Add integration for Recorded Future threat intel #2757
Conversation
|
Note to reviewers. I have a few doubts:
|
adriansr
added
Integration:ti_util
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
| @@ -0,0 +1,29 @@ | |||
| name: ti_recordedfuture | |||
| title: Recorded Future | |||
| version: 0.1.0 | |||
There was a problem hiding this comment.
I think this is the right choice FWIW. If it were experimental I'd say 0.0.1, though with semver<1.0.0 the semantics are essentially free.
| @@ -0,0 +1,852 @@ | |||
| { | |||
| "expected": [ | |||
| null, | |||
There was a problem hiding this comment.
Is this null expected? (also in some other inputs below: test-hash-default.log-expected.json, test-ip-default.log-expected.json and test-url-default.log-expected.json).
There was a problem hiding this comment.
I assume the null is for the header line and that line is dropped.
There was a problem hiding this comment.
That's right, is the header line. This only happens with CSV input from file.
|
|
||
| Alternatively, it's also possible to use the integration to fetch custom Fusion files | ||
| by supplying the URL to the CSV file as the _Custom_ _URL_ configuration option. | ||
|
|
There was a problem hiding this comment.
Are there any links you can add to publicly available Recorded Future docs about the API or schema?
There was a problem hiding this comment.
Unfortunately the API docs now require signing up to RecordedFuture's support portal.
https://support.recordedfuture.com/hc/en-us/articles/115000897248
| @@ -0,0 +1,852 @@ | |||
| { | |||
| "expected": [ | |||
| null, | |||
There was a problem hiding this comment.
I assume the null is for the header line and that line is dropped.
| field: threat.feed.name | ||
| value: "Recorded Future" | ||
| # | ||
| # TODO: Add dashboard |
There was a problem hiding this comment.
What's the plan for addressing this TODO? Separate PR?
And given that there is a commented out constant_keyword version with a static value in the fields.yml, do we need this one at all?
There was a problem hiding this comment.
The commented values could be moved to base-fields.yml, similar to how the other TI packages does it, but they should not be added before the dashboards as they are required, else it will break UI components
There was a problem hiding this comment.
So for now we can leave as is and then add the dashboard in a follow up PR, is that ok?
| - event.dataset | ||
| - threat.indicator.type | ||
| - json.Name | ||
| target_field: "_id" |
There was a problem hiding this comment.
Do we expect to receive updates for the data and discard it due to the append only nature of data streams? I just want to understand the expected behavior and maybe document it in the pipeline comments.
There was a problem hiding this comment.
I think mostly all the TI sources has it, before it was for appending indeed, but there are scenarios which could result in duplicates, so it's just to make sure values are not stored twice.
There was a problem hiding this comment.
Yeah this seems useless in data streams, unless the Kibana alerting side somehow uses the ID to deduplicate.
Otherwise the fingerprint processor calculating `id` field doesn't have access to this constant_keyword field as it is not yet set in the document.
Otherwise the fingerprint processor calculating `id` field doesn't have access to this constant_keyword field as it is not yet set in the document.
andrewkroh
added
Integration:ti_recordedfuture
What does this PR do?
Adds a new integration to collect threat indicators from Recorded Future.
This supersedes the existing (recalled) Filebeat integration.
Checklist
changelog.ymlfile.Author's Checklist
0.1.0) andbetatag.See comment below.
Related issues
Screenshots