diff --git a/packages/ti_custom/_dev/deploy/docker/files/config.yml b/packages/ti_custom/_dev/deploy/docker/files/config.yml index b7e13eea834..2ba10211cc5 100644 --- a/packages/ti_custom/_dev/deploy/docker/files/config.yml +++ b/packages/ti_custom/_dev/deploy/docker/files/config.yml @@ -133,6 +133,140 @@ rules: } ] } + - path: /taxii2/root/collections/e554c1d6-a37a-4267-9ff0-e8b9806b48c4/objects/ + methods: ["GET"] + request_headers: + Authorization: + - 'Token abcd1234' + query_params: + next: null + responses: + - status_code: 200 + headers: + X-TAXII-Date-Added-Last: "2024-05-15T09:12:16.432Z" + Content-Type: "application/taxii+json;version=2.1" + body: |- + { + "more": true, + "objects": [ + { + "id": "indicator--1a8517ec-5cdc-5f05-a691-8e46324c6977", + "spec_version": "2.1", + "type": "indicator", + "extensions": { + "extension-definition--ea279b3e-5c71-4632-ac08-831c66a786ba": { + "extension_type": "property-extension", + "id": "e653ef87-a277-4560-b794-baab37b5bd22", + "type": "Indicator", + "created_at": "2023-10-18T07:51:26.467Z", + "updated_at": "2023-10-18T07:51:52.360Z", + "is_inferred": false, + "creator_ids": [ + "dcc3e7fa-d844-475d-a225-4143a443b6bc" + ], + "labels_ids": [ + "d5e520fc-4a74-4350-892c-9805c6834d3e", + "5d237aa8-0bf8-4751-8aae-fe3c8ee23beb", + "7475d5c3-9e4a-49a7-bc76-70d60ecbfc7d", + "66c72efe-2771-47c6-86ec-aab7d2de50e4", + "066ef6bf-b554-4f6d-b887-a3aa5ca9b67c" + ], + "created_by_ref_id": "f2a38ab9-95c4-4e7d-9e50-97bb0ecdbb2c", + "detection": true, + "score": 30, + "main_observable_type": "StixFile" + }, + "extension-definition--322b8f77-262a-4cb8-a915-1e441e00329b": { + "extension_type": "property-extension" + } + }, + "created": "2024-03-16T09:04:23.000Z", + "modified": "2024-07-18T07:51:52.360Z", + "revoked": true, + "confidence": 20, + "lang": "en", + "labels": [ + "osint", + "moderate", + "perpetual", + "certainty-50", + "very-likely" + ], + "object_marking_refs": [ + "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" + ], + "created_by_ref": "identity--4f347cc9-4658-59ee-9707-134f434f9d1c", + "name": "fe53c08e692d7ef6bfd379f9f34d48bd1f4b8c1c72c6d8d33d6e9ca234414aa9", + "description": "RiskIQ expansion", + "pattern": "[file:hashes.'SHA-256' = 'fe53c08e692d7ef6bfd379f9f34d48bd1f4b8c1c72c6d8d33d6e9ca234414aa9']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2024-03-24T14:31:50.000Z", + "valid_until": "2024-09-02T14:31:50.000Z" + }, + { + "type": "indicator", + "spec_version": "2.1", + "pattern_type": "stix", + "id": "indicator--329ae6e9-25bd-49e8-89d1-aae4ca52e4a7", + "created": "2024-05-15T09:12:16.432Z", + "modified": "2024-05-15T09:12:16.432Z", + "name": "www.webserver.dynssl.com", + "description": "www.webserver.dynssl.com resolved to 113.10.246.30, 219.90.112.203, 219.90.112.203, 75.126.95.138, 21990.112.197, and 202.65.222.45, which overlap with the gwx@123 IP addresses.", + "pattern": "[domain-name:value = 'www.webserver.dynssl.com' OR ipv4-addr:value = '113.10.246.30' OR ipv4-addr:value ='219.90.112.203' OR ipv4-addr:value = '75.126.95.138' OR ipv4-addr:value = '219.90.112.197' OR ipv4-addr:value = '20265.222.45']", + "indicator_types": [ + "malicious-activity", + "attribution" + ], + "valid_from": "2024-05-15T09:12:16.432678Z" + } + ], + "next": "next_page" + } + - path: /taxii2/root/collections/e554c1d6-a37a-4267-9ff0-e8b9806b48c4/objects/ + methods: ["GET"] + request_headers: + Authorization: + - 'Token abcd1234' + query_params: + next: 'next_page' + responses: + - status_code: 200 + headers: + X-TAXII-Date-Added-Last: "2020-03-24T14:31:50.000Z" + Content-Type: "application/taxii+json;version=2.1" + body: |- + { + "more": false, + "objects": [ + { + "id": "indicator--33041420-b509-504c-b30d-9a8ec505d7ee", + "spec_version": "2.1", + "type": "indicator", + "created": "2020-03-24T14:31:50.000Z", + "modified": "2023-10-18T07:51:59.171Z", + "revoked": true, + "confidence": 20, + "lang": "en", + "labels": [ + "certainty-50", + "perpetual", + "osint" + ], + "object_marking_refs": [ + "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" + ], + "created_by_ref": "identity--4f347cc9-4658-59ee-9707-134f434f9d1c", + "name": "abbbe10e3c6e5ed480a0743c540dbaba62ecaaf6", + "description": "RiskIQ expansion", + "pattern": "[file:hashes.'SHA-1' = 'abbbe10e3c6e5ed480a0743c540dbaba62ecaaf6']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2020-03-24T14:31:50.000Z", + "valid_until": "2021-03-24T14:31:50.000Z" + } + ] + } - path: /taxii2/root/collections/e5a96f14-8d19-4c66-80d5-46b330d1280f/objects/ methods: ["GET"] request_headers: diff --git a/packages/ti_custom/changelog.yml b/packages/ti_custom/changelog.yml index 8479d4ec882..3cd6abb0163 100644 --- a/packages/ti_custom/changelog.yml +++ b/packages/ti_custom/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Add support for alternative token authorization types. + type: enhancement + link: https://github.com/elastic/integrations/pull/14258 - version: "1.0.0" changes: - description: Release package as GA. diff --git a/packages/ti_custom/data_stream/indicator/_dev/test/system/test-taxii-token-config.yml b/packages/ti_custom/data_stream/indicator/_dev/test/system/test-taxii-token-config.yml new file mode 100644 index 00000000000..8ded57e74f3 --- /dev/null +++ b/packages/ti_custom/data_stream/indicator/_dev/test/system/test-taxii-token-config.yml @@ -0,0 +1,17 @@ +input: cel +service: stix-taxii +vars: ~ +data_stream: + vars: + url: http://{{Hostname}}:{{Port}}/taxii2/root/collections/e554c1d6-a37a-4267-9ff0-e8b9806b48c4/objects/ + api_key: abcd1234 + key_type: Token + interval: 30s + enable_taxii: true + enable_request_tracer: true + preserve_original_event: true + ioc_expiration_duration: 5d + feed_name: STIX Provider + feed_reference: https://stix-example.com +assert: + hit_count: 3 diff --git a/packages/ti_custom/data_stream/indicator/agent/stream/cel.yml.hbs b/packages/ti_custom/data_stream/indicator/agent/stream/cel.yml.hbs index 9a77e058605..f0286c3b8d4 100644 --- a/packages/ti_custom/data_stream/indicator/agent/stream/cel.yml.hbs +++ b/packages/ti_custom/data_stream/indicator/agent/stream/cel.yml.hbs @@ -45,6 +45,9 @@ state: want_more: false {{#if api_key}} api_key: {{api_key}} +{{#if key_type}} + key_type: {{key_type}} +{{/if}} {{/if}} {{#if username}} {{#if password}} @@ -91,7 +94,7 @@ program: | "Accept": [string(state.accept_header)], ?"Content-Type": state.?content_header.orValue("") != "" ? optional.of([state.content_header]) : optional.none(), "Authorization": (has(state.api_key) && state.api_key != "") ? - ["Bearer " + string(state.api_key)] + [state.?key_type.orValue("Bearer") + " " + string(state.api_key)] : (state.?username.orValue("") != "" && state.?password.orValue("") != "") ? ["Basic " + (state.username + ":" + state.password).base64()] : diff --git a/packages/ti_custom/data_stream/indicator/manifest.yml b/packages/ti_custom/data_stream/indicator/manifest.yml index 939d6bb2fe9..7152fb3b1e1 100644 --- a/packages/ti_custom/data_stream/indicator/manifest.yml +++ b/packages/ti_custom/data_stream/indicator/manifest.yml @@ -55,7 +55,15 @@ streams: show_user: false secret: true description: > - API key that the API server may require for Bearer authorization. + API key that the API server may require for token authorization. + - name: key_type + type: text + title: API Key Type + multi: false + required: false + show_user: false + description: > + The authentication key type for token authorization. If it is not provided, Bearer authorization is used. An example alternative would be "Token". - name: username type: text diff --git a/packages/ti_custom/manifest.yml b/packages/ti_custom/manifest.yml index aee0772f9fd..bb8a1828efa 100644 --- a/packages/ti_custom/manifest.yml +++ b/packages/ti_custom/manifest.yml @@ -3,7 +3,7 @@ name: ti_custom title: Custom Threat Intelligence description: Ingest threat intelligence data in STIX 2.1 format with Elastic Agent type: integration -version: 1.0.0 +version: 1.1.0 categories: - custom - security