest._value.data}}}"
 
   # append object
-  - append:
-      field: threat.indicator.registry
-      value: []
   - script:
       description: Append to the destination
       lang: painless
       source: |
+        ctx.threat = ctx.threat ?: [:];
+        ctx.threat.indicator = ctx.threat.indicator ?: [:];
+        ctx.threat.indicator.registry = ctx.threat.indicator.registry ?: [];
         ctx.threat.indicator.registry.add(ctx._tmp_registry);
 
   - remove:
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_x509_certificate.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/ecs_from_x509_certificate.yml
@@ -43,13 +43,13 @@ processors:
       value: "{{{_ingest._value.version}}}"
 
   # append object
-  - append:
-      field: threat.indicator.x509
-      value: []
   - script:
       description: Append to the destination
       lang: painless
       source: |
+        ctx.threat = ctx.threat ?: [:];
+        ctx.threat.indicator = ctx.threat.indicator ?: [:];
+        ctx.threat.indicator.x509 = ctx.threat.indicator.x509 ?: [];
         ctx.threat.indicator.x509.add(ctx._tmp_x509);
 
   - remove:
diff --git a/packages/ti_opencti/manifest.yml b/packages/ti_opencti/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.4.0"
 name: ti_opencti
 title: OpenCTI
-version: "2.10.0"
+version: "2.10.1"
 description: "Ingest threat intelligence indicators from OpenCTI with Elastic Agent."
 type: integration
 source:
