When threat.indicator.type is populated, there is an expectation in Kibana that the event will contain a particular field with the indicator value. For example, if the type is url, then the event should have a url.full field.

So perhaps when event.type == indicator && threat.indicator.type != null, we then verify that one of the fields associated with the threat.indicator.type value is populated. The expected fields are listed in: https://github.com/elastic/kibana/blob/33c18c72fa019430c6b73503dc3176e0136e3861/x-pack/solutions/security/plugins/threat_intelligence/server/utils/indicator_name.ts#L18-L53
This would help us be more consistent with our Threat Intelligence (TI) data. We might also want to codify this as part of ECS too.
Related:
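An added example (not code from this issue, Kibana or ECS) of the consistency check proposed above, written in Python. It assumes the indicator value fields sit under threat.indicator as in ECS, and the type-to-field mapping is an illustrative assumption: only the url -> url.full pairing comes from the issue text; the linked indicator_name.ts is the authoritative list. The event resolver accepts both nested and dotted-key documents.

```python
"""Verify that indicator events carry the field implied by threat.indicator.type.

Added example. EXPECTED_FIELDS is an assumed mapping for illustration; only the
"url" entry is taken from the issue text, the rest are placeholders.
"""
from typing import Any

# Assumed mapping: threat.indicator.type value -> candidate fields relative to
# threat.indicator that should hold the indicator value (illustrative only).
EXPECTED_FIELDS: dict[str, tuple[str, ...]] = {
    "url": ("url.full",),                                             # from the issue
    "ipv4-addr": ("ip",),                                             # assumed
    "domain-name": ("url.domain",),                                   # assumed
    "file": ("file.hash.sha256", "file.hash.sha1", "file.hash.md5"),  # assumed
}


def get_path(doc: dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS path against a document that may be nested
    ({"threat": {"indicator": {...}}}), flattened ("threat.indicator.type"),
    or a mix of both. Returns None when the path does not resolve."""
    parts = path.split(".")
    for i in range(len(parts), 0, -1):          # try longest dotted key first
        key = ".".join(parts[:i])
        if key not in doc:
            continue
        value = doc[key]
        if i == len(parts):
            return value
        if isinstance(value, dict):
            found = get_path(value, ".".join(parts[i:]))
            if found is not None:
                return found
    return None


def check_indicator(event: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the event is consistent."""
    event_type = get_path(event, "event.type")
    types = event_type if isinstance(event_type, list) else [event_type]
    if "indicator" not in types:
        return []                                # rule only applies to indicator events
    itype = get_path(event, "threat.indicator.type")
    if itype is None:
        return []                                # nothing to cross-check
    expected = EXPECTED_FIELDS.get(itype)
    if expected is None:
        return [f"unknown threat.indicator.type {itype!r}"]
    if any(get_path(event, f"threat.indicator.{f}") not in (None, "", []) for f in expected):
        return []
    return [f"threat.indicator.type {itype!r} set but none of "
            + ", ".join(f"threat.indicator.{f}" for f in expected) + " is populated"]
```

Constructed events such as `{"event.type": "indicator", "threat.indicator.type": "url", "threat.indicator.url": {"domain": "example.test"}}` are flagged, while the same event with url.full present passes.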