Improve CSV mapper for IOCs #6270

Closed
jborozco opened this issue Mar 4, 2024 · 1 comment
Labels
feature use for describing a new feature to develop wontfix use to identify issue that won’t be worked on

Comments

@jborozco
Member

jborozco commented Mar 4, 2024

Use case

  1. For an indicator to be ingested, it needs to have a formatted pattern.

This "[url:value = 'http://219.155.17.110:39399/i']" is a valid STIX pattern => the indicator will be ingested.

This "http://219.155.17.110:39399/i'" is not, the indicator will not be ingested.

In the case of CSV feeds, we often treat raw info without the right formatting and CSV Mapper doesn't allow us to reformat, which leads to many indicators not being ingested.

  2. In the CSV mapper, we can only map one column at a time, but it would make sense to import multiple columns to create complex patterns.

Current Workaround

None

Proposed Solution

To ingest indicators in the right format, in our CSV mapper, we need to be able to:

  • Choose the type of pattern (STIX at least)
  • Write down the format we want to use and have placeholders for the CSV Values
  • Be able to call multiple columns
  • Test if the format is right.

Additional Information

Feed to import:
https://www.loldrivers.io/api/drivers.csv

[drivers.csv](https://prod-files-secure.s3.us-west-2.amazonaws.com/aafc277c-e0cd-4c16-ad83-b076df0f9eef/c492f738-4e49-422e-bceb-84000bb89738/drivers.csv)

Important columns for the mapping:
R: hash265
K: External reference
AA: filename/Tool

If the feature request is approved, would you be willing to submit a PR?

Yes
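
The placeholder-based mapping proposed in the issue above, sketched as an added example (not OpenCTI code and not part of the original issue). The column names, the template, the sample rows and the simplified shape check are assumptions made for illustration; values are escaped so a quote inside a CSV cell cannot change the structure of the pattern.

```python
import csv
import io
import re
from typing import Optional

PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_]+)\}")
# Simplified shape check (assumption: not a full STIX grammar):
# [type:path = 'literal'] with optional AND/OR between comparisons.
_CMP = r"[a-z0-9-]+:[A-Za-z0-9_.'\-]+\s*=\s*'(?:[^'\\]|\\.)*'"
PATTERN_SHAPE = re.compile(rf"^\[{_CMP}(?:\s+(?:AND|OR)\s+{_CMP})*\]$")
# Hypothetical template combining two constructed column names.
FILE_TEMPLATE = "[file:hashes.'SHA-256' = '{sha256}' AND file:name = '{filename}']"
# Constructed sample feed; the hashes are filler, not real indicators.
SAMPLE_CSV = (
    "sha256,filename,reference\n"
    f"{'ab' * 32},driver_a.sys,https://example.org/ref1\n"
    ",driver_b.sys,https://example.org/ref2\n"
    f"{'cd' * 32},it's.sys,https://example.org/ref3\n"
)

def stix_escape(value: str) -> str:
    """Escape backslash and single quote for a STIX string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def _required(row: dict, column: str) -> str:
    value = row.get(column)
    if not value:  # missing column or empty cell
        raise KeyError(column)
    return value

def render_pattern(template: str, row: dict) -> Optional[str]:
    """Fill {column} placeholders from one row; None if unusable."""
    try:
        filled = PLACEHOLDER.sub(
            lambda m: stix_escape(_required(row, m.group(1))), template)
    except KeyError:
        return None
    return filled if PATTERN_SHAPE.match(filled) else None

def map_csv(text: str, template: str):
    """Return (patterns, skipped CSV line numbers); header is line 1."""
    patterns, skipped = [], []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        pattern = render_pattern(template, row)
        if pattern:
            patterns.append(pattern)
        else:
            skipped.append(line_no)
    return patterns, skipped

if __name__ == "__main__":
    print(map_csv(SAMPLE_CSV, FILE_TEMPLATE))
```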

@jborozco jborozco added feature use for describing a new feature to develop needs triage use to identify issue needing triage from Filigran Product team labels Mar 4, 2024
@jborozco jborozco added this to the Short-term candidates milestone Mar 18, 2024
@jborozco jborozco removed the needs triage use to identify issue needing triage from Filigran Product team label Mar 18, 2024
@Jipegien Jipegien modified the milestones: Short-term candidates, Release 6.4.0 Apr 17, 2024
@SamuelHassine SamuelHassine added filigran team use to identify PR from the Filigran team and removed filigran team use to identify PR from the Filigran team labels Apr 20, 2024
@nino-filigran nino-filigran removed this from the Release 6.4.0 milestone Jun 25, 2024
@nino-filigran nino-filigran changed the title Improve CSV mapper Improve CSV mapper for IOCs Aug 22, 2024
@nino-filigran

Closing this issue since in the end we will not do it as such.
To answer the first use case explained above, the solution is to ingest the data as an observable & through automation to promote the associated IOC.

To answer the second use case, the goal would be to be able to introduce some computation to be able for instance to concatenate some values. Ticket to follow is this one: #9148

@nino-filigran nino-filigran added the wontfix use to identify issue that won’t be worked on label Nov 26, 2024