[TIP] Improve safety check on painless script and fix wrong indicator fields (#144651)
This commit is contained in:
parent
9958e6efd5
commit
9426f4980d
14 changed files with 1832 additions and 114 deletions
|
@ -32,13 +32,12 @@ export enum RawIndicatorFieldId {
|
|||
FileSha3512 = 'threat.indicator.file.hash.sha3-512',
|
||||
FileSha512224 = 'threat.indicator.file.hash.sha512/224',
|
||||
FileSha512256 = 'threat.indicator.file.hash.sha512/256',
|
||||
FileSSDeep = 'threat.indicator.file.ssdeep',
|
||||
FileTlsh = 'threat.indicator.file.tlsh',
|
||||
FileImpfuzzy = 'threat.indicator.file.impfuzzy',
|
||||
FileImphash = 'threat.indicator.file.imphash',
|
||||
FilePehash = 'threat.indicator.file.pehash',
|
||||
FileVhash = 'threat.indicator.file.vhash',
|
||||
FileTelfhash = 'threat.indicator.file.elf.telfhash',
|
||||
FileSSDeep = 'threat.indicator.file.hash.ssdeep',
|
||||
FileTlsh = 'threat.indicator.file.hash.tlsh',
|
||||
FileImpfuzzy = 'threat.indicator.file.hash.impfuzzy',
|
||||
FileImphash = 'threat.indicator.file.hash.imphash',
|
||||
FilePehash = 'threat.indicator.file.hash.pehash',
|
||||
FileVhash = 'threat.indicator.file.hash.vhash',
|
||||
X509Serial = 'threat.indicator.x509.serial_number',
|
||||
WindowsRegistryKey = 'threat.indicator.registry.key',
|
||||
WindowsRegistryPath = 'threat.indicator.registry.path',
|
||||
|
@ -56,12 +55,24 @@ export enum RawIndicatorFieldId {
|
|||
* (reverse of https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/common/cti/constants.ts#L35)
|
||||
*/
|
||||
export const IndicatorFieldEventEnrichmentMap: { [id: string]: string[] } = {
|
||||
[RawIndicatorFieldId.FileSha256]: ['file.hash.sha256'],
|
||||
[RawIndicatorFieldId.FileMd5]: ['file.hash.md5'],
|
||||
[RawIndicatorFieldId.FileSha1]: ['file.hash.sha1'],
|
||||
[RawIndicatorFieldId.FileSha256]: ['file.hash.sha256'],
|
||||
[RawIndicatorFieldId.FileImphash]: ['file.pe.imphash'],
|
||||
[RawIndicatorFieldId.FileTelfhash]: ['file.elf.telfhash'],
|
||||
[RawIndicatorFieldId.FileSha224]: ['file.hash.sha224'],
|
||||
[RawIndicatorFieldId.FileSha3224]: ['file.hash.sha3-224'],
|
||||
[RawIndicatorFieldId.FileSha3256]: ['file.hash.sha3-256'],
|
||||
[RawIndicatorFieldId.FileSha384]: ['file.hash.sha384'],
|
||||
[RawIndicatorFieldId.FileSha3384]: ['file.hash.sha3-384'],
|
||||
[RawIndicatorFieldId.FileSha512]: ['file.hash.sha512'],
|
||||
[RawIndicatorFieldId.FileSha3512]: ['file.hash.sha3-512'],
|
||||
[RawIndicatorFieldId.FileSha512224]: ['file.hash.sha512/224'],
|
||||
[RawIndicatorFieldId.FileSha512256]: ['file.hash.sha512/256'],
|
||||
[RawIndicatorFieldId.FileSSDeep]: ['file.hash.ssdeep'],
|
||||
[RawIndicatorFieldId.FileTlsh]: ['file.hash.tlsh'],
|
||||
[RawIndicatorFieldId.FileImpfuzzy]: ['file.hash.impfuzzy'],
|
||||
[RawIndicatorFieldId.FileImphash]: ['file.hash.imphash'],
|
||||
[RawIndicatorFieldId.FilePehash]: ['file.hash.pehash'],
|
||||
[RawIndicatorFieldId.FileVhash]: ['file.hash.vhash'],
|
||||
[RawIndicatorFieldId.Ip]: ['source.ip', 'destination.ip'],
|
||||
[RawIndicatorFieldId.UrlFull]: ['url.full'],
|
||||
[RawIndicatorFieldId.WindowsRegistryPath]: ['registry.path'],
|
||||
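Review bot: The enrichment map now points `FileImphash` at `file.hash.imphash` and carries no telfhash entry at all, while the lines that appear to be the removed side show the event-side fields were `file.pe.imphash` and `file.elf.telfhash`; the doc comment says this map is the reverse of the security_solution cti constants, so if that file (or the ECS-shaped events being enriched) still places these hashes under `file.pe.*` / `file.elf.*`, the new key will silently match nothing and those indicators stop enriching events. Please confirm the counterpart mapping was changed in the same commit, or keep `[RawIndicatorFieldId.FileImphash]: ['file.pe.imphash']` next to the new entry until it is. Separately, typing the map as `Partial<Record<RawIndicatorFieldId, string[]>>` instead of `{ [id: string]: string[] }` lets the compiler flag a mistyped or removed enum member, which would have surfaced the dropped `FileTelfhash` pairing. Both the enum and the map continue outside the shown hunks.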
|
|
|
@ -6,30 +6,33 @@
|
|||
*/
|
||||
|
||||
import {
|
||||
BREADCRUMBS,
|
||||
DEFAULT_LAYOUT_TITLE,
|
||||
EMPTY_STATE,
|
||||
ENDING_BREADCRUMB,
|
||||
FIELD_BROWSER,
|
||||
FIELD_BROWSER_MODAL,
|
||||
FIELD_SELECTOR,
|
||||
FIELD_SELECTOR_INPUT,
|
||||
FIELD_SELECTOR_LIST,
|
||||
FIELD_SELECTOR_TOGGLE_BUTTON,
|
||||
FILTERS_GLOBAL_CONTAINER,
|
||||
FLYOUT_JSON,
|
||||
FLYOUT_TABLE,
|
||||
FLYOUT_TABS,
|
||||
FLYOUT_TITLE,
|
||||
INDICATORS_TABLE,
|
||||
TOGGLE_FLYOUT_BUTTON,
|
||||
FILTERS_GLOBAL_CONTAINER,
|
||||
TIME_RANGE_PICKER,
|
||||
QUERY_INPUT,
|
||||
TABLE_CONTROLS,
|
||||
INDICATOR_TYPE_CELL,
|
||||
EMPTY_STATE,
|
||||
FIELD_SELECTOR,
|
||||
BREADCRUMBS,
|
||||
LEADING_BREADCRUMB,
|
||||
ENDING_BREADCRUMB,
|
||||
FIELD_BROWSER,
|
||||
FIELD_BROWSER_MODAL,
|
||||
FIELD_SELECTOR_TOGGLE_BUTTON,
|
||||
FIELD_SELECTOR_INPUT,
|
||||
FIELD_SELECTOR_LIST,
|
||||
INDICATORS_TABLE,
|
||||
INDICATORS_TABLE_INDICATOR_NAME_CELL,
|
||||
INDICATORS_TABLE_INVESTIGATE_IN_TIMELINE_BUTTON_ICON,
|
||||
INDICATORS_TABLE_ROW_CELL,
|
||||
INSPECTOR_BUTTON,
|
||||
INSPECTOR_PANEL,
|
||||
LEADING_BREADCRUMB,
|
||||
QUERY_INPUT,
|
||||
TABLE_CONTROLS,
|
||||
TIME_RANGE_PICKER,
|
||||
TOGGLE_FLYOUT_BUTTON,
|
||||
} from '../screens/indicators';
|
||||
import { login } from '../tasks/login';
|
||||
import { esArchiverLoad, esArchiverUnload } from '../tasks/es_archiver';
|
||||
|
@ -44,12 +47,87 @@ const THREAT_INTELLIGENCE = '/app/security/threat_intelligence/indicators';
|
|||
const URL_WITH_CONTRADICTORY_FILTERS =
|
||||
'/app/security/threat_intelligence/indicators?indicators=(filterQuery:(language:kuery,query:%27%27),filters:!((%27$state%27:(store:appState),meta:(alias:!n,disabled:!f,index:%27%27,key:threat.indicator.type,negate:!f,params:(query:file),type:phrase),query:(match_phrase:(threat.indicator.type:file))),(%27$state%27:(store:appState),meta:(alias:!n,disabled:!f,index:%27%27,key:threat.indicator.type,negate:!f,params:(query:url),type:phrase),query:(match_phrase:(threat.indicator.type:url)))),timeRange:(from:now/d,to:now/d))';
|
||||
|
||||
describe('Invalid Indicators', () => {
|
||||
describe('verify the grid loads even with missing fields', () => {
|
||||
before(() => {
|
||||
esArchiverLoad('threat_intelligence/invalid_indicators_data');
|
||||
|
||||
cy.visit(THREAT_INTELLIGENCE);
|
||||
selectRange();
|
||||
});
|
||||
after(() => {
|
||||
esArchiverUnload('threat_intelligence/invalid_indicators_data');
|
||||
});
|
||||
|
||||
it('should display data grid despite the missing fields', () => {
|
||||
cy.get(INDICATORS_TABLE).should('exist');
|
||||
|
||||
// there are 19 documents in the x-pack/test/threat_intelligence_cypress/es_archives/threat_intelligence/invalid_indicators_data/data.json
|
||||
const documentsNumber = 19;
|
||||
cy.get(INDICATORS_TABLE_ROW_CELL).should('have.length.gte', documentsNumber);
|
||||
|
||||
// the last document has no hash so the investigate in timeline button isn't rendered
|
||||
cy.get(INDICATORS_TABLE_INVESTIGATE_IN_TIMELINE_BUTTON_ICON).should(
|
||||
'have.length',
|
||||
documentsNumber - 1
|
||||
);
|
||||
|
||||
// we should have 19 documents plus the header
|
||||
cy.get(INDICATORS_TABLE_INDICATOR_NAME_CELL).should('have.length', documentsNumber + 1);
|
||||
|
||||
// the last entry has no hash to we show - in the Indicator Name column
|
||||
cy.get(INDICATORS_TABLE_INDICATOR_NAME_CELL).last().should('contain.text', '-');
|
||||
});
|
||||
});
|
||||
|
||||
describe('verify the grid loads even with missing mappings and missing fields', () => {
|
||||
before(() => {
|
||||
esArchiverLoad('threat_intelligence/missing_mappings_indicators_data');
|
||||
|
||||
cy.visit(THREAT_INTELLIGENCE);
|
||||
selectRange();
|
||||
});
|
||||
after(() => {
|
||||
esArchiverUnload('threat_intelligence/missing_mappings_indicators_data');
|
||||
});
|
||||
|
||||
it('should display data grid despite the missing mappings and missing fields', () => {
|
||||
cy.get(INDICATORS_TABLE).should('exist');
|
||||
|
||||
// there are 19 documents in the x-pack/test/threat_intelligence_cypress/es_archives/threat_intelligence/invalid_indicators_data/data.json
|
||||
const documentsNumber = 19;
|
||||
cy.get(INDICATORS_TABLE_ROW_CELL).should('have.length.gte', documentsNumber);
|
||||
|
||||
// the last document has no hash so the investigate in timeline button isn't rendered
|
||||
cy.get(INDICATORS_TABLE_INVESTIGATE_IN_TIMELINE_BUTTON_ICON).should(
|
||||
'have.length',
|
||||
documentsNumber - 1
|
||||
);
|
||||
|
||||
// we should have 19 documents plus the header
|
||||
cy.get(INDICATORS_TABLE_INDICATOR_NAME_CELL).should('have.length', documentsNumber + 1);
|
||||
|
||||
// the last entry has no hash to we show - in the Indicator Name column
|
||||
cy.get(INDICATORS_TABLE_INDICATOR_NAME_CELL).last().should('contain.text', '-');
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('Indicators', () => {
|
||||
before(() => {
|
||||
esArchiverLoad('threat_intelligence');
|
||||
esArchiverLoad('threat_intelligence/indicators_data');
|
||||
});
|
||||
after(() => {
|
||||
esArchiverUnload('threat_intelligence');
|
||||
esArchiverUnload('threat_intelligence/indicators_data');
|
||||
});
|
||||
|
||||
describe('Indicators page loading', () => {
|
||||
it('verify the fleet plugin integrations endpoint exists', () => {
|
||||
cy.request({
|
||||
method: 'GET',
|
||||
url: '/api/fleet/epm/packages',
|
||||
}).should((response) => expect(response.status).to.eq(200));
|
||||
});
|
||||
});
|
||||
|
||||
describe('Indicators page basics', () => {
|
||||
|
@ -185,9 +263,7 @@ describe('Indicators', () => {
|
|||
it('should render the inspector flyout', () => {
|
||||
cy.get(INSPECTOR_BUTTON).last().click({ force: true });
|
||||
|
||||
cy.get(INSPECTOR_PANEL).should('be.visible');
|
||||
|
||||
cy.get(INSPECTOR_PANEL).contains('Index patterns');
|
||||
cy.get(INSPECTOR_PANEL).contains('Indicators search requests');
|
||||
});
|
||||
});
|
||||
});
|
||||
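Review bot: The comment above `const documentsNumber = 19;` in the "missing mappings" test still names `invalid_indicators_data/data.json`, although that block loads `threat_intelligence/missing_mappings_indicators_data`, so the justification for the count points at the wrong fixture; it should read `// there are 19 documents in the x-pack/test/threat_intelligence_cypress/es_archives/threat_intelligence/missing_mappings_indicators_data/data.json` (and the count confirmed against that file). The two `it` bodies inside `describe('Invalid Indicators')` are line-for-line identical and would be better as one shared helper called from both tests, so the assertions cannot drift apart later. Both copies also carry the typo `no hash to we show -`, which should be `no hash so we show -`. Note that `should('have.length.gte', documentsNumber)` counts grid cells rather than rows, so it is satisfied by a single row with 19 columns and does not really prove all documents rendered — a row-scoped selector would make the check meaningful.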
|
|
|
@ -6,23 +6,23 @@
|
|||
*/
|
||||
|
||||
import {
|
||||
INDICATOR_TYPE_CELL,
|
||||
TOGGLE_FLYOUT_BUTTON,
|
||||
FLYOUT_CLOSE_BUTTON,
|
||||
KQL_FILTER,
|
||||
INDICATORS_TABLE_CELL_FILTER_IN_BUTTON,
|
||||
INDICATORS_TABLE_CELL_FILTER_OUT_BUTTON,
|
||||
FLYOUT_TABLE_TAB_ROW_FILTER_IN_BUTTON,
|
||||
FLYOUT_TABLE_TAB_ROW_FILTER_OUT_BUTTON,
|
||||
BARCHART_POPOVER_BUTTON,
|
||||
BARCHART_FILTER_IN_BUTTON,
|
||||
BARCHART_FILTER_OUT_BUTTON,
|
||||
BARCHART_POPOVER_BUTTON,
|
||||
FLYOUT_CLOSE_BUTTON,
|
||||
FLYOUT_OVERVIEW_TAB_BLOCKS_FILTER_IN_BUTTON,
|
||||
FLYOUT_OVERVIEW_TAB_BLOCKS_FILTER_OUT_BUTTON,
|
||||
FLYOUT_OVERVIEW_TAB_BLOCKS_ITEM,
|
||||
FLYOUT_OVERVIEW_TAB_TABLE_ROW_FILTER_IN_BUTTON,
|
||||
FLYOUT_OVERVIEW_TAB_TABLE_ROW_FILTER_OUT_BUTTON,
|
||||
FLYOUT_OVERVIEW_TAB_BLOCKS_ITEM,
|
||||
FLYOUT_TABLE_TAB_ROW_FILTER_IN_BUTTON,
|
||||
FLYOUT_TABLE_TAB_ROW_FILTER_OUT_BUTTON,
|
||||
FLYOUT_TABS,
|
||||
INDICATOR_TYPE_CELL,
|
||||
INDICATORS_TABLE_CELL_FILTER_IN_BUTTON,
|
||||
INDICATORS_TABLE_CELL_FILTER_OUT_BUTTON,
|
||||
KQL_FILTER,
|
||||
TOGGLE_FLYOUT_BUTTON,
|
||||
} from '../screens/indicators';
|
||||
import { selectRange } from '../tasks/select_range';
|
||||
import { login } from '../tasks/login';
|
||||
|
@ -36,10 +36,10 @@ const THREAT_INTELLIGENCE = '/app/security/threat_intelligence/indicators';
|
|||
|
||||
describe('Indicators', () => {
|
||||
before(() => {
|
||||
esArchiverLoad('threat_intelligence');
|
||||
esArchiverLoad('threat_intelligence/indicators_data');
|
||||
});
|
||||
after(() => {
|
||||
esArchiverUnload('threat_intelligence');
|
||||
esArchiverUnload('threat_intelligence/indicators_data');
|
||||
});
|
||||
|
||||
describe('Indicators query bar interaction', () => {
|
||||
|
|
|
@ -34,10 +34,10 @@ before(() => {
|
|||
|
||||
describe('Indicators', () => {
|
||||
before(() => {
|
||||
esArchiverLoad('threat_intelligence');
|
||||
esArchiverLoad('threat_intelligence/indicators_data');
|
||||
});
|
||||
after(() => {
|
||||
esArchiverUnload('threat_intelligence');
|
||||
esArchiverUnload('threat_intelligence/indicators_data');
|
||||
});
|
||||
|
||||
describe('Indicators timeline interactions', () => {
|
||||
|
|
|
@ -15,6 +15,10 @@ export const DEFAULT_LAYOUT_TITLE = `[data-test-subj="tiDefaultPageLayoutTitle"]
|
|||
|
||||
export const INDICATORS_TABLE = `[data-test-subj="tiIndicatorsTable"]`;
|
||||
|
||||
export const INDICATORS_TABLE_ROW_CELL = `[data-test-subj="dataGridRowCell"]`;
|
||||
|
||||
export const INDICATORS_TABLE_INDICATOR_NAME_CELL = `[data-gridcell-column-id="threat.indicator.name"]`;
|
||||
|
||||
export const TOGGLE_FLYOUT_BUTTON = `[data-test-subj="tiToggleIndicatorFlyoutButton"]`;
|
||||
|
||||
export const FLYOUT_CLOSE_BUTTON = `[data-test-subj="euiFlyoutCloseButton"]`;
|
||||
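Review bot: `INDICATORS_TABLE_ROW_CELL` selects `[data-test-subj="dataGridRowCell"]` anywhere on the page rather than inside the indicators table, unlike the `ti`-prefixed selectors around it, so a count built on it can include cells from any other EUI data grid rendered on the same view. Scoping the selector to the table — prefixing it with `INDICATORS_TABLE` and a descendant space in the template literal — keeps the assertion tied to this grid; the same applies to `INDICATORS_TABLE_INDICATOR_NAME_CELL`, which keys on `data-gridcell-column-id` and is equally unscoped.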
|
|
|
@ -11,47 +11,47 @@ describe('display name generation', () => {
|
|||
describe('threatIndicatorNamesScript()', () => {
|
||||
it('should generate a valid painless script', () => {
|
||||
expect(threatIndicatorNamesScript()).toMatchInlineSnapshot(`
|
||||
"if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv4-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit(doc['threat.indicator.ip'].value) } }
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv6-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit(doc['threat.indicator.ip'].value) } }
|
||||
"if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv4-addr') { if (doc.containsKey('threat.indicator.ip') && !doc['threat.indicator.ip'].empty && doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit(doc['threat.indicator.ip'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv6-addr') { if (doc.containsKey('threat.indicator.ip') && !doc['threat.indicator.ip'].empty && doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit(doc['threat.indicator.ip'].value) } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='file') { if (doc['threat.indicator.file.hash.sha256'].size()!=0 && doc['threat.indicator.file.hash.sha256'].value!=null) { return emit(doc['threat.indicator.file.hash.sha256'].value) }
|
||||
if (doc['threat.indicator.file.hash.md5'].size()!=0 && doc['threat.indicator.file.hash.md5'].value!=null) { return emit(doc['threat.indicator.file.hash.md5'].value) }
|
||||
if (doc['threat.indicator.file.hash.sha1'].size()!=0 && doc['threat.indicator.file.hash.sha1'].value!=null) { return emit(doc['threat.indicator.file.hash.sha1'].value) }
|
||||
if (doc['threat.indicator.file.hash.sha224'].size()!=0 && doc['threat.indicator.file.hash.sha224'].value!=null) { return emit(doc['threat.indicator.file.hash.sha224'].value) }
|
||||
if (doc['threat.indicator.file.hash.sha3-224'].size()!=0 && doc['threat.indicator.file.hash.sha3-224'].value!=null) { return emit(doc['threat.indicator.file.hash.sha3-224'].value) }
|
||||
if (doc['threat.indicator.file.hash.sha3-256'].size()!=0 && doc['threat.indicator.file.hash.sha3-256'].value!=null) { return emit(doc['threat.indicator.file.hash.sha3-256'].value) }
|
||||
if (doc['threat.indicator.file.hash.sha384'].size()!=0 && doc['threat.indicator.file.hash.sha384'].value!=null) { return emit(doc['threat.indicator.file.hash.sha384'].value) }
|
||||
if (doc['threat.indicator.file.hash.sha3-384'].size()!=0 && doc['threat.indicator.file.hash.sha3-384'].value!=null) { return emit(doc['threat.indicator.file.hash.sha3-384'].value) }
|
||||
if (doc['threat.indicator.file.hash.sha512'].size()!=0 && doc['threat.indicator.file.hash.sha512'].value!=null) { return emit(doc['threat.indicator.file.hash.sha512'].value) }
|
||||
if (doc['threat.indicator.file.hash.sha3-512'].size()!=0 && doc['threat.indicator.file.hash.sha3-512'].value!=null) { return emit(doc['threat.indicator.file.hash.sha3-512'].value) }
|
||||
if (doc['threat.indicator.file.hash.sha512/224'].size()!=0 && doc['threat.indicator.file.hash.sha512/224'].value!=null) { return emit(doc['threat.indicator.file.hash.sha512/224'].value) }
|
||||
if (doc['threat.indicator.file.hash.sha512/256'].size()!=0 && doc['threat.indicator.file.hash.sha512/256'].value!=null) { return emit(doc['threat.indicator.file.hash.sha512/256'].value) }
|
||||
if (doc['threat.indicator.file.ssdeep'].size()!=0 && doc['threat.indicator.file.ssdeep'].value!=null) { return emit(doc['threat.indicator.file.ssdeep'].value) }
|
||||
if (doc['threat.indicator.file.tlsh'].size()!=0 && doc['threat.indicator.file.tlsh'].value!=null) { return emit(doc['threat.indicator.file.tlsh'].value) }
|
||||
if (doc['threat.indicator.file.impfuzzy'].size()!=0 && doc['threat.indicator.file.impfuzzy'].value!=null) { return emit(doc['threat.indicator.file.impfuzzy'].value) }
|
||||
if (doc['threat.indicator.file.imphash'].size()!=0 && doc['threat.indicator.file.imphash'].value!=null) { return emit(doc['threat.indicator.file.imphash'].value) }
|
||||
if (doc['threat.indicator.file.pehash'].size()!=0 && doc['threat.indicator.file.pehash'].value!=null) { return emit(doc['threat.indicator.file.pehash'].value) }
|
||||
if (doc['threat.indicator.file.vhash'].size()!=0 && doc['threat.indicator.file.vhash'].value!=null) { return emit(doc['threat.indicator.file.vhash'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='file') { if (doc.containsKey('threat.indicator.file.hash.sha256') && !doc['threat.indicator.file.hash.sha256'].empty && doc['threat.indicator.file.hash.sha256'].size()!=0 && doc['threat.indicator.file.hash.sha256'].value!=null) { return emit(doc['threat.indicator.file.hash.sha256'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.md5') && !doc['threat.indicator.file.hash.md5'].empty && doc['threat.indicator.file.hash.md5'].size()!=0 && doc['threat.indicator.file.hash.md5'].value!=null) { return emit(doc['threat.indicator.file.hash.md5'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha1') && !doc['threat.indicator.file.hash.sha1'].empty && doc['threat.indicator.file.hash.sha1'].size()!=0 && doc['threat.indicator.file.hash.sha1'].value!=null) { return emit(doc['threat.indicator.file.hash.sha1'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha224') && !doc['threat.indicator.file.hash.sha224'].empty && doc['threat.indicator.file.hash.sha224'].size()!=0 && doc['threat.indicator.file.hash.sha224'].value!=null) { return emit(doc['threat.indicator.file.hash.sha224'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha3-224') && !doc['threat.indicator.file.hash.sha3-224'].empty && doc['threat.indicator.file.hash.sha3-224'].size()!=0 && doc['threat.indicator.file.hash.sha3-224'].value!=null) { return emit(doc['threat.indicator.file.hash.sha3-224'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha3-256') && !doc['threat.indicator.file.hash.sha3-256'].empty && doc['threat.indicator.file.hash.sha3-256'].size()!=0 && doc['threat.indicator.file.hash.sha3-256'].value!=null) { return emit(doc['threat.indicator.file.hash.sha3-256'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha384') && !doc['threat.indicator.file.hash.sha384'].empty && doc['threat.indicator.file.hash.sha384'].size()!=0 && doc['threat.indicator.file.hash.sha384'].value!=null) { return emit(doc['threat.indicator.file.hash.sha384'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha3-384') && !doc['threat.indicator.file.hash.sha3-384'].empty && doc['threat.indicator.file.hash.sha3-384'].size()!=0 && doc['threat.indicator.file.hash.sha3-384'].value!=null) { return emit(doc['threat.indicator.file.hash.sha3-384'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha512') && !doc['threat.indicator.file.hash.sha512'].empty && doc['threat.indicator.file.hash.sha512'].size()!=0 && doc['threat.indicator.file.hash.sha512'].value!=null) { return emit(doc['threat.indicator.file.hash.sha512'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha3-512') && !doc['threat.indicator.file.hash.sha3-512'].empty && doc['threat.indicator.file.hash.sha3-512'].size()!=0 && doc['threat.indicator.file.hash.sha3-512'].value!=null) { return emit(doc['threat.indicator.file.hash.sha3-512'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha512/224') && !doc['threat.indicator.file.hash.sha512/224'].empty && doc['threat.indicator.file.hash.sha512/224'].size()!=0 && doc['threat.indicator.file.hash.sha512/224'].value!=null) { return emit(doc['threat.indicator.file.hash.sha512/224'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha512/256') && !doc['threat.indicator.file.hash.sha512/256'].empty && doc['threat.indicator.file.hash.sha512/256'].size()!=0 && doc['threat.indicator.file.hash.sha512/256'].value!=null) { return emit(doc['threat.indicator.file.hash.sha512/256'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.ssdeep') && !doc['threat.indicator.file.hash.ssdeep'].empty && doc['threat.indicator.file.hash.ssdeep'].size()!=0 && doc['threat.indicator.file.hash.ssdeep'].value!=null) { return emit(doc['threat.indicator.file.hash.ssdeep'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.tlsh') && !doc['threat.indicator.file.hash.tlsh'].empty && doc['threat.indicator.file.hash.tlsh'].size()!=0 && doc['threat.indicator.file.hash.tlsh'].value!=null) { return emit(doc['threat.indicator.file.hash.tlsh'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.impfuzzy') && !doc['threat.indicator.file.hash.impfuzzy'].empty && doc['threat.indicator.file.hash.impfuzzy'].size()!=0 && doc['threat.indicator.file.hash.impfuzzy'].value!=null) { return emit(doc['threat.indicator.file.hash.impfuzzy'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.imphash') && !doc['threat.indicator.file.hash.imphash'].empty && doc['threat.indicator.file.hash.imphash'].size()!=0 && doc['threat.indicator.file.hash.imphash'].value!=null) { return emit(doc['threat.indicator.file.hash.imphash'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.pehash') && !doc['threat.indicator.file.hash.pehash'].empty && doc['threat.indicator.file.hash.pehash'].size()!=0 && doc['threat.indicator.file.hash.pehash'].value!=null) { return emit(doc['threat.indicator.file.hash.pehash'].value) }
|
||||
if (doc.containsKey('threat.indicator.file.hash.vhash') && !doc['threat.indicator.file.hash.vhash'].empty && doc['threat.indicator.file.hash.vhash'].size()!=0 && doc['threat.indicator.file.hash.vhash'].value!=null) { return emit(doc['threat.indicator.file.hash.vhash'].value) } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='url') { if (doc['threat.indicator.url.full'].size()!=0 && doc['threat.indicator.url.full'].value!=null) { return emit(doc['threat.indicator.url.full'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='url') { if (doc.containsKey('threat.indicator.url.full') && !doc['threat.indicator.url.full'].empty && doc['threat.indicator.url.full'].size()!=0 && doc['threat.indicator.url.full'].value!=null) { return emit(doc['threat.indicator.url.full'].value) } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain') { if (doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit(doc['threat.indicator.url.domain'].value) } }
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain-name') { if (doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit(doc['threat.indicator.url.domain'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain') { if (doc.containsKey('threat.indicator.url.domain') && !doc['threat.indicator.url.domain'].empty && doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit(doc['threat.indicator.url.domain'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain-name') { if (doc.containsKey('threat.indicator.url.domain') && !doc['threat.indicator.url.domain'].empty && doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit(doc['threat.indicator.url.domain'].value) } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509-certificate') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit(doc['threat.indicator.x509.serial_number'].value) } }
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509 serial') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit(doc['threat.indicator.x509.serial_number'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509-certificate') { if (doc.containsKey('threat.indicator.x509.serial_number') && !doc['threat.indicator.x509.serial_number'].empty && doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit(doc['threat.indicator.x509.serial_number'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509 serial') { if (doc.containsKey('threat.indicator.x509.serial_number') && !doc['threat.indicator.x509.serial_number'].empty && doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit(doc['threat.indicator.x509.serial_number'].value) } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-addr') { if (doc['threat.indicator.email.address'].size()!=0 && doc['threat.indicator.email.address'].value!=null) { return emit(doc['threat.indicator.email.address'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-addr') { if (doc.containsKey('threat.indicator.email.address') && !doc['threat.indicator.email.address'].empty && doc['threat.indicator.email.address'].size()!=0 && doc['threat.indicator.email.address'].value!=null) { return emit(doc['threat.indicator.email.address'].value) } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='unknown') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } }
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } }
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-message') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='unknown') { if (doc.containsKey('_id') && !doc['_id'].empty && doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email') { if (doc.containsKey('_id') && !doc['_id'].empty && doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-message') { if (doc.containsKey('_id') && !doc['_id'].empty && doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit(doc['_id'].value) } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='windows-registry-key') { if (doc['threat.indicator.registry.key'].size()!=0 && doc['threat.indicator.registry.key'].value!=null) { return emit(doc['threat.indicator.registry.key'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='windows-registry-key') { if (doc.containsKey('threat.indicator.registry.key') && !doc['threat.indicator.registry.key'].empty && doc['threat.indicator.registry.key'].size()!=0 && doc['threat.indicator.registry.key'].value!=null) { return emit(doc['threat.indicator.registry.key'].value) } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='autonomous-system') { if (doc['threat.indicator.as.number'].size()!=0 && doc['threat.indicator.as.number'].value!=null) { return emit(doc['threat.indicator.as.number'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='autonomous-system') { if (doc.containsKey('threat.indicator.as.number') && !doc['threat.indicator.as.number'].empty && doc['threat.indicator.as.number'].size()!=0 && doc['threat.indicator.as.number'].value!=null) { return emit(doc['threat.indicator.as.number'].value) } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='mac-addr') { if (doc['threat.indicator.mac'].size()!=0 && doc['threat.indicator.mac'].value!=null) { return emit(doc['threat.indicator.mac'].value) } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='mac-addr') { if (doc.containsKey('threat.indicator.mac') && !doc['threat.indicator.mac'].empty && doc['threat.indicator.mac'].size()!=0 && doc['threat.indicator.mac'].value!=null) { return emit(doc['threat.indicator.mac'].value) } }
|
||||
|
||||
return emit('')"
|
||||
`);
|
||||
|
@ -61,47 +61,47 @@ describe('display name generation', () => {
|
|||
describe('threatIndicatorNamesOriginScript()', () => {
|
||||
it('should generate a valid painless script', () => {
|
||||
expect(threatIndicatorNamesOriginScript()).toMatchInlineSnapshot(`
|
||||
"if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv4-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit('threat.indicator.ip') } }
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv6-addr') { if (doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit('threat.indicator.ip') } }
|
||||
"if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv4-addr') { if (doc.containsKey('threat.indicator.ip') && !doc['threat.indicator.ip'].empty && doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit('threat.indicator.ip') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='ipv6-addr') { if (doc.containsKey('threat.indicator.ip') && !doc['threat.indicator.ip'].empty && doc['threat.indicator.ip'].size()!=0 && doc['threat.indicator.ip'].value!=null) { return emit('threat.indicator.ip') } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='file') { if (doc['threat.indicator.file.hash.sha256'].size()!=0 && doc['threat.indicator.file.hash.sha256'].value!=null) { return emit('threat.indicator.file.hash.sha256') }
|
||||
if (doc['threat.indicator.file.hash.md5'].size()!=0 && doc['threat.indicator.file.hash.md5'].value!=null) { return emit('threat.indicator.file.hash.md5') }
|
||||
if (doc['threat.indicator.file.hash.sha1'].size()!=0 && doc['threat.indicator.file.hash.sha1'].value!=null) { return emit('threat.indicator.file.hash.sha1') }
|
||||
if (doc['threat.indicator.file.hash.sha224'].size()!=0 && doc['threat.indicator.file.hash.sha224'].value!=null) { return emit('threat.indicator.file.hash.sha224') }
|
||||
if (doc['threat.indicator.file.hash.sha3-224'].size()!=0 && doc['threat.indicator.file.hash.sha3-224'].value!=null) { return emit('threat.indicator.file.hash.sha3-224') }
|
||||
if (doc['threat.indicator.file.hash.sha3-256'].size()!=0 && doc['threat.indicator.file.hash.sha3-256'].value!=null) { return emit('threat.indicator.file.hash.sha3-256') }
|
||||
if (doc['threat.indicator.file.hash.sha384'].size()!=0 && doc['threat.indicator.file.hash.sha384'].value!=null) { return emit('threat.indicator.file.hash.sha384') }
|
||||
if (doc['threat.indicator.file.hash.sha3-384'].size()!=0 && doc['threat.indicator.file.hash.sha3-384'].value!=null) { return emit('threat.indicator.file.hash.sha3-384') }
|
||||
if (doc['threat.indicator.file.hash.sha512'].size()!=0 && doc['threat.indicator.file.hash.sha512'].value!=null) { return emit('threat.indicator.file.hash.sha512') }
|
||||
if (doc['threat.indicator.file.hash.sha3-512'].size()!=0 && doc['threat.indicator.file.hash.sha3-512'].value!=null) { return emit('threat.indicator.file.hash.sha3-512') }
|
||||
if (doc['threat.indicator.file.hash.sha512/224'].size()!=0 && doc['threat.indicator.file.hash.sha512/224'].value!=null) { return emit('threat.indicator.file.hash.sha512/224') }
|
||||
if (doc['threat.indicator.file.hash.sha512/256'].size()!=0 && doc['threat.indicator.file.hash.sha512/256'].value!=null) { return emit('threat.indicator.file.hash.sha512/256') }
|
||||
if (doc['threat.indicator.file.ssdeep'].size()!=0 && doc['threat.indicator.file.ssdeep'].value!=null) { return emit('threat.indicator.file.ssdeep') }
|
||||
if (doc['threat.indicator.file.tlsh'].size()!=0 && doc['threat.indicator.file.tlsh'].value!=null) { return emit('threat.indicator.file.tlsh') }
|
||||
if (doc['threat.indicator.file.impfuzzy'].size()!=0 && doc['threat.indicator.file.impfuzzy'].value!=null) { return emit('threat.indicator.file.impfuzzy') }
|
||||
if (doc['threat.indicator.file.imphash'].size()!=0 && doc['threat.indicator.file.imphash'].value!=null) { return emit('threat.indicator.file.imphash') }
|
||||
if (doc['threat.indicator.file.pehash'].size()!=0 && doc['threat.indicator.file.pehash'].value!=null) { return emit('threat.indicator.file.pehash') }
|
||||
if (doc['threat.indicator.file.vhash'].size()!=0 && doc['threat.indicator.file.vhash'].value!=null) { return emit('threat.indicator.file.vhash') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='file') { if (doc.containsKey('threat.indicator.file.hash.sha256') && !doc['threat.indicator.file.hash.sha256'].empty && doc['threat.indicator.file.hash.sha256'].size()!=0 && doc['threat.indicator.file.hash.sha256'].value!=null) { return emit('threat.indicator.file.hash.sha256') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.md5') && !doc['threat.indicator.file.hash.md5'].empty && doc['threat.indicator.file.hash.md5'].size()!=0 && doc['threat.indicator.file.hash.md5'].value!=null) { return emit('threat.indicator.file.hash.md5') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha1') && !doc['threat.indicator.file.hash.sha1'].empty && doc['threat.indicator.file.hash.sha1'].size()!=0 && doc['threat.indicator.file.hash.sha1'].value!=null) { return emit('threat.indicator.file.hash.sha1') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha224') && !doc['threat.indicator.file.hash.sha224'].empty && doc['threat.indicator.file.hash.sha224'].size()!=0 && doc['threat.indicator.file.hash.sha224'].value!=null) { return emit('threat.indicator.file.hash.sha224') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha3-224') && !doc['threat.indicator.file.hash.sha3-224'].empty && doc['threat.indicator.file.hash.sha3-224'].size()!=0 && doc['threat.indicator.file.hash.sha3-224'].value!=null) { return emit('threat.indicator.file.hash.sha3-224') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha3-256') && !doc['threat.indicator.file.hash.sha3-256'].empty && doc['threat.indicator.file.hash.sha3-256'].size()!=0 && doc['threat.indicator.file.hash.sha3-256'].value!=null) { return emit('threat.indicator.file.hash.sha3-256') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha384') && !doc['threat.indicator.file.hash.sha384'].empty && doc['threat.indicator.file.hash.sha384'].size()!=0 && doc['threat.indicator.file.hash.sha384'].value!=null) { return emit('threat.indicator.file.hash.sha384') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha3-384') && !doc['threat.indicator.file.hash.sha3-384'].empty && doc['threat.indicator.file.hash.sha3-384'].size()!=0 && doc['threat.indicator.file.hash.sha3-384'].value!=null) { return emit('threat.indicator.file.hash.sha3-384') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha512') && !doc['threat.indicator.file.hash.sha512'].empty && doc['threat.indicator.file.hash.sha512'].size()!=0 && doc['threat.indicator.file.hash.sha512'].value!=null) { return emit('threat.indicator.file.hash.sha512') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha3-512') && !doc['threat.indicator.file.hash.sha3-512'].empty && doc['threat.indicator.file.hash.sha3-512'].size()!=0 && doc['threat.indicator.file.hash.sha3-512'].value!=null) { return emit('threat.indicator.file.hash.sha3-512') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha512/224') && !doc['threat.indicator.file.hash.sha512/224'].empty && doc['threat.indicator.file.hash.sha512/224'].size()!=0 && doc['threat.indicator.file.hash.sha512/224'].value!=null) { return emit('threat.indicator.file.hash.sha512/224') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.sha512/256') && !doc['threat.indicator.file.hash.sha512/256'].empty && doc['threat.indicator.file.hash.sha512/256'].size()!=0 && doc['threat.indicator.file.hash.sha512/256'].value!=null) { return emit('threat.indicator.file.hash.sha512/256') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.ssdeep') && !doc['threat.indicator.file.hash.ssdeep'].empty && doc['threat.indicator.file.hash.ssdeep'].size()!=0 && doc['threat.indicator.file.hash.ssdeep'].value!=null) { return emit('threat.indicator.file.hash.ssdeep') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.tlsh') && !doc['threat.indicator.file.hash.tlsh'].empty && doc['threat.indicator.file.hash.tlsh'].size()!=0 && doc['threat.indicator.file.hash.tlsh'].value!=null) { return emit('threat.indicator.file.hash.tlsh') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.impfuzzy') && !doc['threat.indicator.file.hash.impfuzzy'].empty && doc['threat.indicator.file.hash.impfuzzy'].size()!=0 && doc['threat.indicator.file.hash.impfuzzy'].value!=null) { return emit('threat.indicator.file.hash.impfuzzy') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.imphash') && !doc['threat.indicator.file.hash.imphash'].empty && doc['threat.indicator.file.hash.imphash'].size()!=0 && doc['threat.indicator.file.hash.imphash'].value!=null) { return emit('threat.indicator.file.hash.imphash') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.pehash') && !doc['threat.indicator.file.hash.pehash'].empty && doc['threat.indicator.file.hash.pehash'].size()!=0 && doc['threat.indicator.file.hash.pehash'].value!=null) { return emit('threat.indicator.file.hash.pehash') }
|
||||
if (doc.containsKey('threat.indicator.file.hash.vhash') && !doc['threat.indicator.file.hash.vhash'].empty && doc['threat.indicator.file.hash.vhash'].size()!=0 && doc['threat.indicator.file.hash.vhash'].value!=null) { return emit('threat.indicator.file.hash.vhash') } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='url') { if (doc['threat.indicator.url.full'].size()!=0 && doc['threat.indicator.url.full'].value!=null) { return emit('threat.indicator.url.full') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='url') { if (doc.containsKey('threat.indicator.url.full') && !doc['threat.indicator.url.full'].empty && doc['threat.indicator.url.full'].size()!=0 && doc['threat.indicator.url.full'].value!=null) { return emit('threat.indicator.url.full') } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain') { if (doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit('threat.indicator.url.domain') } }
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain-name') { if (doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit('threat.indicator.url.domain') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain') { if (doc.containsKey('threat.indicator.url.domain') && !doc['threat.indicator.url.domain'].empty && doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit('threat.indicator.url.domain') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='domain-name') { if (doc.containsKey('threat.indicator.url.domain') && !doc['threat.indicator.url.domain'].empty && doc['threat.indicator.url.domain'].size()!=0 && doc['threat.indicator.url.domain'].value!=null) { return emit('threat.indicator.url.domain') } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509-certificate') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit('threat.indicator.x509.serial_number') } }
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509 serial') { if (doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit('threat.indicator.x509.serial_number') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509-certificate') { if (doc.containsKey('threat.indicator.x509.serial_number') && !doc['threat.indicator.x509.serial_number'].empty && doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit('threat.indicator.x509.serial_number') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='x509 serial') { if (doc.containsKey('threat.indicator.x509.serial_number') && !doc['threat.indicator.x509.serial_number'].empty && doc['threat.indicator.x509.serial_number'].size()!=0 && doc['threat.indicator.x509.serial_number'].value!=null) { return emit('threat.indicator.x509.serial_number') } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-addr') { if (doc['threat.indicator.email.address'].size()!=0 && doc['threat.indicator.email.address'].value!=null) { return emit('threat.indicator.email.address') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-addr') { if (doc.containsKey('threat.indicator.email.address') && !doc['threat.indicator.email.address'].empty && doc['threat.indicator.email.address'].size()!=0 && doc['threat.indicator.email.address'].value!=null) { return emit('threat.indicator.email.address') } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='unknown') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } }
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } }
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-message') { if (doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='unknown') { if (doc.containsKey('_id') && !doc['_id'].empty && doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email') { if (doc.containsKey('_id') && !doc['_id'].empty && doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='email-message') { if (doc.containsKey('_id') && !doc['_id'].empty && doc['_id'].size()!=0 && doc['_id'].value!=null) { return emit('_id') } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='windows-registry-key') { if (doc['threat.indicator.registry.key'].size()!=0 && doc['threat.indicator.registry.key'].value!=null) { return emit('threat.indicator.registry.key') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='windows-registry-key') { if (doc.containsKey('threat.indicator.registry.key') && !doc['threat.indicator.registry.key'].empty && doc['threat.indicator.registry.key'].size()!=0 && doc['threat.indicator.registry.key'].value!=null) { return emit('threat.indicator.registry.key') } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='autonomous-system') { if (doc['threat.indicator.as.number'].size()!=0 && doc['threat.indicator.as.number'].value!=null) { return emit('threat.indicator.as.number') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='autonomous-system') { if (doc.containsKey('threat.indicator.as.number') && !doc['threat.indicator.as.number'].empty && doc['threat.indicator.as.number'].size()!=0 && doc['threat.indicator.as.number'].value!=null) { return emit('threat.indicator.as.number') } }
|
||||
|
||||
if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='mac-addr') { if (doc['threat.indicator.mac'].size()!=0 && doc['threat.indicator.mac'].value!=null) { return emit('threat.indicator.mac') } }
|
||||
if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='mac-addr') { if (doc.containsKey('threat.indicator.mac') && !doc['threat.indicator.mac'].empty && doc['threat.indicator.mac'].size()!=0 && doc['threat.indicator.mac'].value!=null) { return emit('threat.indicator.mac') } }
|
||||
|
||||
return emit('')"
|
||||
`);
|
||||
|
|
|
@ -56,13 +56,13 @@ const mappingsArray: Mappings = [
|
|||
* Generates Painless condition checking if given `type` is matched
|
||||
*/
|
||||
const fieldTypeCheck = (type: string) =>
|
||||
`if (doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='${type.toLowerCase()}')`;
|
||||
`if (doc.containsKey('threat.indicator.type') && !doc['threat.indicator.type'].empty && doc['threat.indicator.type'].size()!=0 && doc['threat.indicator.type'].value!=null && doc['threat.indicator.type'].value.toLowerCase()=='${type.toLowerCase()}')`;
|
||||
|
||||
/**
|
||||
* Generates Painless condition checking if given `field` has value
|
||||
*/
|
||||
const fieldValueCheck = (field: string) =>
|
||||
`if (doc['${field}'].size()!=0 && doc['${field}'].value!=null)`;
|
||||
`if (doc.containsKey('${field}') && !doc['${field}'].empty && doc['${field}'].size()!=0 && doc['${field}'].value!=null)`;
|
||||
|
||||
/**
|
||||
* Converts Mapping to Painless script, computing `threat.indicator.name` value for given indicator types.
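Review bot: Both new template strings splice `${field}` and `${type}` into single-quoted Painless literals without escaping, so a name containing `'` or `\` would alter the generated script instead of failing loudly; today the values come from the static `mappingsArray` named in the hunk header, so this is an invariant to pin rather than a live defect, and a one-line guard at the top of each helper, `if (/['\\]/.test(field)) throw new Error('unsupported character in Painless field name');`, would do it. Of the added conditions only `doc.containsKey(...)` changes behaviour — `!doc[f].empty` and `doc[f].size()!=0` test the same thing — so a short comment on why it was added, `// containsKey guards indices that do not map this field; doc['f'] alone throws there`, would explain the change to the next reader better than the longer chain does. `fieldTypeCheck` also repeats verbatim the chain that `fieldValueCheck` would produce for `threat.indicator.type`; composing it from one shared fragment would keep the two in step the next time the check is tightened.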
|
||||
|
|
|
@ -13,6 +13,7 @@ import {
|
|||
import {
|
||||
generateMockIndicator,
|
||||
generateMockUrlIndicator,
|
||||
Indicator,
|
||||
} from '../../../../common/types/indicator';
|
||||
import { TestProvidersComponent } from '../../../common/mocks/test_providers';
|
||||
|
||||
|
@ -29,6 +30,28 @@ describe('useInvestigateInTimeline()', () => {
|
|||
expect(hookResult.result.current).toEqual({});
|
||||
});
|
||||
|
||||
it('should return empty object if name_origin value is missing on the mapping investigate in timeline mapping', () => {
|
||||
const indicator: Indicator = generateMockUrlIndicator();
|
||||
indicator.fields['threat.indicator.name_origin'] = ['threat.indicator.url.missing'];
|
||||
|
||||
hookResult = renderHook(() => useInvestigateInTimeline({ indicator }), {
|
||||
wrapper: TestProvidersComponent,
|
||||
});
|
||||
|
||||
expect(hookResult.result.current).toEqual({});
|
||||
});
|
||||
|
||||
it('should return empty object if @timestamp is missing', () => {
|
||||
const indicator: Indicator = generateMockUrlIndicator();
|
||||
indicator.fields['@timestamp'] = undefined;
|
||||
|
||||
hookResult = renderHook(() => useInvestigateInTimeline({ indicator }), {
|
||||
wrapper: TestProvidersComponent,
|
||||
});
|
||||
|
||||
expect(hookResult.result.current).toEqual({});
|
||||
});
|
||||
|
||||
it('should return ', () => {
|
||||
const indicator = generateMockUrlIndicator();
|
||||
|
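Review bot: The title of the first added test, `should return empty object if name_origin value is missing on the mapping investigate in timeline mapping`, is hard to parse; since the body points `threat.indicator.name_origin` at a field with no entry in the enrichment map, `should return empty object if name_origin has no investigate-in-timeline mapping` says the same thing plainly. The three cases that now end in `expect(hookResult.result.current).toEqual({})` share an identical render-and-assert body, so a small local helper taking the indicator would reduce each case to the one line that differs. The enclosing `describe` starts and ends outside the hunk.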
||||
|
|
|
@ -40,17 +40,22 @@ export const useInvestigateInTimeline = ({
|
|||
const securitySolutionContext = useContext(SecuritySolutionContext);
|
||||
|
||||
const { key, value } = getIndicatorFieldAndValue(indicator, RawIndicatorFieldId.Name);
|
||||
if (!fieldAndValueValid(key, value)) {
|
||||
const sourceEventField = IndicatorFieldEventEnrichmentMap[key];
|
||||
if (!fieldAndValueValid(key, value) || !sourceEventField) {
|
||||
return {} as unknown as UseInvestigateInTimelineValue;
|
||||
}
|
||||
|
||||
const dataProviders: DataProvider[] = [...IndicatorFieldEventEnrichmentMap[key], key].map(
|
||||
(e: string) => generateDataProvider(e, value as string)
|
||||
const dataProviders: DataProvider[] = [...sourceEventField, key].map((e: string) =>
|
||||
generateDataProvider(e, value as string)
|
||||
);
|
||||
|
||||
const to = unwrapValue(indicator, RawIndicatorFieldId.TimeStamp) as string;
|
||||
const from = moment(to).subtract(10, 'm').toISOString();
|
||||
|
||||
if (!to || !from) {
|
||||
return {} as unknown as UseInvestigateInTimelineValue;
|
||||
}
|
||||
|
||||
const investigateInTimelineClick = securitySolutionContext?.getUseInvestigateInTimeline({
|
||||
dataProviders,
|
||||
from,
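Review bot: `IndicatorFieldEventEnrichmentMap[key]` is a plain-object lookup whose `key` appears to come from the indicator document (the companion test drives it through `threat.indicator.name_origin`), so a key such as `constructor` or `toString` resolves to an inherited function; that value is truthy, passes the new `!sourceEventField` guard, and the spread `[...sourceEventField, key]` below then throws because a function is not iterable. Tightening the guard to the shape the code relies on, `if (!fieldAndValueValid(key, value) || !Array.isArray(sourceEventField)) {`, closes that gap with no other change (an own-property check would do the same). `useInvestigateInTimeline` starts and ends outside the hunk.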
|
||||
|
|