x-pack/filebeat/module/threatintel/misp: add support for secondary object attribute handling #28124
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
This pull request does not have a backport label. Could you fix it @efd6? 🙏
deb2d0f to 7ef42bf
💚 Build Succeeded
7ef42bf to 97dbdba
This pull request is now in conflicts. Could you fix it? 🙏
3049e73 to 80a8b30
/test
This pull request is now in conflicts. Could you fix it? 🙏
…ject attribute handling Co-authored-by: Marius Iversen <[email protected]>
f2b013f to 686dfe5
PTAL
63ff6ab to 32fae9e
/test
Feel free to merge once you have done your last changes and CI passes.
…ject attribute handling (#28124) Co-authored-by: Marius Iversen <[email protected]> (cherry picked from commit 22d1742) # Conflicts: # x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json
…upport for secondary object attribute handling (#28305) * x-pack/filebeat/module/threatintel/misp: add support for secondary object attribute handling (#28124) Co-authored-by: Marius Iversen <[email protected]> (cherry picked from commit 22d1742) # Conflicts: # x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json * Fix merge conflict Co-authored-by: Dan Kortschak <[email protected]> Co-authored-by: Dan Kortschak <[email protected]>
…ject attribute handling (elastic#28124) Co-authored-by: Marius Iversen <[email protected]>
What does this PR do?
This change adds support for ingestion of secondary Object list Attribute data and more reliably handles cases where the primary Attribute data is missing. It does not currently promote attributes in the Object lists and drops some data from Objects (I have retained the same fields that are kept in the primary Attributes list).
Naming of the Object data is open for bikeshedding.
Why is it important?
This addresses a user issue (#26008), allowing indexing of Object lists in ThreatIntel MISP data.
Checklist
- [ ] I have made corresponding change to the default configuration files
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
Author's Checklist
How to test this PR locally
Standard testing.
Related issues
Use cases
See related issue.
Screenshots
N/A
Logs
N/A
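To make the shape of the data concrete, here is an added example (not the module's implementation and not code from this PR) that flattens a MISP event into one record per attribute, covering both the primary Attribute list and the Attribute lists nested under Object, and tolerating an event with no primary Attribute key. The names `Flatten`, `objectOnly`, the `Object` tag field and the choice of retained fields are assumptions made for the illustration; the sample event is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Attribute keeps a few MISP attribute fields (the selection is an assumption).
// Object is not a MISP field: Flatten sets it to the parent object's name.
type Attribute struct {
	Type     string `json:"type"`
	Value    string `json:"value"`
	Relation string `json:"object_relation"`
	Object   string `json:"-"`
}

// Event mirrors MISP JSON: a primary Attribute list plus Objects with their own.
type Event struct {
	Attribute []Attribute `json:"Attribute"`
	Object    []struct {
		Name      string      `json:"name"`
		Attribute []Attribute `json:"Attribute"`
	} `json:"Object"`
}

// Flatten returns the primary attributes followed by every object attribute.
func Flatten(raw []byte) ([]Attribute, error) {
	var doc struct{ Event Event }
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	out := append([]Attribute(nil), doc.Event.Attribute...) // absent key: nothing to copy
	for _, o := range doc.Event.Object {
		for _, a := range o.Attribute {
			a.Object = o.Name // tag with the parent object instead of treating it as primary
			out = append(out, a)
		}
	}
	return out, nil
}

// Constructed sample: an event with no primary Attribute key at all.
const objectOnly = `{"Event":{"id":"1","Object":[{"name":"domain-ip","Attribute":[
 {"type":"domain","value":"example.com","object_relation":"domain"},
 {"type":"ip-dst","value":"192.0.2.10","object_relation":"ip"}]}]}}`

func main() { fmt.Println(Flatten([]byte(objectOnly))) }
```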