Skip to content

[Google Threat Intelligence] Add IOC Stream data stream #13449

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

[Google Threat Intelligence] Add IOC Stream data stream #13449

wants to merge 7 commits into from
+26,820 −0

Conversation

niraj-crest
Copy link
Contributor

  • Enhancement

What does this PR do?

  • Added ioc_stream data stream.
  • Added data collection

logic for the data stream.

  • Added the ingest pipeline for the data stream.
  • Mapped fields according to the ECS schema and added Fields metadata in the appropriate yaml files.
  • Added dashboards and visualizations.
  • Added system test cases for the data stream.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

  • Clone integrations repo.
  • Install elastic-package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/ti_google_threat_intelligence) directory.
  • Run the following command to run tests. elastic-package test

@niraj-crest niraj-crest requested a review from a team as a code owner April 7, 2025 15:31
@andrewkroh andrewkroh added dashboard Relates to a Kibana dashboard bug, enhancement, or modification. Crest Contributions from Crest developement team. New Integration Issue or pull request for creating a new integration package. labels Apr 7, 2025
@botelastic
Copy link

botelastic bot commented May 7, 2025

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label May 7, 2025
@niraj-crest niraj-crest requested a review from a team as a code owner May 19, 2025 12:14
@botelastic botelastic bot removed the Stalled label May 19, 2025
@niraj-crest niraj-crest mentioned this pull request May 30, 2025
Merged
4 tasks
@andrewkroh andrewkroh added the Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] label Jun 23, 2025
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh added the Integration:ti_google_threat_intelligence Google Threat Intelligence (Partner supported) label Jun 23, 2025
@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jul 1, 2025
efd6
efd6 reviewed Jul 6, 2025
View reviewed changes
packages/ti_google_threat_intelligence/_dev/deploy/docker/docker-compose.yml
version: '2.3'
services:
ti_google_threat_intelligence:
image: docker.elastic.co/observability/stream:v0.15.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
image: docker.elastic.co/observability/stream:v0.15.0
image: docker.elastic.co/observability/stream:v0.18.0

packages/ti_google_threat_intelligence/data_stream/ioc_stream/agent/stream/cel.yml.hbs
request(
"GET",
state.url.trim_right("/") + "/api/v3/ioc_stream?" + {
"limit": ["40"],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this hardcoded?

Copy link
Contributor Author

@niraj-crest niraj-crest Jul 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maximum Limit of endpoint,
We kept it hardcoded to reduce network calls.

packages/ti_google_threat_intelligence/data_stream/ioc_stream/agent/stream/cel.yml.hbs
"Header": {
"x-apikey": [state.access_token],
"x-tool": ["Elastic"],
"User-Agent": ["v0.1.0"], // Include integration version here; used for identifying and monitoring requests
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"User-Agent": ["v0.1.0"], // Include integration version here; used for identifying and monitoring requests
"User-Agent": ["v0.1.0"], // Keep this in sync with 'version' in package level manifest.yml.

to maintain consistency with other data streams.

packages/ti_google_threat_intelligence/data_stream/ioc_stream/agent/stream/cel.yml.hbs
"last_timestamp": has(body.?meta.cursor) ? state.start_time : state.end_time,
},
"want_more": has(body.?meta.cursor),
"next_page": has(body.?meta.cursor) ? body.meta.cursor : null
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"next_page": has(body.?meta.cursor) ? body.meta.cursor : null
"next": {
?"page": body.?meta.cursor,
"interval": interval,
},

Please don't use null to indicate absence.

packages/ti_google_threat_intelligence/data_stream/ioc_stream/agent/stream/cel.yml.hbs
Comment on lines +48 to +53
"events": ( has(body.data) && size(body.data) > 0 ?
body.data.map(e, {
"message": e.encode_json()
})
:
[{"message": "retry"}]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"events": ( has(body.data) && size(body.data) > 0 ?
body.data.map(e, {
"message": e.encode_json()
})
:
[{"message": "retry"}]
"events": ( has(body.data) && size(body.data) > 0 ?
body.data.map(e, {
"message": e.encode_json()
})
:
[{"message": "retry"}]

..._google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml
Comment on lines +23 to +30
- set:
field: observer.vendor
tag: set_observer_vendor
value: Google
- set:
field: observer.product
tag: set_observer_product
value: Threat Intelligence
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can these be constant_keyword?

..._google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml
Comment on lines +65 to +69
- convert:
field: json.attributes.asn
tag: convert_attributes_asn_to_long
target_field: gti.ioc_stream.attributes.asn
type: long
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this always safe? (ref) (same below)

..._google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml
Comment on lines +2458 to +2463
if (ctx.threat == null) {
ctx.threat = new HashMap();
}
if (ctx.threat.indicator == null) {
ctx.threat.indicator = new HashMap();
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (ctx.threat == null) {
ctx.threat = new HashMap();
}
if (ctx.threat.indicator == null) {
ctx.threat.indicator = new HashMap();
}
ctx.threat = ctx.thread ?: [:];
ctx.threat.indicator = ctx.thread.indicator ?: [:];

..._google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml
- append:
field: tags
value: preserve_original_event
allow_duplicates: false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Final new line.

..._google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml
Comment on lines +2491 to +2495
- set:
field: event.kind
tag: set_pipeline_error_into_event_kind
value: pipeline_error
if: ctx.error?.message != null
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note discussion about this being an array?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Crest Contributions from Crest developement team. dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:ti_google_threat_intelligence Google Threat Intelligence (Partner supported) New Integration Issue or pull request for creating a new integration package. Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@niraj-crest @elasticmachine @efd6 @andrewkroh