threatq: Adjust transform fields

elastic · Jun 4, 2024 · 23d53dc · 23d53dc
1 parent a41de26
commit 23d53dc
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 15 deletions.
diff --git a/packages/ti_threatq/changelog.yml b/packages/ti_threatq/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.27.1"
+  changes:
+    - description: Adjust field mappings for transform destination index.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1111
 - version: "1.27.0"
   changes:
     - description: Improve handling of empty responses.

diff --git a/packages/ti_threatq/elasticsearch/transform/latest_ioc/fields/base-fields.yml b/packages/ti_threatq/elasticsearch/transform/latest_ioc/fields/base-fields.yml
@@ -7,18 +7,6 @@
 - name: data_stream.namespace
   type: constant_keyword
   description: Data stream namespace.
-- name: event.module
-  type: constant_keyword
-  description: Event module
-  value: ti_threatq
-- name: threat.feed.dashboard_id
-  type: constant_keyword
-  description: Dashboard ID used for Kibana CTI UI
-  value: ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848
-- name: event.dataset
-  type: constant_keyword
-  description: Event dataset
-  value: ti_threatq.threat
 - name: "@timestamp"
   type: date
   description: Event timestamp.
diff --git a/packages/ti_threatq/elasticsearch/transform/latest_ioc/fields/ecs.yml b/packages/ti_threatq/elasticsearch/transform/latest_ioc/fields/ecs.yml
@@ -62,3 +62,18 @@
   name: threat.indicator.file.hash.sha512
 - external: ecs
   name: threat.indicator.marking.tlp
+# Below fields to be moved into base-fields.yml after kibana.version changed to >= 8.14 
+# Related to fix: https://github.com/elastic/kibana/pull/177608
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: ti_threatq
+- name: threat.feed.dashboard_id
+  type: constant_keyword
+  description: Dashboard ID used for Kibana CTI UI
+  value: ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: ti_threatq.threat
+
diff --git a/packages/ti_threatq/elasticsearch/transform/latest_ioc/transform.yml b/packages/ti_threatq/elasticsearch/transform/latest_ioc/transform.yml
@@ -9,7 +9,7 @@ source:
 # us that ability in order to prevent having duplicate IoC data and prevent query
 # time field type conflicts.
 dest:
-  index: "logs-ti_threatq_latest.dest_threat-1"
+  index: "logs-ti_threatq_latest.dest_threat-2"
   aliases:
     - alias: "logs-ti_threatq_latest.threat"
       move_on_creation: true
@@ -32,4 +32,4 @@ retention_policy:
 _meta:
   managed: true
   # Bump this version to delete, reinstall, and restart the transform during package.
-  fleet_transform_version: 0.1.0
+  fleet_transform_version: 0.2.0
diff --git a/packages/ti_threatq/manifest.yml b/packages/ti_threatq/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_threatq
 title: ThreatQuotient
-version: "1.27.0"
+version: "1.27.1"
 description: Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent.
 type: integration
 format_version: "3.0.2"