ti_opencti: read indicators from STIX pattern when no observables are present (#16531)

Extracts indicator fields from the STIX pattern when observables_count is 0, so indicators without observables still populate ECS fields.

Author: chemamartinez

packages/ti_opencti/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.11.0"
+  changes:
+    - description: Read indicators from STIX pattern when no observables are present.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16531
 - version: "2.10.1"
   changes:
     - description: Fix null reference errors in ingest pipelines.

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json-expected.json

@@ -75,4 +75,4 @@
             }
         }
     ]
-}
+}

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json

@@ -64,6 +64,61 @@
             "x_opencti_detection": false,
             "x_opencti_main_observable_type": "Domain-Name",
             "x_opencti_score": 60
+        },
+        {
+            "confidence": 0,
+            "created": "2023-11-02T00:17:00.295Z",
+            "createdBy": {
+                "identity_class": "organization",
+                "name": "Stopforumspam"
+            },
+            "description": "Stopforumspam",
+            "externalReferences": {
+                "edges": [
+                    {
+                        "node": {
+                            "description": "Stopforumspam feed URL",
+                            "source_name": "stopforumspam",
+                            "url": "https://www.stopforumspam.com/downloads/toxic_domains_whole_filtered_50000.txt"
+                        }
+                    },
+                    {
+                        "node": {
+                            "external_id": null,
+                            "source_name": "MISC",
+                            "url": "https://example.com/CVE-0079-1234",
+                            "description": null
+                        }
+                    }
+                ]
+            },
+            "id": "fcfa872e-a8b6-4525-847e-f3c756b70035",
+            "is_inferred": false,
+            "killChainPhases": [],
+            "lang": "en",
+            "modified": "2023-11-09T23:22:20.586Z",
+            "name": "freelifetimexxxdates.com",
+            "objectLabel": [
+                {
+                    "value": "spam"
+                }
+            ],
+            "objectMarking": [],
+            "observables": {
+                "edges": [],
+                "pageInfo": {
+                    "globalCount": 0
+                }
+            },
+            "pattern": "[domain-name:value = 'freelifetimexxxdates.com']",
+            "pattern_type": "stix",
+            "revoked": false,
+            "standard_id": "indicator--08a7e875-2ce4-50ab-a8de-2915addd93c4",
+            "valid_from": "2023-11-09T23:22:19.426Z",
+            "valid_until": "2024-11-08T23:22:19.426Z",
+            "x_opencti_detection": false,
+            "x_opencti_main_observable_type": "Domain-Name",
+            "x_opencti_score": 60
         }
     ]
 }

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json-expected.json

@@ -84,6 +84,83 @@
                     }
                 }
             }
+        },
+        {
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "threat"
+                ],
+                "created": "2023-11-02T00:17:00.295Z",
+                "id": "fcfa872e-a8b6-4525-847e-f3c756b70035",
+                "kind": "enrichment",
+                "type": [
+                    "indicator"
+                ]
+            },
+            "opencti": {
+                "indicator": {
+                    "creator_identity_class": "organization",
+                    "detection": false,
+                    "external_reference": {
+                        "description": "Stopforumspam feed URL",
+                        "source_name": [
+                            "stopforumspam",
+                            "MISC"
+                        ],
+                        "url": [
+                            "https://www.stopforumspam.com/downloads/toxic_domains_whole_filtered_50000.txt",
+                            "https://example.com/CVE-0079-1234"
+                        ]
+                    },
+                    "invalid_or_revoked_from": "2024-11-08T23:22:19.426Z",
+                    "is_inferred": false,
+                    "lang": "en",
+                    "observables_count": 0,
+                    "pattern": "[domain-name:value = 'freelifetimexxxdates.com']",
+                    "pattern_type": "stix",
+                    "revoked": false,
+                    "score": 60,
+                    "standard_id": "indicator--08a7e875-2ce4-50ab-a8de-2915addd93c4",
+                    "valid_from": "2023-11-09T23:22:19.426Z",
+                    "valid_until": "2024-11-08T23:22:19.426Z"
+                }
+            },
+            "related": {
+                "hosts": [
+                    "freelifetimexxxdates.com"
+                ]
+            },
+            "tags": [
+                "forwarded",
+                "opencti-indicator",
+                "spam",
+                "ecs-indicator-detail"
+            ],
+            "threat": {
+                "feed": {
+                    "dashboard_id": "ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd",
+                    "description": "Indicator data from OpenCTI",
+                    "name": "OpenCTI",
+                    "reference": "https://docs.opencti.io/latest/usage/overview/"
+                },
+                "indicator": {
+                    "confidence": "None",
+                    "description": "Stopforumspam",
+                    "modified_at": "2023-11-09T23:22:20.586Z",
+                    "name": "freelifetimexxxdates.com",
+                    "provider": "Stopforumspam",
+                    "reference": "https://demo.opencti.io/dashboard/observations/indicators/fcfa872e-a8b6-4525-847e-f3c756b70035",
+                    "type": "domain-name",
+                    "url": {
+                        "domain": "freelifetimexxxdates.com",
+                        "registered_domain": "freelifetimexxxdates.com",
+                        "top_level_domain": "com"
+                    }
+                }
+            }
         }
     ]
-}
+}

