Morning. I found this integration in pre-release, Custom Threat Intelligence, and it fits perfectly into our TI feed for hashes with a Trend Micro server we have. But I'm running into an issue where I'm getting a CEL error:
failed eval: ERROR: :32:22: no such key: objects
| ).do_request().as(resp, (resp.StatusCode == 200 || resp.StatusCode == 206) ?
| .....................^,
Processor "conditional" with tag "" in pipeline "logs-ti_custom.indicator-0.6.0" failed with message "Error during CEL program evaluation"
User efd6 told me that this would be better placed here. He also stated: "From the error you have posted, you are likely using the built-in CEL program. What is happening is that the document being returned by the API endpoint does not contain a field "objects", which the program expects (you can see that here)."
If anyone has had this issue with this integration, it would be greatly appreciated for your help.
That's right. The built-in CEL program in that integration is designed to support TI feeds compatible with the TAXII protocol. Servers that follow that protocol should send indicators inside the objects field, and it seems that the feed server you are targeting doesn't follow that specification.
I recommend you verify that point, and in case it doesn't support TAXII, you need to disable the option Enable TAXII 2.1 in the integration configuration, as well as add a custom CEL program that meets the feed server specifications.
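To make the distinction concrete, here is a small Python model of the two cases described above. It is added for illustration and is not the integration's CEL program or anything from Elastic or Trend Micro: the sample response bodies are constructed, and the function names (`looks_like_taxii_envelope`, `parse_taxii_envelope`, `parse_custom_feed`) are my own. It shows the check you would run against a server's response before deciding whether to keep "Enable TAXII 2.1" on, the failure the built-in logic hits when `objects` is absent, and the shape a custom parser takes for a feed that instead returns a bare array of hash records.

```python
import json
import re

# Constructed sample: a TAXII 2.1 "envelope" as returned by a collection's
# objects endpoint. Indicators live inside the top-level "objects" array.
TAXII_ENVELOPE = json.dumps({
    "more": False,
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000001",
            "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
            "pattern_type": "stix",
        },
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000002"},
    ],
})

# Constructed sample: a non-TAXII feed that just returns a list of hash records.
# There is no "objects" key here, which is exactly what trips the built-in program.
CUSTOM_FEED = json.dumps([
    {"sha256": "b" * 64, "first_seen": "2024-01-01T00:00:00Z"},
    {"sha256": "not-a-hash", "first_seen": "2024-01-02T00:00:00Z"},
])

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def looks_like_taxii_envelope(body: str) -> bool:
    """The check to run first: does the server return a TAXII-style envelope?"""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False
    return isinstance(doc, dict) and isinstance(doc.get("objects"), list)


def parse_taxii_envelope(body: str) -> list:
    """Mirrors the built-in assumption: indicators are under 'objects'."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or "objects" not in doc:
        # Same condition the CEL error in the thread reports.
        raise KeyError("no such key: objects")
    return [o for o in doc["objects"] if o.get("type") == "indicator"]


def parse_custom_feed(body: str) -> list:
    """What a custom parser for a bare-array hash feed has to do instead."""
    doc = json.loads(body)
    if not isinstance(doc, list):
        raise ValueError("expected a JSON array of hash records")
    indicators = []
    for rec in doc:
        sha = str(rec.get("sha256", "")).lower()
        if not SHA256_RE.match(sha):
            continue  # drop malformed records rather than emit a bad indicator
        indicators.append({
            "type": "indicator",
            "pattern": f"[file:hashes.'SHA-256' = '{sha}']",
            "pattern_type": "stix",
            "first_seen": rec.get("first_seen"),
        })
    return indicators


def parse_feed(body: str, taxii_enabled: bool) -> list:
    """Dispatch the way the integration setting does: TAXII envelope or custom."""
    if taxii_enabled:
        return parse_taxii_envelope(body)
    return parse_custom_feed(body)


def describe_failure(body: str, taxii_enabled: bool):
    """Return the error text a given (body, setting) pair produces, or None."""
    try:
        parse_feed(body, taxii_enabled)
    except (KeyError, ValueError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for name, body in (("taxii", TAXII_ENVELOPE), ("custom", CUSTOM_FEED)):
        print(name, "envelope:", looks_like_taxii_envelope(body),
              "| with TAXII on:", describe_failure(body, True) or "ok",
              "| with TAXII off:", describe_failure(body, False) or "ok")
```

Running it against your real server's response body (rather than the constructed samples) tells you directly which branch you are in: if `looks_like_taxii_envelope` is false, the TAXII option should be off and a custom program written for that feed's actual shape.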
First, thank you for the response. I'll look into what you've said and sent. Second, if I have any issues, I'll get back to you, and hopefully you can help! Thank you again!