[production] Promote packages from snapshot (carbon_black_cloud-0.1.0, checkpoint-1.3.5, cisco_ftd-2.0.3, ti_abusech-1.2.3, ti_anomali-1.2.3, ti_cybersixgill-1.3.2, ti_misp-1.2.2, ti_otx-1.2.2, ti_recordedfuture-0.1.2, ti_threatq-1.2.2)

packages/carbon_black_cloud/0.1.0/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: 0.1.0
+  changes:
+    - description: Initial draft of the package.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2760

packages/carbon_black_cloud/0.1.0/data_stream/alert/agent/stream/aws-s3.yml.hbs

@@ -0,0 +1,24 @@
+bucket_arn: {{bucket_arn}}
+number_of_workers: {{number_of_workers}}
+bucket_list_interval: {{interval}}
+access_key_id: {{access_key_id}}
+secret_access_key: {{secret_access_key}}
+bucket_list_prefix: {{bucket_list_prefix}}
+expand_event_list_from_field: Records
+{{#if proxy_url}}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}

packages/carbon_black_cloud/0.1.0/data_stream/alert/agent/stream/httpjson.yml.hbs

@@ -0,0 +1,52 @@
+config_version: 2
+interval: {{interval}}
+request.timeout: 2m
+request.method: POST
+
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+
+request.url: {{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search
+request.transforms:
+  - set:
+      target: header.X-Auth-Token
+      value: {{custom_api_secret_key}}/{{custom_api_id}}
+  - set:
+      target: body.criteria.last_update_time.start
+      value: '[[.cursor.last_update_timestamp]]'
+      default: '[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "-15m")) "RFC3339"]]'
+  - set:
+      target: body.criteria.last_update_time.end
+      value: '[[formatDate (now (parseDuration "-15m")) "RFC3339"]]'
+  - set:
+      target: body.sort
+      value: '[{ "field": "last_update_time", "order": "ASC"}]'
+      value_type: json
+response.pagination: 
+  - set:
+      target: body.criteria.last_update_time.start
+      value: '[[if (ne .last_response.body.num_found .last_response.body.num_available)]][[.last_event.last_update_time]][[else]][[.last_response.terminate_pagination]][[end]]'
+      fail_on_template_error: true
+cursor:
+  last_update_timestamp:
+    value: '[[.last_event.last_update_time]]'
+response.split:
+  target: body.results
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}

packages/carbon_black_cloud/0.1.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml

