@hanna See if you can follow this...
Actually, I can't believe I got this to work. I used the foreach processor combined with the enrich processor.
Unfortunately the enrich fields will need to go inside the array of CVEs; I could not figure out how to put them (pretty sure it cannot be done) in a separate array somewhere else in the doc... BUT I think that will actually make it easy to get to the data / definitions later, as they will be on the same path as the CVE.
It's a slightly shorter version, so you will need to be careful with the field names etc.
I used your mapping above for the cve-source
Here you go ... This was cool I learned something
# Put in your mappings for my source index from your logstash-knowncves
# Source / Lookup Doc
POST cve-source/_doc
{
"log": {
"file": {
"path": "/usr/share/threatintel/criticalvulns/known_exploited_cisa.csv"
}
},
"event": {
"original": "\"CVE-2013-2597\",\"Code Aurora\",\"ACDB Audio Driver\",\"Code Aurora ACDB Audio Driver Stack-based Buffer Overflow Vulnerability\",\"2022-09-15\",\"The Code Aurora audio calibration database (acdb) audio driver contains a stack-based buffer overflow vulnerability which allows for privilege escalation. Code Aurora is used in third-party products such as Qualcomm and Android.\",\"Apply updates per vendor instructions.\",\"2022-10-06\",\"https://web.archive.org/web/20161226013354/https:/www.codeaurora.org/news/security-advisories/stack-based-buffer-overflow-acdb-audio-driver-cve-2013-2597\"\r"
},
"host": {
"name": "logstash1"
},
"column9": "https://web.archive.org/web/20161226013354/https:/www.codeaurora.org/news/security-advisories/stack-based-buffer-overflow-acdb-audio-driver-cve-2013-2597",
"requiredAction": "Apply updates per vendor instructions.",
"vuln": "Code Aurora ACDB Audio Driver Stack-based Buffer Overflow Vulnerability",
"product": "ACDB Audio Driver",
"@version": "1",
"cveID": "CVE-2013-2597",
"vendorproject": "Code Aurora",
"@timestamp": "2022-09-21T22:00:08.575055Z",
"dueDate": "2022-10-06",
"dateAdded": "2022-09-15",
"shortDescription": "The Code Aurora audio calibration database (acdb) audio driver contains a stack-based buffer overflow vulnerability which allows for privilege escalation. Code Aurora is used in third-party products such as Qualcomm and Android."
}
# Source / Lookup Doc
POST cve-source/_doc
{
"log": {
"file": {
"path": "/usr/share/threatintel/criticalvulns/known_exploited_cisa.csv"
}
},
"event": {
"original": "\"CVE-2013-2596\",\"Linux\",\"Kernel\",\"Linux Kernel Integer Overflow Vulnerability\",\"2022-09-15\",\"Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability which allows for privilege escalation.\",\"Apply updates per vendor instructions.\",\"2022-10-06\",\"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc9bbca8f650e5f738af8806317c0a041a48ae4a\"\r"
},
"host": {
"name": "logstash1"
},
"column9": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc9bbca8f650e5f738af8806317c0a041a48ae4a",
"requiredAction": "Apply updates per vendor instructions.",
"vuln": "Linux Kernel Integer Overflow Vulnerability",
"product": "Kernel",
"@version": "1",
"cveID": "CVE-2013-2596",
"vendorproject": "Linux",
"@timestamp": "2022-09-21T22:00:08.575162Z",
"dueDate": "2022-10-06",
"dateAdded": "2022-09-15",
"shortDescription": "Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability which allows for privilege escalation."
}
# Enrich Policy
PUT _enrich/policy/cve_enrichment_policy
{
"match": {
"indices": "cve-source",
"match_field": "cveID",
"enrich_fields": [
"event.original"
]
}
}
# Execute
PUT _enrich/policy/cve_enrichment_policy/_execute
# The pipeline that loops through the array and calls enrich for each element
PUT _ingest/pipeline/cve_enrichment_pipeline
{
"processors": [
{
"foreach": {
"field": "nvt.refs.ref", // The path to the array
"processor": {
"enrich": {
"field": "_ingest._value.@id", // The field in each array element to match on
"policy_name": "cve_enrichment_policy",
"target_field": "_ingest._value.cveintel", // The field in each array element to put the enrich data in
"ignore_missing": true,
"max_matches": 128
}
}
}
}
]
}
# Simulate
POST _ingest/pipeline/cve_enrichment_pipeline/_simulate
{
"docs": [
{
"_source": {
"nvt": {
"refs": {
"ref": [
{
"@type": "cve",
"@id": "CVE-2013-2596"
},
{
"@type": "cve",
"@id": "CVE-2013-2597"
}
]
}
}
}
}
]
}
# Post a doc
POST cve-logs/_doc/?pipeline=cve_enrichment_pipeline
{
"nvt": {
"refs": {
"ref": [
{
"@type": "cve",
"@id": "CVE-2013-2596"
},
{
"@type": "cve",
"@id": "CVE-2013-2597"
}
]
}
}
}
# See the results
GET cve-logs/_search
# Results (note the _ignored entry below: the enriched event.original value is likely too long for its keyword subfield, so that subfield is skipped at index time and is not searchable as a keyword)
{
"took": 0,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 1,
"relation": "eq"
},
"max_score": 1,
"hits": [
{
"_index": "cve-logs",
"_id": "Z4dDpYMBSVkvcWRyi5AU",
"_score": 1,
"_ignored": [
"ref.cveintel.event.original.keyword"
],
"_source": {
"ref": [
{
"@type": "cve",
"@id": "CVE-2013-2596",
"cveintel": [
{
"event": {
"original": "\"CVE-2013-2596\",\"Linux\",\"Kernel\",\"Linux Kernel Integer Overflow Vulnerability\",\"2022-09-15\",\"Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability which allows for privilege escalation.\",\"Apply updates per vendor instructions.\",\"2022-10-06\",\"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc9bbca8f650e5f738af8806317c0a041a48ae4a\"\r"
},
"cveID": "CVE-2013-2596"
}
]
},
{
"@type": "cve",
"@id": "CVE-2013-2597",
"cveintel": [
{
"event": {
"original": "\"CVE-2013-2597\",\"Code Aurora\",\"ACDB Audio Driver\",\"Code Aurora ACDB Audio Driver Stack-based Buffer Overflow Vulnerability\",\"2022-09-15\",\"The Code Aurora audio calibration database (acdb) audio driver contains a stack-based buffer overflow vulnerability which allows for privilege escalation. Code Aurora is used in third-party products such as Qualcomm and Android.\",\"Apply updates per vendor instructions.\",\"2022-10-06\",\"https://web.archive.org/web/20161226013354/https:/www.codeaurora.org/news/security-advisories/stack-based-buffer-overflow-acdb-audio-driver-cve-2013-2597\"\r"
},
"cveID": "CVE-2013-2597"
}
]
}
]
}
}
]
}
}