ti_recordedfuture: triggered_alert field is incorrectly mapped as keyword

[efd6]

The primary_entity field in the ti_recordedfuture.triggered_alert data stream is mapped as keyword in fields.yml, but the Recorded Future v3 alerts API returns it as an object with name, id, and type fields. When this happens, Elasticsearch rejects the document with a document_parsing_exception:

failed to parse field [recordedfuture.triggered_alert.primary_entity] of type [keyword].
Preview of field's value: '{name=Ransomware, id=J0Nl-p, type=MalwareCategory}'
caused_by: illegal_argument_exception: Expected text at 1:10642 but found START_OBJECT

The primary_entity field has the same shape as individual items in the entities array, which is already correctly mapped as a group with id, name, and type subfields. All existing test fixtures use "primary_entity": null, so the object case was never exercised.

Fix

Change primary_entity in fields/fields.yml from type: keyword to a group with id, name, type subfields (all keyword), matching the entities field structure. Add test data with a non-null primary_entity object, for example, {"name": "Ransomware", "id": "J0Nl-p", "type": "MalwareCategory"}.

Versions

• Integration: ti_recordedfuture 2.4.1
• Agent: 9.3.2

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[github-actions]

tl;dr: recordedfuture.triggered_alert itself is currently mapped as a group (object), but one nested field appears mismatched: recordedfuture.triggered_alert.rule.use_case_deprecation is mapped as keyword while test/sample payloads provide an object ({"description": null}), which can trigger mapping conflicts.

Recommendation

Update recordedfuture.triggered_alert.rule.use_case_deprecation from keyword to group and define its child field(s), then regenerate package docs/assets and run package validation tests.

Findings

• packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml:4-5 defines triggered_alert as type: group (so the top-level field is not keyword).
• packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml:109-110 defines:
  • name: use_case_deprecation
  • type: keyword
• packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log:1 contains "rule":{"use_case_deprecation":{"description":null},...} (object payload).
• packages/ti_recordedfuture/data_stream/triggered_alert/sample_event.json:29 contains the same object shape in event.original.
• packages/ti_recordedfuture/data_stream/triggered_alert/elasticsearch/ingest_pipeline/default.yml:40-44 parses event.original JSON into recordedfuture.triggered_alert directly.
• Docs currently also show recordedfuture.triggered_alert.rule.use_case_deprecation as keyword:
  • packages/ti_recordedfuture/docs/README.md:446

Integrity constraint note: I could not read issue/PR bodies via MCP for related discussion (access gate), so findings are based on local repository verification.

Verification

I validated with local file inspection and grep:

$ grep -n "use_case_deprecation" packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml
109:            - name: use_case_deprecation

$ grep -n "use_case_deprecation" packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log | head -n 1
1:{..."rule":{"use_case_deprecation":{"description":null},...}}

$ grep -n "target_field: recordedfuture.triggered_alert" packages/ti_recordedfuture/data_stream/triggered_alert/elasticsearch/ingest_pipeline/default.yml
43:      target_field: recordedfuture.triggered_alert

I also checked whether elastic-package is available in this runner; it is not installed here, so I could not execute package tests in this environment.

Detailed Action Plan

1. Edit packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml:

   • At rule.use_case_deprecation (around lines 109-110), change type: keyword → type: group.
   • Add child fields under it (at minimum description; choose type per integration conventions, likely keyword if it remains scalar text).

2. Regenerate package docs/assets so field docs match mappings:

   • packages/ti_recordedfuture/docs/README.md should no longer show recordedfuture.triggered_alert.rule.use_case_deprecation as keyword.

3. Run existing package validation/tests for ti_recordedfuture (pipeline and package checks) to confirm no mapping conflicts.

4. Optionally add/adjust a fixture assertion in triggered_alert pipeline test data to keep this object shape covered and prevent regressions.

Related Items

Type	Item	Relevance
File	packages/ti_recordedfuture/data_stream/triggered_alert/fields/fields.yml	Source of mapping definition
File	packages/ti_recordedfuture/data_stream/triggered_alert/elasticsearch/ingest_pipeline/default.yml	Parses JSON into recordedfuture.triggered_alert
File	packages/ti_recordedfuture/data_stream/triggered_alert/_dev/test/pipeline/test-triggered-alert.log	Shows object payload for use_case_deprecation
File	packages/ti_recordedfuture/data_stream/triggered_alert/sample_event.json	Same object payload in sample event
File	packages/ti_recordedfuture/docs/README.md	Generated docs currently reflect keyword mapping
Commit	a9f0f621	Recent commit touching triggered_alert fields file

Note

🔒 Integrity filtering filtered 11 items

Integrity filtering activated and filtered the following items during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.

• issue:ti_recordedfuture: triggered_alert field is incorrectly mapped as keyword #18136 (issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• #18136 (search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• #14159 (search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• #16194 (search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• #16114 (search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• #17560 (search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• #14648 (search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• #14814 (search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• issue:#unknown (search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• pr:[ti_recordedfuture] Add Support for Playbook and Triggered Alerts #13494 (pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• pr:Fix Network Flows dashboard for ECS-mapped flows #18058 (pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)

---

What is this? | From workflow: Issue Triage

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.