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name.json

@@ -57,6 +57,54 @@
                     "globalCount": 1
                 }
             }
+        },
+        {
+            "id": "74241a4b-45c8-412d-8cd5-20ddbefaf065",
+            "standard_id": "indicator--d187f4b2-ecd0-525f-8227-f1d7aecad5c6",
+            "is_inferred": false,
+            "revoked": true,
+            "confidence": 30,
+            "lang": "en",
+            "created": "2023-01-17T06:40:40.348Z",
+            "modified": "2023-01-17T07:07:01.972Z",
+            "pattern_type": "stix",
+            "pattern_version": "2.1",
+            "pattern": "[domain-name:value = 'mydomain1607.com']",
+            "name": "mydomain1607.com",
+            "description": "",
+            "valid_from": "2017-03-31T10:42:38.000Z",
+            "valid_until": "2018-03-31T10:42:38.000Z",
+            "x_opencti_score": 50,
+            "x_opencti_detection": false,
+            "x_opencti_main_observable_type": "Domain-Name",
+            "createdBy": {
+                "identity_class": "organization",
+                "name": "AlienVault"
+            },
+            "objectMarking": [
+                {
+                    "definition_type": "TLP",
+                    "definition": "TLP:CLEAR"
+                }
+            ],
+            "objectLabel": [
+                {
+                    "value": "iran"
+                },
+                {
+                    "value": "oilrig"
+                }
+            ],
+            "killChainPhases": [],
+            "externalReferences": {
+                "edges": []
+            },
+            "observables": {
+                "edges": [],
+                "pageInfo": {
+                    "globalCount": 0
+                }
+            }
         }
     ]
 }

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name.json-expected.json

@@ -77,6 +77,76 @@
                     }
                 }
             }
+        },
+        {
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "threat"
+                ],
+                "created": "2023-01-17T06:40:40.348Z",
+                "id": "74241a4b-45c8-412d-8cd5-20ddbefaf065",
+                "kind": "enrichment",
+                "type": [
+                    "indicator"
+                ]
+            },
+            "opencti": {
+                "indicator": {
+                    "creator_identity_class": "organization",
+                    "detection": false,
+                    "invalid_or_revoked_from": "2018-03-31T10:42:38.000Z",
+                    "is_inferred": false,
+                    "lang": "en",
+                    "observables_count": 0,
+                    "pattern": "[domain-name:value = 'mydomain1607.com']",
+                    "pattern_type": "stix",
+                    "pattern_version": "2.1",
+                    "revoked": true,
+                    "score": 50,
+                    "standard_id": "indicator--d187f4b2-ecd0-525f-8227-f1d7aecad5c6",
+                    "valid_from": "2017-03-31T10:42:38.000Z",
+                    "valid_until": "2018-03-31T10:42:38.000Z"
+                }
+            },
+            "related": {
+                "hosts": [
+                    "mydomain1607.com"
+                ]
+            },
+            "tags": [
+                "forwarded",
+                "opencti-indicator",
+                "iran",
+                "oilrig",
+                "ecs-indicator-detail"
+            ],
+            "threat": {
+                "feed": {
+                    "dashboard_id": "ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd",
+                    "description": "Indicator data from OpenCTI",
+                    "name": "OpenCTI",
+                    "reference": "https://docs.opencti.io/latest/usage/overview/"
+                },
+                "indicator": {
+                    "confidence": "Medium",
+                    "marking": {
+                        "tlp": "CLEAR"
+                    },
+                    "modified_at": "2023-01-17T07:07:01.972Z",
+                    "name": "mydomain1607.com",
+                    "provider": "AlienVault",
+                    "reference": "https://demo.opencti.io/dashboard/observations/indicators/74241a4b-45c8-412d-8cd5-20ddbefaf065",
+                    "type": "domain-name",
+                    "url": {
+                        "domain": "mydomain1607.com",
+                        "registered_domain": "mydomain1607.com",
+                        "top_level_domain": "com"
+                    }
+                }
+            }
         }
     ]
-}
+}

packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-addr.json

@@ -58,6 +58,54 @@
                     "globalCount": 1
                 }
             }
+        },
+        {
+            "id": "3a2616f1-b063-4c85-9c2f-bad7a61c547e",
+            "standard_id": "indicator--34da552c-ed45-5ee8-9a0a-833e7fb50713",
+            "is_inferred": false,
+            "revoked": true,
+            "confidence": 30,
+            "lang": "en",
+            "created": "2023-01-17T06:44:17.361Z",
+            "modified": "2023-01-17T09:13:06.584Z",
+            "pattern_type": "stix",
+            "pattern_version": "2.1",
+            "pattern": "[email-addr:value = '[email protected]']",
+            "name": "[email protected]",
+            "description": "",
+            "valid_from": "2017-08-04T09:57:02.000Z",
+            "valid_until": "2018-08-04T09:57:02.000Z",
+            "x_opencti_score": 50,
+            "x_opencti_detection": false,
+            "x_opencti_main_observable_type": "Email-Addr",
+            "createdBy": {
+                "identity_class": "organization",
+                "name": "AlienVault"
+            },
+            "objectMarking": [
+                {
+                    "definition_type": "TLP",
+                    "definition": "TLP:CLEAR"
+                }
+            ],
+            "objectLabel": [
+                {
+                    "value": "ransomware"
+                },
+                {
+                    "value": "gryphon"
+                }
+            ],
+            "killChainPhases": [],
+            "externalReferences": {
+                "edges": []
+            },
+            "observables": {
+                "edges": [],
+                "pageInfo": {
+                    "globalCount": 0
+                }
+            }
         }
     ]
 }