[Security Solution][Detections] Set default indicator path to reduce friction with new filebeat modules #92081
Changes from all commits
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,7 +6,6 @@ | |
*/ | ||
|
||
import { get, isObject } from 'lodash'; | ||
import { DEFAULT_INDICATOR_PATH } from '../../../../../common/constants'; | ||
|
||
import type { SignalSearchResponse, SignalSourceHit } from '../types'; | ||
import type { | ||
|
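Review bot: removing the import of DEFAULT_INDICATOR_PATH from '../../../../../common/constants' matches the second hunk, which replaces its only use in this file with the literal 'threat.indicator', but it also removes the last reference that would let a reader or the type checker notice if the shared constant and this literal ever drift apart. Consider keeping the coupling visible, for example with a unit test asserting DEFAULT_INDICATOR_PATH === 'threat.indicator', or by naming that constant in the comment added in the second hunk.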
@@ -92,7 +91,11 @@ export const enrichSignalThreatMatches = async ( | |
if (!isObject(threat)) { | ||
throw new Error(`Expected threat field to be an object, but found: ${threat}`); | ||
} | ||
const existingIndicatorValue = get(signalHit._source, DEFAULT_INDICATOR_PATH) ?? []; | ||
// We are not using INDICATOR_DESTINATION_PATH here because the code above | ||
// and below make assumptions about its current value, 'threat.indicator', | ||
// and making this code dynamic on an arbitrary path would introduce several | ||
// new issues. | ||
const existingIndicatorValue = get(signalHit._source, 'threat.indicator') ?? []; | ||
we could use the previously declared
I'm inclined to leave this hardcoded string for now, as the check above and the object generation below this line both make assumptions about this string in different ways.
||
const existingIndicators = [existingIndicatorValue].flat(); // ensure indicators is an array | ||
|
||
return { | ||
|
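Review bot: the new comment above `const existingIndicatorValue` says INDICATOR_DESTINATION_PATH is deliberately not used, yet the constant whose import this PR removes is DEFAULT_INDICATOR_PATH and the review thread below mentions DEFAULT_INDICATOR_SOURCE_PATH; if these names all refer to the same path, the comment should use the one that actually exists in common/constants so the next reader can find it, and it should state plainly that the `isObject(threat)` check above and the object built below only hold while that constant's value is 'threat.indicator'. The `?? []` default combined with `[existingIndicatorValue].flat()` does correctly cover a missing, single-object or array-valued `threat.indicator`.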
this could be simplified as
threatIndicatorPath || DEFAULT_INDICATOR_SOURCE_PATH
Good catch, thanks!