Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cylance,ti_opencti: fix up package validation issues #10134

Merged
merged 5 commits into from
Jun 18, 2024

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Jun 11, 2024

Proposed commit message

cylance: fix kibana.version syntax in manifest
ti_opencti: use extended list of expected_values for indicator type

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 added enhancement New feature or request Integration:cylance CylanceProtect Logs Integration:ti_opencti OpenCTI Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Jun 11, 2024
@efd6 efd6 self-assigned this Jun 11, 2024
@efd6 efd6 force-pushed the st9309-ecs-bis branch from 0adbb3f to 64978f0 Compare June 11, 2024 22:19
@elasticmachine
Copy link

elasticmachine commented Jun 11, 2024

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review June 11, 2024 23:05
@efd6 efd6 requested a review from a team as a code owner June 11, 2024 23:05
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. But we should wait for @chrisberkhout to take look.

@andrewkroh andrewkroh requested a review from a team June 11, 2024 23:26
@efd6
Copy link
Contributor Author

efd6 commented Jun 12, 2024

Agreed. That's why I did not include this in the previous batch. I'm not wildly satisfied with the available labels.

@efd6 efd6 force-pushed the st9309-ecs-bis branch 2 times, most recently from e6a37ce to f79920f Compare June 12, 2024 12:27
@chrisberkhout
Copy link
Contributor

The expected values issue seems to keep coming up.

Regarding the validation of expected values

When I created the OpenCTI integration I included pipeline test examples for each type of indicator that I had data for, which included some that weren't in the expected_values list for threat.indicator.type, so elastic-package failed the build.

When the expected_values config option was added it wasn't intended to be a list of the only possible values. The available documentation still says:

expected_values (optional): An array of expected values for the field. Schema consumers can validate integrations and mapped data against the listed values. These values are the recommended convention, but users may also use other values.

There's also an allowed_values config option that is different.

I raised the issue in elastic/elastic-package#1472 and it was decided that when we have expected values, we'll continue to enforce those as the only valid values, but we'll allow integrations to override those settings with a different list of expected values (implemented in elastic/package-spec#616).

I had different variations of the config that got the build to pass at different times. The last version overrode the definition of threat.indicator.type, but without providing a list of expected values. I guess that stopped working? The best update might be to add a list of expected_values to that definition.

Regarding the expected values themselves

The ECS documentation of threat.indicator.type describes it as:

Type of indicator as represented by Cyber Observable in STIX 2.0.

However, the list of expected values misses some types from STIX and adds some others. OpenCTI uses STIX 2.1 type names but adds several extras. In colums D-G of the "OpenCTI observable types" tab of the "OpenCTI Mappings" spreadsheet, I made a summary of all the type names and which lists they are in.

I'm not sure if alert rules or Security UI features depend on having specific threat.indicator.type values, but if so an unknown extra value might still be better than changing to the closest type in the expected list.

The STIX standard has a fixed list of types and no defined way to mark an extra type or unknown type.

I think the ECS documentation should be updated to say threat.indicator.type uses names from STIX 2.1 where possible, but allows other values. The list of expected values could be updated and remain, or it could be changed to a list of example values. If necessary the OpenCTI integration can override the definition with an expanded list. I do think we should keep the expanded list for OpenCTI. However, if we did remove values from threat.indicator.type, we should keep the original value in a new field opencti.indicator.type and update a README section.

Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@elasticmachine
Copy link

💚 Build Succeeded

History

cc @efd6

Copy link
Contributor

@chrisberkhout chrisberkhout left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a couple of commits.

@efd6
Copy link
Contributor Author

efd6 commented Jun 18, 2024

Thanks

@efd6 efd6 merged commit 3c75ae6 into elastic:main Jun 18, 2024
5 checks passed
@elasticmachine
Copy link

Package cylance - 0.19.3 containing this change is available at https://epr.elastic.co/search?package=cylance

@elasticmachine
Copy link

Package ti_opencti - 2.2.0 containing this change is available at https://epr.elastic.co/search?package=ti_opencti

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request Integration:cylance CylanceProtect Logs Integration:ti_opencti OpenCTI Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants