Conversation

@SamuelHassine

Proposed commit message

[ti_opencti] Support filtering, add deduplication, update logos

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

@SamuelHassine SamuelHassine requested a review from a team as a code owner September 16, 2025 07:34
@cla-checker-service

cla-checker-service bot commented Sep 16, 2025

💚 CLA has been signed

@andrewkroh andrewkroh added Integration:ti_opencti OpenCTI documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Sep 16, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Comment on lines +40 to +54
"POST",
state.url.trim_suffix("graphql").trim_suffix("/") + "/graphql"
).with({
"Header": ({
"Content-Type": ["application/json"]
}).with(
has(state.api_key) && size(state.api_key) > 0 ?
{ "Authorization": ["Bearer " + state.api_key] }
:
{}
)
}).with({
"Body": {
"query": state.query,
"variables": {
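Review bot: making the Authorization header conditional (`has(state.api_key) && size(state.api_key) > 0 ? { "Authorization": ["Bearer " + state.api_key] } : {}`) means an unset or empty api_key silently sends unauthenticated requests to the GraphQL endpoint, which only shows up later as empty results or 401 responses; keep the header unconditional and make api_key required so a missing key fails at configuration time instead. On the URL line, `state.url.trim_suffix("graphql").trim_suffix("/") + "/graphql"` handles `https://host` and `https://host/graphql`, but a value written as `https://host/graphql/` still ends up as `.../graphql/graphql`; trimming `/` before `graphql` as well as after would cover that case.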
Contributor

Please revert this change.

fields:
- api_key
state:
url: {{url}}
Contributor

This is not required.

# Track last modified timestamp to avoid re-fetching
last_modified: null
# Filter configuration
pattern_types: {{#if pattern_types}}{{pattern_types}}{{else}}[]{{/if}}
Contributor

These should be in the pattern

Suggested change
pattern_types: {{#if pattern_types}}{{pattern_types}}{{else}}[]{{/if}}
{{#if pattern_types}}
pattern_types: {{pattern_types}}
{{/if}}

but to aid the simpler construction of the filter parameter, probably more like

Suggested change
pattern_types: {{#if pattern_types}}{{pattern_types}}{{else}}[]{{/if}}
{{#if pattern_types}}
filter.pattern_types: {{pattern_types}}
{{/if}}

) ?
{
"mode": "and",
"filters": (
Contributor

This can be done more readably with an expression mapping over the set of filters.

@botelastic

botelastic bot commented Oct 19, 2025

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!

@chemamartinez
Contributor

Hi @SamuelHassine,

I hope you are well. I made some changes to your contribution in order to make it work properly (@efd6, your comments were addressed too), but since I don't have permission to push changes to your repository, I had to open a new pull request #15876.

@botelastic botelastic bot removed the Stalled label Nov 5, 2025
@chemamartinez
Contributor

Closing this PR in favor of #15876. @SamuelHassine thanks for your contribution!

Development

Successfully merging this pull request may close these issues.

[ti_opencti]: Support filtering of indicators
