From 7810d023895db95dc605674d8a9ff6a70ae9fdcb Mon Sep 17 00:00:00 2001
From: Seth Grover <seth.d.grover@gmail.com>
Date: Fri, 8 Nov 2024 08:39:28 -0700
Subject: [PATCH] work in progress for mandiant threat intel integration,
 cisagov/Malcolm#358

---
 shared/bin/zeek_threat_feed_utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/bin/zeek_threat_feed_utils.py b/shared/bin/zeek_threat_feed_utils.py
index 07165c51a..5ab872066 100644
--- a/shared/bin/zeek_threat_feed_utils.py
+++ b/shared/bin/zeek_threat_feed_utils.py
@@ -311,7 +311,7 @@ def map_mandiant_indicator_to_zeek(
             for hashish in hashes:
                 if hashVal := hashish.get('value', None):
                     tmpItem = copy.deepcopy(zeekItem)
-                    tmpItem[ZEEK_INTEL_INDICATOR] = hashish
+                    tmpItem[ZEEK_INTEL_INDICATOR] = hashVal
                     if newId := hashish.get('id', None):
                         tmpItem[ZEEK_INTEL_META_URL] = f'https://advantage.mandiant.com/indicator/{newId}'
                     results.append(tmpItem)