[CrowdStrike Falcon Intelligence]: IOC enrichment failed for custom IOCs except IP #11688
Labels
Integration:crowdstrike
CrowdStrike
needs:triage
Team:Security-Service Integrations
Security Service Integrations Team [elastic/security-service-integrations]
Integration Name
CrowdStrike [crowdstrike]
Dataset Name
ti_crowdstrike.ioc
Integration Version
v1.1.7
Agent Version
8.13.3
Agent Output Type
elasticsearch
Elasticsearch Version
8.13.3
OS Version and Architecture
Oracle Linux Server 9.4
Software/API Version
No response
Error Message
Ignored value (The value in this field is malformed and can't be searched or filtered)
Event Original:
{"action":"no_action","applied_globally":false,"created_by":"[email protected]","created_on":"2024-11-11T09:17:03.445826361Z","deleted":false,"description":"Test hash IOC","expired":false,"from_parent":false,"host_groups":["my_host_group"],"id":"a3redactedredactedredactedredactedredactedef21","metadata":{},"modified_by":"[email protected]","modified_on":"2024-11-11T09:17:03.445826361Z","platforms":["windows"],"severity":"medium","type":"md5","value":"65efdcbd4bc64e6e48d82bfa31f710fd"}
What did you do?
I added custom IOCs of different types (hashes, domains, IPs) in crowdstrike portal
What did you see?
In Kibana, I found that the IOC values are only enriched as IPs regardless of the original type, which causes this issue if the IOC type is not an IP address.
Only IP address IOC types are enriched as intended.
What did you expect to see?
All IOC types should be enriched as intended.
Anything else?
To search, filter and correlate on the ti_crowdstrike.ioc.value field, we need that field to be enriched correctly regardless of the IOC type.
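The failure described in this issue, reproduced as an added example that is not code from the elastic/integrations project or from the reporter. It emulates the two halves of the problem in plain Python: a mapping in which the value field is typed `ip` (so an MD5 or domain is dropped as a malformed value, the "Ignored value" Kibana shows) beside a type-aware routing that sends each value to an ECS `threat.indicator` field chosen from the IOC's declared `type` and keeps `ti_crowdstrike.ioc.value` as a keyword. The sample records, the CrowdStrike type names (md5/sha1/sha256/domain/ipv4/ipv6) and the ECS destination fields are assumptions made for the example, not taken from the integration's pipeline.

```python
"""Added example: an ip-typed value field versus type-aware routing of CrowdStrike custom IOCs."""
import ipaddress

# Constructed sample records in the shape of the event.original on this page (ids and values are made up).
SAMPLE_IOCS = [
    {"id": "ioc-1", "type": "md5", "value": "65efdcbd4bc64e6e48d82bfa31f710fd"},
    {"id": "ioc-2", "type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"id": "ioc-3", "type": "domain", "value": "bad.example.com"},
    {"id": "ioc-4", "type": "ipv4", "value": "203.0.113.7"},
    {"id": "ioc-5", "type": "ipv6", "value": "2001:db8::1"},
]

# Assumption: CrowdStrike custom IOC types are md5/sha1/sha256/domain/ipv4/ipv6, and the
# destinations below follow ECS threat.indicator conventions (not the integration's own pipeline).
ECS_TARGET = {
    "md5": ("file", "threat.indicator.file.hash.md5"),
    "sha1": ("file", "threat.indicator.file.hash.sha1"),
    "sha256": ("file", "threat.indicator.file.hash.sha256"),
    "domain": ("domain-name", "threat.indicator.url.domain"),
    "ipv4": ("ipv4-addr", "threat.indicator.ip"),
    "ipv6": ("ipv6-addr", "threat.indicator.ip"),
}

# Field mappings as {dotted path: Elasticsearch field type}; unlisted paths are treated as keyword.
NAIVE_MAPPING = {"ti_crowdstrike.ioc.value": "ip", "threat.indicator.ip": "ip"}
FIXED_MAPPING = {"ti_crowdstrike.ioc.value": "keyword", "threat.indicator.ip": "ip"}


def set_path(doc, path, value):
    """Set a dotted path inside nested dicts, creating intermediate objects."""
    *parents, leaf = path.split(".")
    cur = doc
    for key in parents:
        cur = cur.setdefault(key, {})
    cur[leaf] = value


def get_path(doc, path):
    """Read a dotted path; None when any segment is missing."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def flatten(doc, prefix=""):
    """Yield (dotted path, leaf value) pairs for a nested document."""
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            yield path, value


def enrich_naive(ioc):
    """Reproduces the reported behaviour: every value is treated as an IP indicator."""
    doc = {"ti_crowdstrike": {"ioc": dict(ioc)}}
    set_path(doc, "threat.indicator.type", "ipv4-addr")
    set_path(doc, "threat.indicator.ip", ioc["value"])
    return doc


def enrich_by_type(ioc):
    """Routes the value to an ECS field chosen from the IOC's declared type."""
    doc = {"ti_crowdstrike": {"ioc": dict(ioc)}}
    indicator_type, target = ECS_TARGET[ioc["type"]]
    set_path(doc, "threat.indicator.type", indicator_type)
    set_path(doc, target, ioc["value"])
    return doc


def index(doc, mapping):
    """Emulate ignore_malformed on ip-typed fields: return (stored_doc, ignored_paths)."""
    stored, ignored = {}, []
    for path, value in flatten(doc):
        if mapping.get(path) == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                ignored.append(path)  # what Kibana surfaces as "Ignored value"
                continue
        set_path(stored, path, value)
    return stored, ignored


def run(ioc, enrich, mapping):
    """Enrich one IOC record and index it under the given mapping."""
    return index(enrich(ioc), mapping)


if __name__ == "__main__":
    for ioc in SAMPLE_IOCS:
        _, naive_ignored = run(ioc, enrich_naive, NAIVE_MAPPING)
        _, typed_ignored = run(ioc, enrich_by_type, FIXED_MAPPING)
        print(f"{ioc['type']:7} naive ignored={naive_ignored} typed ignored={typed_ignored}")
```

With the naive mapping only the ipv4 and ipv6 records survive intact; every hash and domain record loses its value to the ignored list, which is exactly the symptom in the report. With type-aware routing nothing is ignored, `ti_crowdstrike.ioc.value` stays searchable as a keyword for every record, and the typed ECS field (`file.hash.md5`, `url.domain`, `ip`) carries the value for correlation.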