Don't discard matched event as sighting context

tenzir · Dec 14, 2021 · a6a6586 · a6a6586
1 parent 51b92e3
commit a6a6586
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/apps/vast/CHANGELOG.md b/apps/vast/CHANGELOG.md
@@ -12,6 +12,12 @@ Every entry has a category for which we use the following visual abbreviations:
 
 ## Unreleased
 
+- ⚠️ `vast-threatbus` no longer adds a `source` field to the `x_threatbus_sighting_context`
+  field of generated sightings.
+
+- ⚠️ `vast-threatbus` now adds the matched event to the `x_threatbus_sighting_context`
+  for results coming from live matcher.
+
 - 🐞 `vast-threatbus` now handles sightings generated by VAST matchers using
   probabilistic filters. Note that to correlate sighting and indicator an exact
   filter must be used, as probabilistic filters do not store the STIX

diff --git a/apps/vast/vast_threatbus/message_mapping.py b/apps/vast/vast_threatbus/message_mapping.py
@@ -100,7 +100,6 @@ def query_result_to_sighting(
         return None
     try:
         context = json.loads(query_result)
-        context["source"] = "VAST"
         ts = context.get("ts", context.get("timestamp", None))
         if not ts:
             logger.error(f"Could not find timestamp")
@@ -154,8 +153,7 @@ def matcher_result_to_sighting(matcher_result: str) -> Union[Sighting, None]:
     if ref is None:
         # All zeroes is no valid UUIDv4, at least these two bits must be set.
         ref = f"note--00000000-0000-4000-8000-000000000000"
-    context = {}
-    context["source"] = "VAST"
+    context = event
     return Sighting(
         last_seen=ts,
         sighting_of_ref=ref,

diff --git a/apps/vast/vast_threatbus/test_message_mapping.py b/apps/vast/vast_threatbus/test_message_mapping.py
@@ -139,7 +139,6 @@ def test_query_result_to_sighting(self):
             in parsed_sighting
         )
         expected_context = json.loads(self.valid_query_result)
-        expected_context["source"] = "VAST"
         self.assertEqual(parsed_sighting.x_threatbus_sighting_context, expected_context)
 
     def test_invalid_matcher_result_to_sighting(self):
@@ -162,5 +161,5 @@ def test_matcher_result_to_sighting(self):
             ThreatBusSTIX2Constants.X_THREATBUS_SIGHTING_CONTEXT.value
             in parsed_sighting
         )
-        expected_context = {"source": "VAST"}
+        expected_context = json.loads(self.valid_matcher_result)["event"]
         self.assertEqual(parsed_sighting.x_threatbus_sighting_context, expected_context)