diff --git a/mocks/details.json b/mocks/details.json
index 1529c26..4d743eb 100644
--- a/mocks/details.json
+++ b/mocks/details.json
@@ -40,303 +40,83 @@
 "uuid": "report-uuid-def-456"
 }
 ],
- "indicators": {
- "tool": {
- "name": "elastic",
- "version": "7.10"
+ "indicators": [
+ {
+ "created_at": "2024-01-01T00:00:00Z",
+ "last_seen_at": "2026-02-27T07:36:19.093000Z",
+ "latest_sighting": {
+ "description": "Observation: cobaltstrike [2026-02-27T04:19:50.126Z]",
+ "sighted_at": "2026-02-27T04:19:50.126000Z",
+ "source": "flashpoint_extraction",
+ "tags": [
+ "beacontype:hybrid http dns",
+ "extracted_config:true",
+ "httpposturi:/n4215/adj/amzn.us.sr.aps",
+ "malware:cobaltstrike",
+ "source:flashpoint_extraction",
+ "type:backdoor"
+ ]
+ },
+ "modified_at": "2026-02-27T09:25:27.557000Z",
+ "score": {
+ "last_scored_at": "2025-07-30T07:26:25.981000Z",
+ "value": "malicious"
+ },
+ "total_sightings": 344776,
+ "type": "domain",
+ "value": "ns8.softline.top"
 },
- "took": 145,
- "hits": {
- "total": 3,
- "hits": [
- {
- "_id": "indicator_id_001",
- "_source": {
- "fpid": "fp_indicator_88776",
- "uuid": "indicator-uuid-aaa-111",
- "event_uuid": "event-uuid-bbb-222",
- "header_": "some_internal_header",
- "first_observed_at": {
- "date-time": "2024-01-05T10:20:30Z",
- "timestamp": 1704450030
- },
- "last_observed_at": {
- "date-time": "2024-01-15T16:45:22Z",
- "timestamp": 1705337122
- },
- "Attribute": {
- "type": "ip-dst",
- "category": "Network activity",
- "value": "192.168.100.50",
- "timestamp": "1704450030"
- },
- "mitre": {
- "fpid": "fp_mitre_55443",
- "created_at": {
- "date-time": "2023-12-20T09:00:00Z",
- "timestamp": 1703062800
- },
- "last_observed_at": {
- "date-time": "2024-01-15T14:20:10Z",
- "timestamp": 1705328410
- },
- "site": {
- "fpid": "fp_site_33221",
- "title": "MITRE ATT&CK Framework",
- "description": {
- "raw": "Adversarial tactics and techniques based on real-world observations",
- "sanitized": "Adversarial tactics..."
- },
- "created_at": {
- "date-time": "2020-01-01T00:00:00Z",
- "timestamp": 1577836800
- },
- "updated_at": {
- "date-time": "2024-01-01T00:00:00Z",
- "timestamp": 1704067200
- }
- },
- "body": {
- "text/html-sanitized": "
HTML body content
",
- "text/plain": "Plain text body content",
- "enrichments": {
- "links": [
- {
- "href": "https://attack.mitre.org/techniques/T1566/",
- "title": "Phishing"
- },
- {
- "href": "https://attack.mitre.org/techniques/T1059/",
- "title": "Command and Scripting Interpreter"
- }
- ]
- }
- }
- },
- "nist": {
- "fpid": "fp_nist_77665",
- "created_at": {
- "date-time": "2023-11-15T08:30:00Z",
- "timestamp": 1700036600
- },
- "updated_at": {
- "date-time": "2024-01-10T12:00:00Z",
- "timestamp": 1704888000
- },
- "last_observed_at": {
- "date-time": "2024-01-14T18:25:33Z",
- "timestamp": 1705257933
- },
- "site": {
- "fpid": "fp_nist_site_44332",
- "title": "NIST Vulnerability Database",
- "description": {
- "raw": "National Vulnerability Database providing CVE information",
- "sanitized": "National Vulnerability..."
- },
- "created_at": {
- "date-time": "2019-01-01T00:00:00Z",
- "timestamp": 1546300800
- },
- "updated_at": {
- "date-time": "2024-01-15T00:00:00Z",
- "timestamp": 1705276800
- },
- "tags": [
- {
- "name": "vulnerability",
- "id": "tag_001"
- },
- {
- "name": "cve",
- "id": "tag_002"
- },
- {
- "name": "exploit",
- "id": "tag_003"
- }
- ]
- },
- "body": {
- "enrichments": {
- "links": [
- {
- "href": "https://nvd.nist.gov/vuln/detail/CVE-2023-12345",
- "title": "CVE-2023-12345"
- },
- {
- "href": "https://nvd.nist.gov/vuln/detail/CVE-2023-67890",
- "title": "CVE-2023-67890"
- }
- ]
- }
- }
- },
- "cve": {
- "nist": {
- "configurations": [
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:1.0"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:1.1"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:1.2"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:1.3"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:1.4"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:1.5"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:1.6"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:1.7"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:1.8"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:1.9"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:2.0"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:2.1"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:2.2"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:2.3"]}]},
- {"nodes": [{"operator": "OR", "cpe_match": ["cpe:2.3:a:vendor:product:2.4"]}]}
- ]
- }
- },
- "enrichments": {
- "v1": {
- "email_addresses": [
- {
- "email_address": "threat.actor@malicious.com",
- "positions": [[0, 27]]
- },
- {
- "email_address": "contact@bad-domain.ru",
- "positions": [[50, 72]]
- }
- ],
- "urls": [
- {
- "url": "https://malicious-site.com/payload",
- "positions": [[100, 135]]
- },
- {
- "url": "http://phishing-domain.net/login",
- "positions": [[200, 231]]
- }
- ],
- "ip_addresses": [
- {
- "ip_address": "45.123.67.89",
- "positions": [[300, 313]]
- },
- {
- "ip_address": "198.51.100.42",
- "positions": [[350, 364]]
- }
- ],
- "vulnerability": [
- {
- "CVE-2023-12345": {
- "vulnerability": "CVE-2023-12345",
- "cvss_score": 9.8
- },
- "positions": [[400, 414]]
- },
- {
- "CVE-2023-67890": {
- "vulnerability": "CVE-2023-67890",
- "cvss_score": 7.5
- },
- "positions": [[450, 464]]
- },
- {
- "CVE-2023-11111": {
- "vulnerability": "CVE-2023-11111",
- "cvss_score": 8.1
- },
- "positions": [[500, 514]]
- },
- {
- "CVE-2023-22222": {
- "vulnerability": "CVE-2023-22222",
- "cvss_score": 6.5
- },
- "positions": [[550, 564]]
- },
- {
- "CVE-2023-33333": {
- "vulnerability": "CVE-2023-33333",
- "cvss_score": 7.8
- },
- "positions": [[600, 614]]
- },
- {
- "CVE-2023-44444": {
- "vulnerability": "CVE-2023-44444",
- "cvss_score": 9.1
- },
- "positions": [[650, 664]]
- },
- {
- "CVE-2023-55555": {
- "vulnerability": "CVE-2023-55555",
- "cvss_score": 5.3
- },
- "positions": [[700, 714]]
- },
- {
- "CVE-2023-66666": {
- "vulnerability": "CVE-2023-66666",
- "cvss_score": 8.8
- },
- "positions": [[750, 764]]
- },
- {
- "CVE-2023-77777": {
- "vulnerability": "CVE-2023-77777",
- "cvss_score": 7.2
- },
- "positions": [[800, 814]]
- },
- {
- "CVE-2023-88888": {
- "vulnerability": "CVE-2023-88888",
- "cvss_score": 6.8
- },
- "positions": [[850, 864]]
- },
- {
- "CVE-2023-99999": {
- "vulnerability": "CVE-2023-99999",
- "cvss_score": 9.3
- },
- "positions": [[900, 914]]
- },
- {
- "CVE-2024-00001": {
- "vulnerability": "CVE-2024-00001",
- "cvss_score": 8.5
- },
- "positions": [[950, 964]]
- }
- ]
- }
- },
- "_meta": {
- "size": 45632,
- "enrichments": {
- "v1": {
- "email_addresses": {
- "enriched_at": "2024-01-15T10:00:00Z",
- "version": "1.0"
- },
- "urls": {
- "enriched_at": "2024-01-15T10:00:00Z",
- "version": "1.0"
- },
- "vulnerability": {
- "enriched_at": "2024-01-15T10:00:00Z",
- "version": "1.0"
- }
- }
- }
- }
- }
- }
- ]
+ {
+ "created_at": "2024-01-01T00:00:00Z",
+ "last_seen_at": "2026-02-27T07:36:19.019000Z",
+ "latest_sighting": {
+ "description": "Observation: cobaltstrike [2026-02-27T04:19:50.126Z]",
+ "sighted_at": "2026-02-27T04:19:50.126000Z",
+ "source": "flashpoint_extraction",
+ "tags": [
+ "beacontype:hybrid http dns",
+ "extracted_config:true",
+ "httpposturi:/n4215/adj/amzn.us.sr.aps",
+ "malware:cobaltstrike",
+ "source:flashpoint_extraction",
+ "type:backdoor"
+ ]
+ },
+ "modified_at": "2026-02-27T09:25:25.234000Z",
+ "score": {
+ "last_scored_at": "2025-07-30T07:26:22.823000Z",
+ "value": "malicious"
+ },
+ "total_sightings": 345024,
+ "type": "domain",
+ "value": "ns7.softline.top"
+ },
+ {
+ "created_at": "2024-01-01T00:00:00Z",
+ "last_seen_at": "2026-02-27T07:36:19.093000Z",
+ "latest_sighting": {
+ "description": "Observation: cobaltstrike [2026-02-27T04:24:23.734Z]",
+ "sighted_at": "2026-02-27T04:24:23.734000Z",
+ "source": "flashpoint_extraction",
+ "tags": [
+ "beacontype:hybrid http dns",
+ "extracted_config:true",
+ "httpposturi:/n4215/adj/amzn.us.sr.aps",
+ "malware:cobaltstrike",
+ "source:flashpoint_extraction",
+ "type:backdoor"
+ ]
+ },
+ "modified_at": "2026-02-27T09:25:18.078000Z",
+ "score": {
+ "last_scored_at": "2025-07-30T07:26:35.100000Z",
+ "value": "malicious"
+ },
+ "total_sightings": 344874,
+ "type": "domain",
+ "value": "ns9.softline.top"
 }
- },
+ ],
 "vulnerabilities": [
 {
 "cve_id": "CVE-2023-12345",
diff --git a/package-lock.json b/package-lock.json
index 242cd54..c7bec1d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "Flashpoint",
- "version": "3.6.0",
+ "version": "3.6.1",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "Flashpoint",
- "version": "3.6.0",
+ "version": "3.6.1",
 "dependencies": {
 "async": "^3.2.6",
 "bottleneck": "^2.19.5",
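Review bot: None of the six paths that `reducers/details.json` drops in this same commit (`sort_date`, `entity_type`, `href`, `sightings`, `latest_sighting.id`, `latest_sighting.href`) exist on the three new indicator objects in `mocks/details.json`, so the fixture cannot demonstrate that the new drop op removes anything; add at least one entry carrying those keys with placeholder values, e.g. `"href": "https://example.invalid/indicators/PLACEHOLDER_ID"`, so the reducer is exercised end to end. The `value` hostnames and the `httpposturi:` tag read like live extraction output rather than fixture data; if they were copied from a real response, reserved placeholder names (`ns8.example.net` style) would keep the mock from being mistaken for, or redistributed as, intelligence. The three entries also differ only in hostname, counters and timestamps; one with a different `score.value` or `type` would make the non-`malicious`, non-`domain` paths testable. The enclosing object begins before this hunk (the hunk starts at line 40) and its `vulnerabilities` sibling continues after it.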
@@ -1746,13 +1746,26 @@
 "license": "MIT"
 },
 "node_modules/brace-expansion": {
- "version": "2.0.2",
- "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
- "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+ "version": "5.0.3",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.3.tgz",
+ "integrity": "sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==",
 "dev": true,
 "license": "MIT",
 "dependencies": {
- "balanced-match": "^1.0.0"
+ "balanced-match": "^4.0.2"
+ },
+ "engines": {
+ "node": "18 || 20 || >=22"
+ }
+ },
+ "node_modules/brace-expansion/node_modules/balanced-match": {
+ "version": "4.0.4",
+ "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
+ "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": "18 || 20 || >=22"
 }
 },
 "node_modules/braces": {
@@ -3750,13 +3763,13 @@
 }
 },
 "node_modules/minimatch": {
- "version": "9.0.5",
- "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
- "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+ "version": "9.0.8",
+ "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.8.tgz",
+ "integrity": "sha512-reYkDYtj/b19TeqbNZCV4q9t+Yxylf/rYBsLb42SXJatTv4/ylq5lEiAmhA/IToxO7NI2UzNMghHoHuaqDkAjw==",
 "dev": true,
 "license": "ISC",
 "dependencies": {
- "brace-expansion": "^2.0.1"
+ "brace-expansion": "^5.0.2"
 },
 "engines": {
 "node": ">=16 || 14 >=14.17"
@@ -4760,9 +4773,9 @@
 }
 },
 "node_modules/test-exclude/node_modules/minimatch": {
- "version": "3.1.2",
- "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
- "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+ "version": "3.1.5",
+ "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+ "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
 "dev": true,
 "license": "ISC",
 "dependencies": {
diff --git a/package.json b/package.json
index e1f1f7f..29a485e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "Flashpoint",
- "version": "3.6.0",
+ "version": "3.6.1",
 "main": "./integration.js",
 "private": true,
 "scripts": {
diff --git a/reducers/details.json b/reducers/details.json
index dd101b5..2023c6f 100644
--- a/reducers/details.json
+++ b/reducers/details.json
@@ -45,180 +45,12 @@
 {
 "op": "drop",
 "paths": [
- "reduced_results.indicators.tool",
- "reduced_results.indicators.took",
- "reduced_results[].fpid",
- "reduced_results[].timestamp",
- "reduced_results[].text/html+sanitized",
- "reduced_results[].text/html-sanitized",
- "reduced_results[].text/plain",
- "reduced_results[].href",
- "reduced_results[].uuid",
- "reduced_results[].event_uuid",
- "reduced_results.indicators.hits.hits[]._id",
- "reduced_results.indicators.hits.hits[]._source.fpid",
- "reduced_results.indicators.hits.hits[]._source.header_",
- "reduced_results.indicators.hits.hits[]._source._meta.size"
- ]
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.first_observed_at",
- "function": "extract_field",
- "field": "date-time"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.last_observed_at",
- "function": "extract_field",
- "field": "date-time"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.mitre.created_at",
- "function": "extract_field",
- "field": "date-time"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.mitre.last_observed_at",
- "function": "extract_field",
- "field": "date-time"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.mitre.site.created_at",
- "function": "extract_field",
- "field": "date-time"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.mitre.site.updated_at",
- "function": "extract_field",
- "field": "date-time"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.mitre.site.description",
- "function": "extract_field",
- "field": "raw"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.mitre.body.enrichments.links[].href",
- "function": "collect_to_array"
- },
- {
- "op": "drop",
- "paths": [
- "reduced_results.indicators.hits.hits[]._source.mitre.site.fpid",
- "reduced_results.indicators.hits.hits[]._source.mitre.body.text/html-sanitized",
- "reduced_results.indicators.hits.hits[]._source.mitre.body.text/plain",
- "reduced_results.indicators.hits.hits[]._source.mitre.fpid"
- ]
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.nist.created_at",
- "function": "extract_field",
- "field": "date-time"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.nist.updated_at",
- "function": "extract_field",
- "field": "date-time"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.nist.last_observed_at",
- "function": "extract_field",
- "field": "date-time"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.nist.site.created_at",
- "function": "extract_field",
- "field": "date-time"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.nist.site.updated_at",
- "function": "extract_field",
- "field": "date-time"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.nist.site.description",
- "function": "extract_field",
- "field": "raw"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.nist.site.tags[].name",
- "function": "collect_to_array"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.nist.body.enrichments.links[].href",
- "function": "collect_to_array"
- },
- {
- "op": "drop",
- "paths": [
- "reduced_results.indicators.hits.hits[]._source.nist.site.fpid",
- "reduced_results.indicators.hits.hits[]._source.nist.fpid"
- ]
- },
- {
- "op": "truncate_list",
- "path": "reduced_results.indicators.hits.hits[]._source.cve.nist.configurations",
- "max_size": 10,
- "shape": {
- "reduced_results.indicators.hits.hits[]._source.cve.nist.configurations": {
- "configurationsCount": "$original_count",
- "firstTenConfigurations": "$truncated"
- }
- },
- "condition": {
- "min_size": 11
- }
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.enrichments.v1.email_addresses[].email_address",
- "function": "collect_to_array"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.enrichments.v1.urls[].url",
- "function": "collect_to_array"
- },
- {
- "op": "transform",
- "path": "reduced_results.indicators.hits.hits[]._source.enrichments.v1.ip_addresses[].ip_address",
- "function": "collect_to_array"
- },
- {
- "op": "truncate_list",
- "path": "reduced_results.indicators.hits.hits[]._source.enrichments.v1.vulnerability",
- "max_size": 10,
- "shape": {
- "reduced_results.indicators.hits.hits[]._source.enrichments.v1.vulnerability": {
- "vulnerabilityCount": "$original_count",
- "firstTenVulnerabilities": "$truncated"
- }
- },
- "condition": {
- "min_size": 11
- }
- },
- {
- "op": "drop",
- "paths": [
- "reduced_results.indicators.hits.hits[]._source.enrichments.v1.vulnerability[].positions",
- "reduced_results.indicators.hits.hits[]._source._meta.enrichments.v1[].enriched_at",
- "reduced_results.indicators.hits.hits[]._source._meta.enrichments.v1[].version"
+ "reduced_results.indicators[].sort_date",
+ "reduced_results.indicators[].entity_type",
+ "reduced_results.indicators[].href",
+ "reduced_results.indicators[].sightings",
+ "reduced_results.indicators[].latest_sighting.id",
+ "reduced_results.indicators[].latest_sighting.href"
 ]
 },
 {
@@ -235,4 +67,4 @@
 "output": {
 "result": "$working.reduced_results"
 }
-}
+}
\ No newline at end of file
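Review bot: The new `reduced_results.indicators[]` array is passed through with no size bound, whereas the ops this hunk removes capped the old nested arrays with `truncate_list` (`"max_size": 10`, `"condition": {"min_size": 11}`); if the upstream indicators endpoint can return more than a handful of entries, the reduced output now grows linearly with the response. Since the DSL already supports that op, a `truncate_list` on `reduced_results.indicators`, placed after the `drop` op, would keep the result bounded; the version below mirrors the removed op's shape, and the `indicatorsCount`/`firstTenIndicators` key names are constructed suggestions. Separately, none of the six paths dropped here appear on the indicator objects in `mocks/details.json` in this same commit, so the drop op is not exercised by the fixture. The following hunk (`@@ -235,4 +67,4 @@`) also removes the file's final newline, which looks like an editor artifact worth restoring.
```json
{
  "op": "truncate_list",
  "path": "reduced_results.indicators",
  "max_size": 10,
  "shape": {
    "reduced_results.indicators": {
      "indicatorsCount": "$original_count",
      "firstTenIndicators": "$truncated"
    }
  },
  "condition": {
    "min_size": 11
  }
}
```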