ti_custom: add support for alternative token auth types #14258

134 changes: 134 additions & 0 deletions packages/ti_custom/_dev/deploy/docker/files/config.yml
Expand Up @@ -133,6 +133,140 @@ rules:
}
]
}
- path: /taxii2/root/collections/e554c1d6-a37a-4267-9ff0-e8b9806b48c4/objects/
methods: ["GET"]
request_headers:
Authorization:
- 'Token abcd1234'
query_params:
next: null
responses:
- status_code: 200
headers:
X-TAXII-Date-Added-Last: "2024-05-15T09:12:16.432Z"
Content-Type: "application/taxii+json;version=2.1"
body: |-
{
"more": true,
"objects": [
{
"id": "indicator--1a8517ec-5cdc-5f05-a691-8e46324c6977",
"spec_version": "2.1",
"type": "indicator",
"extensions": {
"extension-definition--ea279b3e-5c71-4632-ac08-831c66a786ba": {
"extension_type": "property-extension",
"id": "e653ef87-a277-4560-b794-baab37b5bd22",
"type": "Indicator",
"created_at": "2023-10-18T07:51:26.467Z",
"updated_at": "2023-10-18T07:51:52.360Z",
"is_inferred": false,
"creator_ids": [
"dcc3e7fa-d844-475d-a225-4143a443b6bc"
],
"labels_ids": [
"d5e520fc-4a74-4350-892c-9805c6834d3e",
"5d237aa8-0bf8-4751-8aae-fe3c8ee23beb",
"7475d5c3-9e4a-49a7-bc76-70d60ecbfc7d",
"66c72efe-2771-47c6-86ec-aab7d2de50e4",
"066ef6bf-b554-4f6d-b887-a3aa5ca9b67c"
],
"created_by_ref_id": "f2a38ab9-95c4-4e7d-9e50-97bb0ecdbb2c",
"detection": true,
"score": 30,
"main_observable_type": "StixFile"
},
"extension-definition--322b8f77-262a-4cb8-a915-1e441e00329b": {
"extension_type": "property-extension"
}
},
"created": "2024-03-16T09:04:23.000Z",
"modified": "2024-07-18T07:51:52.360Z",
"revoked": true,
"confidence": 20,
"lang": "en",
"labels": [
"osint",
"moderate",
"perpetual",
"certainty-50",
"very-likely"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"created_by_ref": "identity--4f347cc9-4658-59ee-9707-134f434f9d1c",
"name": "fe53c08e692d7ef6bfd379f9f34d48bd1f4b8c1c72c6d8d33d6e9ca234414aa9",
"description": "RiskIQ expansion",
"pattern": "[file:hashes.'SHA-256' = 'fe53c08e692d7ef6bfd379f9f34d48bd1f4b8c1c72c6d8d33d6e9ca234414aa9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-03-24T14:31:50.000Z",
"valid_until": "2024-09-02T14:31:50.000Z"
},
{
"type": "indicator",
"spec_version": "2.1",
"pattern_type": "stix",
"id": "indicator--329ae6e9-25bd-49e8-89d1-aae4ca52e4a7",
"created": "2024-05-15T09:12:16.432Z",
"modified": "2024-05-15T09:12:16.432Z",
"name": "www.webserver.dynssl.com",
"description": "www.webserver.dynssl.com resolved to 113.10.246.30, 219.90.112.203, 219.90.112.203, 75.126.95.138, 21990.112.197, and 202.65.222.45, which overlap with the gwx@123 IP addresses.",
"pattern": "[domain-name:value = 'www.webserver.dynssl.com' OR ipv4-addr:value = '113.10.246.30' OR ipv4-addr:value ='219.90.112.203' OR ipv4-addr:value = '75.126.95.138' OR ipv4-addr:value = '219.90.112.197' OR ipv4-addr:value = '20265.222.45']",
"indicator_types": [
"malicious-activity",
"attribution"
],
"valid_from": "2024-05-15T09:12:16.432678Z"
}
],
"next": "next_page"
}
- path: /taxii2/root/collections/e554c1d6-a37a-4267-9ff0-e8b9806b48c4/objects/
methods: ["GET"]
request_headers:
Authorization:
- 'Token abcd1234'
query_params:
next: 'next_page'
responses:
- status_code: 200
headers:
X-TAXII-Date-Added-Last: "2020-03-24T14:31:50.000Z"
Content-Type: "application/taxii+json;version=2.1"
body: |-
{
"more": false,
"objects": [
{
"id": "indicator--33041420-b509-504c-b30d-9a8ec505d7ee",
"spec_version": "2.1",
"type": "indicator",
"created": "2020-03-24T14:31:50.000Z",
"modified": "2023-10-18T07:51:59.171Z",
"revoked": true,
"confidence": 20,
"lang": "en",
"labels": [
"certainty-50",
"perpetual",
"osint"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"created_by_ref": "identity--4f347cc9-4658-59ee-9707-134f434f9d1c",
"name": "abbbe10e3c6e5ed480a0743c540dbaba62ecaaf6",
"description": "RiskIQ expansion",
"pattern": "[file:hashes.'SHA-1' = 'abbbe10e3c6e5ed480a0743c540dbaba62ecaaf6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-03-24T14:31:50.000Z",
"valid_until": "2021-03-24T14:31:50.000Z"
}
]
}
- path: /taxii2/root/collections/e5a96f14-8d19-4c66-80d5-46b330d1280f/objects/
methods: ["GET"]
request_headers:
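Review bot: The second mocked object (`indicator--329ae6e9-…`) is internally inconsistent: its description lists `21990.112.197` and `20265.222.45`, while the pattern on the next line has `219.90.112.197` but also `20265.222.45`, so neither the description nor the pattern reads as the same address set; the system test only counts hits, so this is harmless, but correcting the two mangled octets (`219.90.112.197`, `202.65.222.45`) keeps the fixture a plausible STIX sample. The two new routes appear to mirror the existing collection routes with only the `Authorization` match changed to `'Token abcd1234'`, which is what gives the test its value: a request that still sends `Bearer` would not match these routes, so a regression surfaces in the hit count instead of passing silently.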
5 changes: 5 additions & 0 deletions packages/ti_custom/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.1.0"
changes:
- description: Add support for alternative token authorization types.
type: enhancement
link: https://github.com/elastic/integrations/pull/14258
- version: "1.0.0"
changes:
- description: Release package as GA.
@@ -0,0 +1,17 @@
input: cel
service: stix-taxii
vars: ~
data_stream:
vars:
url: http://{{Hostname}}:{{Port}}/taxii2/root/collections/e554c1d6-a37a-4267-9ff0-e8b9806b48c4/objects/
api_key: abcd1234
key_type: Token
interval: 30s
enable_taxii: true
enable_request_tracer: true
preserve_original_event: true
ioc_expiration_duration: 5d
feed_name: STIX Provider
feed_reference: https://stix-example.com
assert:
hit_count: 3
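Review bot: This configuration covers only the explicit `key_type: Token` path; unless a sibling system-test config (not visible on this page) already runs with `key_type` unset, the default `Bearer` branch of the changed template has no regression test, and a copy of this file without the `key_type` line would provide one against the existing Bearer routes. The `hit_count: 3` expectation depends on both new mock routes matching the `Token abcd1234` header, so it does exercise the header format rather than just the request count. Minor: `vars: ~` uses the tilde form of null; `vars: null` reads more plainly, although consistency with the package's other test configs should win if they all use `~`.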
Expand Up @@ -45,6 +45,9 @@ state:
want_more: false
{{#if api_key}}
api_key: {{api_key}}
{{#if key_type}}
key_type: {{key_type}}
{{/if}}
{{/if}}
{{#if username}}
{{#if password}}
Expand Down Expand Up @@ -91,7 +94,7 @@ program: |
"Accept": [string(state.accept_header)],
?"Content-Type": state.?content_header.orValue("") != "" ? optional.of([state.content_header]) : optional.none(),
"Authorization": (has(state.api_key) && state.api_key != "") ?
["Bearer " + string(state.api_key)]
[state.?key_type.orValue("Bearer") + " " + string(state.api_key)]
: (state.?username.orValue("") != "" && state.?password.orValue("") != "") ?
["Basic " + (state.username + ":" + state.password).base64()]
:
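Review bot: `key_type: {{key_type}}` is emitted unquoted into the rendered state YAML, so a user value that YAML re-types (`NO`, `Off`, `123`) or that contains `: ` or ` #` is silently converted or breaks the rendered config; in the re-typed case `state.?key_type.orValue("Bearer")` yields a non-string and the `+ " " +` concatenation on the CEL line fails at request time rather than at configuration time. The existing `api_key: {{api_key}}` line has the same shape, but `key_type` is a plain text field that is more likely to receive a word than a random secret, so quoting it — `key_type: "{{key_type}}"`, or whatever escaping helper the package's other templates use for user text — is worth doing here even if `api_key` is left as is. The `{{#if key_type}}` guard already drops empty values, so `orValue("Bearer")` is never handed `""`; a one-line comment above the CEL line, `// Scheme defaults to Bearer; key_type is omitted from state when empty.`, would make that dependency explicit. Both the `state:` block and the `program:` block begin and end outside these hunks.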
10 changes: 9 additions & 1 deletion packages/ti_custom/data_stream/indicator/manifest.yml
Expand Up @@ -55,7 +55,15 @@ streams:
show_user: false
secret: true
description: >
API key that the API server may require for Bearer authorization.
API key that the API server may require for token authorization.
- name: key_type
type: text
title: API Key Type
multi: false
required: false
show_user: false
description: >
The authentication key type for token authorization. If it is not provided, Bearer authorization is used. An example alternative would be "Token".

- name: username
type: text
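Review bot: The `key_type` description does not say how the value is used — it is placed verbatim in front of the API key as the `Authorization` scheme — so a user could reasonably enter `Token ` with a trailing space, or `Bearer:`, and get a malformed header with no validation to catch it. Suggested wording for the folded description: `Scheme name placed before the API key in the Authorization header ("<key_type> <api_key>"). Defaults to "Bearer" when empty. Must be a single word with no spaces, for example "Token".` If the set of schemes the integration intends to support is small, a `select` field with fixed options (where the package spec in use allows it) would remove the free-text failure mode entirely; the `streams:` block this sits in begins and ends outside the hunk.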
2 changes: 1 addition & 1 deletion packages/ti_custom/manifest.yml
Expand Up @@ -3,7 +3,7 @@ name: ti_custom
title: Custom Threat Intelligence
description: Ingest threat intelligence data in STIX 2.1 format with Elastic Agent
type: integration
version: 1.0.0
version: 1.1.0
categories:
- custom
- security