[TI_RecordedFuture] Support IoC expiration #5459

kcreddy · 2023-03-07T09:07:11Z

In order to support IoC expiration for Recorded Future, following need to be added to the package:

Path forward:

The current source indices should contain all IoC ingesting every interval. In other words, we need to maintain duplicate IoCs inside source indices. This needs removal of current fingerprint processor
Create Latest Elastic Transforms, from source to destination indices.
- Destination indices should only contain latest IoCs since the last time the transform ran and they are created using latest transform i.e, unique key with combination of fields event.dataset, threat.indicator.type, and Name
- Transform also needs to define a retention policy for it to delete old IoCs.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2023-03-07T09:07:15Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

elasticmachine · 2023-05-15T09:13:28Z

Package ti_recordedfuture - 1.9.0 containing this change is available at https://epr.elastic.co/search?package=ti_recordedfuture

kcreddy added enhancement New feature or request Team:Security-External Integrations Integration:ti_recordedfuture Recorded Future labels Mar 7, 2023

kcreddy self-assigned this Mar 7, 2023

kcreddy mentioned this issue Mar 7, 2023

[TI_RecordedFuture] Support IoC expiration #5460

Merged

4 tasks

kcreddy closed this as completed in #5460 May 15, 2023

Provide feedback