From 53e596d29b0b6f597529e6a06fb47eb23ccf0e41 Mon Sep 17 00:00:00 2001
From: Marius Iversen <marius.iversen@elastic.co>
Date: Mon, 22 Feb 2021 12:28:32 +0100
Subject: [PATCH] indicator type url is in upper case (#24152) (#24153)

(cherry picked from commit e315d66b518acc2aa82b028532912e4bc8f5f40e)
---
 x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
index ffd95787726..a4a16035111 100644
--- a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
@@ -89,7 +89,7 @@ processors:
     field: threatintel.otx.indicator
     target_field: threatintel.indicator.url.full
     ignore_missing: true
-    if: "ctx?.threatintel?.otx?.type == 'url' && ctx?.threatintel?.indicator?.url?.original == null"
+    if: "ctx?.threatintel?.otx?.type == 'URL' && ctx?.threatintel?.indicator?.url?.original == null"
 - rename:
     field: threatintel.otx.indicator
     target_field: threatintel.indicator.url.path