@@ -0,0 +1,294 @@
+---
+description: Pipeline for parsing Carbon Black Cloud alerts.
+processors:
+  - set:
+      field: ecs.version
+      value: "8.0.0"
+  - rename:
+      field: message
+      target_field: event.original
+      ignore_missing: true
+  - json:
+      field: event.original
+      target_field: json
+      ignore_failure: true
+  - fingerprint:
+      fields:
+        - json.id
+        - json.create_time
+        - json.last_update_time
+      target_field: _id
+      ignore_missing: true
+  - date:
+      field: json.create_time
+      target_field: "@timestamp"
+      ignore_failure: true
+      formats:
+        - ISO8601
+  - set:
+      field: event.kind
+      value: alert
+  - rename:
+      field: json.id
+      target_field: event.id
+      ignore_missing: true
+  - rename:
+      field: json.first_event_time
+      target_field: event.start
+      ignore_missing: true
+  - rename:
+      field: json.last_event_time
+      target_field: event.end
+      ignore_missing: true
+  - rename:
+      field: json.severity
+      target_field: event.severity
+      ignore_missing: true
+  - urldecode:
+      field: json.alert_url
+      target_field: event.url
+      ignore_missing: true
+  - rename:
+      field: json.reason
+      target_field: event.reason
+      ignore_missing: true
+  - convert:
+      field: json.device_id
+      target_field: host.id
+      type: string
+      ignore_missing: true
+  - set:
+      field: host.os.type
+      value: windows
+      if: ctx?.json?.device_os == "WINDOWS"
+  - set:
+      field: host.os.type
+      value: linux
+      if: ctx?.json?.device_os == "LINUX"
+  - set:
+      field: host.os.type
+      value: macos
+      if: ctx?.json?.device_os == "MAC"
+  - set:
+      field: event.kind
+      value: alert
+  - rename:
+      field: json.device_os_version
+      target_field: host.os.version
+      ignore_missing: true
+  - rename:
+      field: json.device_name
+      target_field: host.hostname
+      ignore_missing: true
+  - append:
+      field: host.ip
+      value: "{{{json.device_internal_ip}}}"
+      if: ctx?.json?.device_internal_ip != null
+      allow_duplicates: false
+      ignore_failure: true
+  - append:
+      field: host.ip
+      value: "{{{json.device_external_ip}}}"
+      if: ctx?.json?.device_external_ip != null
+      allow_duplicates: false
+      ignore_failure: true
+  - rename:
+      field: json.device_username
+      target_field: user.name
+      ignore_missing: true
+  - append:
+      field: related.ip
+      value: 
+        - "{{{json.device_internal_ip}}}"
+        - "{{{json.device_external_ip}}}"
+      allow_duplicates: false
+  - append:
+      field: related.user
+      value: "{{{user.name}}}"
+      allow_duplicates: false
+  - append:
+      field: related.hosts
+      value: "{{{host.hostname}}}"
+      allow_duplicates: false
+  - append:
+      field: related.hash
+      value:
+        - "{{{json.threat_cause_actor_md5}}}"
+        - "{{{json.threat_cause_actor_sha256}}}"
+      allow_duplicates: false
+  - rename:
+      field: json.process_name
+      target_field: process.name
+      ignore_missing: true
+  - rename:
+      field: json.process_path
+      target_field: process.executable
+      ignore_missing: true
+  - rename:
+      field: json.process_guid
+      target_field: process.entity_id
+      ignore_missing: true
+  - rename:
+      field: json.vendor_name
+      target_field: carbon_black_cloud.alert.vendor_name
+      ignore_missing: true
+  - rename:
+      field: json.product_name
+      target_field: carbon_black_cloud.alert.product_name
+      ignore_missing: true
+  - rename:
+      field: json.serial_number
+      target_field: carbon_black_cloud.alert.serial_number
+      ignore_missing: true
+  - rename:
+      field: json.policy_id
+      target_field: carbon_black_cloud.alert.policy.id
+      ignore_missing: true
+  - rename:
+      field: json.policy_name
+      target_field: carbon_black_cloud.alert.policy.name
+      ignore_missing: true
+  - rename:
+      field: json.threat_id
+      target_field: carbon_black_cloud.alert.threat_id
+      ignore_missing: true
+  - rename:
+      field: json.policy_applied
+      target_field: carbon_black_cloud.alert.policy.applied
+      ignore_missing: true
+  - rename:
+      field: json.threat_activity_c2
+      target_field: carbon_black_cloud.alert.threat_activity.c2
+      ignore_missing: true
+  - rename:
+      field: json.threat_activity_dlp
+      target_field: carbon_black_cloud.alert.threat_activity.dlp
+      ignore_missing: true
+  - rename:
+      field: json.threat_activity_phish
+      target_field: carbon_black_cloud.alert.threat_activity.phish
+      ignore_missing: true
+  - rename:
+      field: json.threat_cause_actor_name
+      target_field: carbon_black_cloud.alert.threat_cause.actor.name
+      ignore_missing: true
+  - rename:
+      field: json.threat_cause_actor_process_pid
+      target_field: carbon_black_cloud.alert.threat_cause.actor.process_pid
+      ignore_missing: true
+  - rename:
+      field: json.threat_cause_actor_sha256
+      target_field: carbon_black_cloud.alert.threat_cause.actor.sha256
+      ignore_missing: true
+  - rename:
+      field: json.threat_cause_actor_md5
+      target_field: carbon_black_cloud.alert.threat_cause.actor.md5
+      ignore_missing: true
+  - rename:
+      field: json.threat_cause_cause_event_id
+      target_field: carbon_black_cloud.alert.threat_cause.cause_event_id
+      ignore_missing: true
+  - rename:
+      field: json.threat_cause_parent_guid
+      target_field: carbon_black_cloud.alert.threat_cause.process.parent.guid
+      ignore_missing: true
+  - rename:
+      field: json.threat_cause_process_guid
+      target_field: carbon_black_cloud.alert.threat_cause.process.guid
+      ignore_missing: true
+  - rename:
+      field: json.threat_cause_reputation
+      target_field: carbon_black_cloud.alert.threat_cause.reputation
+      ignore_missing: true
+  - rename:
+      field: json.threat_cause_threat_category
+      target_field: carbon_black_cloud.alert.threat_cause.threat_category
+      ignore_missing: true
+  - rename:
+      field: json.threat_cause_vector
+      target_field: carbon_black_cloud.alert.threat_cause.vector
+      ignore_missing: true
+  - rename:
+      field: json.ioc_field
+      target_field: carbon_black_cloud.alert.ioc.field
+      ignore_missing: true
+  - rename:
+      field: json.ioc_hit
+      target_field: carbon_black_cloud.alert.ioc.hit
+      ignore_missing: true
+  - rename:
+      field: json.ioc_id
+      target_field: carbon_black_cloud.alert.ioc.id
+      ignore_missing: true
+  - rename:
+      field: json.report_id
+      target_field: carbon_black_cloud.alert.report.id
+      ignore_missing: true
+  - rename:
+      field: json.report_name
+      target_field: carbon_black_cloud.alert.report.name
+      ignore_missing: true
+  - rename:
+      field: json.org_key
+      target_field: carbon_black_cloud.alert.organization_key
+      ignore_missing: true
+  - rename:
+      field: json.device_location
+      target_field: carbon_black_cloud.alert.device.location
+      ignore_missing: true
+  - rename:
+      field: json.device_os
+      target_field: carbon_black_cloud.alert.device.os
+      ignore_missing: true
+  - rename:
+      field: json.device_internal_ip
+      target_field: carbon_black_cloud.alert.device.internal_ip
+      ignore_missing: true
+  - rename:
+      field: json.device_external_ip
+      target_field: carbon_black_cloud.alert.device.external_ip
+      ignore_missing: true
+  - remove:
+      field: event.original
+      if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+      ignore_failure: true
+      ignore_missing: true
+  - lowercase:
+      field: json.category
+      ignore_missing: true
+  - script:
+      description: Adds all the remaining fields in fields under carbon_black_cloud.alert
+      lang: painless
+      if: ctx?.json != null
+      source: |
+        for (Map.Entry m : ctx.json.entrySet()) {
+          ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue();
+        }
+  - remove:
+      field:
+        - json
+        - carbon_black_cloud.alert.create_time
+        - carbon_black_cloud.alert.device_id
+        - carbon_black_cloud.alert.alert_url
+      ignore_missing: true
+  - script:
+      description: Drops null/empty values recursively
+      lang: painless
+      source: |
+        boolean dropEmptyFields(Object object) {
+          if (object == null || object == "") {
+            return true;
+          } else if (object instanceof Map) {
+            ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+            return (((Map) object).size() == 0);
+          } else if (object instanceof List) {
+            ((List) object).removeIf(value -> dropEmptyFields(value));
+            return (((List) object).length == 0);
+          }
+          return false;
+        }
+        dropEmptyFields(ctx);
+on_failure:
+  - set:
+      field: error.message
+      value: "{{{_ingest.on_failure_message}}}"