-
Notifications
You must be signed in to change notification settings - Fork 458
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cylance,ti_opencti: fix up package validation issues #10134
Conversation
🚀 Benchmarks reportTo see the full report comment with |
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. But we should wait for @chrisberkhout to take look.
Agreed. That's why I did not include this in the previous batch. I'm not wildly satisfied with the available labels. |
e6a37ce
to
f79920f
Compare
The expected values issue seems to keep coming up. Regarding the validation of expected valuesWhen I created the OpenCTI integration I included pipeline test examples for each type of indicator that I had data for, which included some that weren't in the When the
There's also an I raised the issue in elastic/elastic-package#1472 and it was decided that when we have expected values, we'll continue to enforce those as the only valid values, but we'll allow integrations to override those settings with a different list of expected values (implemented in elastic/package-spec#616). I had different variations of the config that got the build to pass at different times. The last version overrode the definition of Regarding the expected values themselvesThe ECS documentation of
However, the list of expected values misses some types from STIX and adds some others. OpenCTI uses STIX 2.1 type names but adds several extras. In colums D-G of the "OpenCTI observable types" tab of the "OpenCTI Mappings" spreadsheet, I made a summary of all the type names and which lists they are in. I'm not sure if alert rules or Security UI features depend on having specific The STIX standard has a fixed list of types and no defined way to mark an extra type or unknown type. I think the ECS documentation should be updated to say |
Quality Gate passedIssues Measures |
💚 Build Succeeded
History
cc @efd6 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a couple of commits.
Thanks |
Package cylance - 0.19.3 containing this change is available at https://epr.elastic.co/search?package=cylance |
Package ti_opencti - 2.2.0 containing this change is available at https://epr.elastic.co/search?package=ti_opencti |
Proposed commit message
Checklist
changelog.yml
file.Author's Checklist
How to test this PR locally
Related issues
Screenshots