ti_threatconnect: update pipeline to lowercase all hashes#17455
ti_threatconnect: update pipeline to lowercase all hashes#17455GShepherdTC wants to merge 7 commits intoelastic:mainfrom
Conversation
ReviewersBuildkite won't run for external contributors automatically; you need to add a comment:
NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details. |
efd6
changed the title
efd6
left a comment
efd6
left a comment
There was a problem hiding this comment.
Suggested commit message:
ti_threatconnect: lowercase all hash values in indicator processing
Hash values should be normalized to lowercase for consistent matching
and deduplication across threat intelligence sources.
though this probably needs expansion. I think we want to know what visualisation and saved search impacts this will have.
andrewkroh
left a comment
andrewkroh
left a comment
There was a problem hiding this comment.
I opened a ECS issue to advise using lowercase for the hashes.
While reviewing I noticed that ECS threat.indicator.file.size and threat.indicator.geo.location were present in the TC data but completely missing from the ECS mapping. Can you please map those as well to improve ECS coverage?
packages/ti_threatconnect/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
andrewkroh
added
Integration:ti_threatconnect
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
ti_threatconnect: lowercase all hash values in indicator processing Hash values should be normalized to lowercase for consistent matching and deduplication across threat intelligence sources. Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
4 participants
Proposed commit message
Updated pipeline to lowercase all hashes
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Run the pipeline test. I updated the response data to match.
Related issues
Screenshots
No changes to UI.