Skip to content

ti_abusech: Quality - Improve ECS compatibility and tests #14395

New issue
New issue
Closed
#14586
Closed
ti_abusech: Quality - Improve ECS compatibility and tests#14395
#14586
Assignees
navnit-elastic
Labels
Category: Integration qualityCategory: Quality used for SI planningIntegration:ti_abusechabuse.chTeam:Sit-CrestCrest developers on the Security Integrations team [elastic/sit-crest-contractors]enhancementNew feature or request
@kcreddy

Description

@kcreddy
kcreddy
opened on Jul 2, 2025

Check and update following areas to improve ECS compatability.

  • Required ECS fields should be mapped, the standard list of ECS fields can be found here https://www.elastic.co/guide/en/security/current/siem-field-reference.html
  • Review ECS mapping and enrichment
    • For threat intel indicators more fields are required for detection rules. More details: https://www.elastic.co/docs/reference/ecs/ecs-threat-usage, https://github.com/elastic/detection-rules/tree/main/rules/threat_intel
      • event.kind: enrichment
      • event.category: threat
      • event.type: indicator
      • event.module equals threatintel or matches ti_* pattern.
      • labels.is_ioc_transform_source: true in transform's source data and labels.is_ioc_transform_source: false in destination.
      • threat.indicator.type exists
      • Based on threat.indicator.type, presence of other fields, namely threat.indicator.ip, hreat.indicator.email.address, threat.indicator.file.hash or threat.indicator.file.pe.imphash, threat.indicator.registry.path, and threat.indicator.url.full
    • Security > Intelligence view.
      • Filter out events containing CEL errors, these are showing up in Intelligence view. Add fail/terminate processors and filter out inside transform error.message: cel_failure.
      • Needs threat.feed.name and threat.feed.dashboard_id fields to be populated.
      • Last seen column in the view is currently empty for most indicators. Check if threat.indicator.last_seen can be populated.
      • When the document inside this view is expanded, TLP Marking and Confidence is empty for all documents. Check if these can be populated.
        • As per Abusech Threatfox documentation, all indicators are marked as TLP:WHITE.
        • threat.indicator.confidence is only populated in threatfox. In malware and url, this can be probably derived from virustotal.percent. If the confidence cannot be derived, the default should be Not Specified as per ECS.

System tests:

Metadata

Metadata

Assignees

Labels

Category: Integration qualityCategory: Quality used for SI planningIntegration:ti_abusechabuse.chTeam:Sit-CrestCrest developers on the Security Integrations team [elastic/sit-crest-contractors]enhancementNew feature or request

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions