[Google Threat Intelligence] Add Integration Package

[niraj-crest]

• Enhancement

What does this PR do?

• Added 4 data streams (cryptominer, first_stage_delivery_vectors, infostealer, iot).
• Added data collection logic for the data streams.
• Added the ingest pipeline for the data streams.
• Mapped fields according to the ECS schema and added Fields metadata in the appropriate yaml files.
• Added dashboards and visualizations.
• Added system test cases for the data stream.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

• Clone integrations repo.
• Install elastic-package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/ti_google_threat_intelligence) directory.
• Run the following command to run tests. elastic-package test

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[niraj-crest]

Hey @jamiehynds & @andrewkroh
Can anyone please add reviewers to this PR?

[kcreddy]

/test

[kcreddy]

@niraj-crest, could you fix the CI error?

Error: there is no owner for "packages/ti_google_threat_intelligence" in ".github/CODEOWNERS"

by adding a line into .github/CODEOWNERS

[niraj-crest]

Hello @kcreddy,
Added codeowners, can please run the tests again?

[kcreddy]

/test

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[kcreddy]

@niraj-crest, looks like the PR is failing Check for blocked path changes.
The git diff git diff --name-only f9794072abccfc51e4549ecd7510d0d2248f2c72 1b3d6ddc5affe5f7215b2668ecdd1db7682202e9 is identifying files from blocked_paths.

Can you re-sync your branch with elastic:main?

[niraj-crest]

@niraj-crest, looks like the PR is failing Check for blocked path changes. The git diff git diff --name-only f9794072abccfc51e4549ecd7510d0d2248f2c72 1b3d6ddc5affe5f7215b2668ecdd1db7682202e9 is identifying files from blocked_paths.

Can you re-sync your branch with elastic:main?

Done @kcreddy.

[kcreddy]

@niraj-crest, I don't think its done.

[kcreddy]

/test

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
82.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[niraj-crest]

Hello @kcreddy,
CI is passing now, i guess you can start reviewing the PR.

[kcreddy]

@kcreddy,
CI is passing now, i guess you can start reviewing the PR.

@niraj-crest I've added few comments. I haven't looked into the entire PR yet. Will do.

[kcreddy]

/test

[niraj-crest]

Hello @kcreddy / @efd6 /@andrewkroh
Please let me know if we have any other review comments.

[efd6]

Suggested change

	state.with({
	"start_time": state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format("2006010215"))
	}).as(state, state.with(
	state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format("2006010215")).as(start_time,

since this is overwritten for every eval it doesn't need to be put in state. This will need bracket fixups.

Though, I would also reconsider doing the format here. Instead, that way you don't need to reparse each time you make an adjustment.

[niraj-crest]

Thank you for the suggestion!
We’ve updated the code to use start_time directly as recommended, which definitely helped simplify things.

Regarding your additional point about reconsidering the formatting, we explored that approach but ran into a timing issue due to the API's behavior. Specifically, the API enforces a 1-hour delay, and if we don’t round precisely to the hour, we risk calling a future window too early.

For example, if the current time is 10:21 and we start with an initial interval of 2h, we’ll fetch data for 08 and 09. When checking whether to proceed to the next hour, (09:21 + 1h) becomes 10:21, which might still be less than now (say 10:22) by the time the check happens. This leads us to attempt a 10:00 call prematurely and receive an error.

To avoid this, we’ve kept the strict hour-to-hour comparison using formatted values.
Please let us know if you have any further thoughts.

[efd6]

OK. That is also unfortunate. What we'd really like is a timestamp round function. elastic/mito#92

[efd6]

Suggested change

	state.url.trim_right("/") + "/api/v3/threat_lists/cryptominer/" + state.start_time + "?" + {
	state.url.trim_right("/") + "/api/v3/threat_lists/cryptominer/" + start_time + "?" + {

[efd6]

Suggested change

	"want_more": (state.start_time.parse_time("2006010215") + duration("1h")) < (now.format("2006010215")).parse_time("2006010215")
	"want_more": (start_time.parse_time("2006010215") + duration("1h")) < (now.format("2006010215")).parse_time("2006010215")

[efd6]

Same comments as above.

[niraj-crest]

Hello @kcreddy / @efd6 ,
We’ve addressed all the review comments.
Kindly let us know if you have any additional suggestions. If everything looks good to you, we’d appreciate it if we could proceed with merging this PR.

[kcreddy]

/test

[kcreddy]

This is indeed confusing as this PR change is dependent on future PRs. We should avoid this if possible in the future.

What is the difference between IOCs ingested from this PR's API i..e., Get Hourly Threat List vs the /ioc_stream API thats added in #13449?
Is one API better than the other, if so why don't we add only the better one?

[kcreddy]

Please kindly make a note of all these after items and create a follow up PR. Thanks!

[kcreddy]

After adding the pipeline, the transform turns Healthy as expected.

This behaviour is very strange. run_as_kibana_system shouldn't impact the transform health from a pipeline not being present, especially when we don't even have a pipeline by default #13189 (comment).

If its not too much, could you please kindly add a video capturing this behaviour?

[efd6]

My concerns have been addressed, but please wait for @kcreddy.

[efd6]

Suggested change

	"User-Agent": ["v0.1.0"], // Include integration version here; must match the 'version' in package level manifest.yml
	"User-Agent": ["v0.1.0"], // Keep this in sync with 'version' in package level manifest.yml.

Same change elsewhere that this comment exists.

[efd6]

✅

[efd6]

OK. That is also unfortunate. What we'd really like is a timestamp round function. elastic/mito#92

[kcreddy]

/test

[kcreddy]

Only waiting on 1 outstanding comment: #13189 (comment)

[kcreddy]

/test

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: addde76

History

• 💚 Build #27316 succeeded e3bab0f
• 💚 Build #27046 succeeded b4ebf3e
• 💚 Build #26864 succeeded 87040d1
• 💚 Build #26467 succeeded 595a25b
• 💚 Build #26231 succeeded 86489a7
• 💚 Build #26104 succeeded 8b256a6

[elastic-sonarqube]

Quality Gate failed

Failed conditions
64.3% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

[kcreddy]

LGTM. Thank you!
#14287 tracks list of pending issues for making the integration GA.

[elastic-vault-github-plugin-prod]

Package ti_google_threat_intelligence - 0.1.0 containing this change is available at https://epr.elastic.co/package/ti_google_threat_intelligence/0.1.0/