[ti_cyware_threat_intelligence] Initial release of Cyware Threat Intelligence #14500

muskan-agarwal26 · 2025-07-11T05:58:48Z

Proposed commit message

The initial release includes an indicator data stream for supporting indicators via REST API, along with their corresponding dashboards and visualizations.

Cyware Threat Intelligence fields are mapped to their corresponding ECS fields where possible.

Test samples were derived from documentation.

Checklist

I have reviewed tips for building integrations and this pull request is aligned with them.
I have verified that all data streams collect metrics or logs.
I have added an entry to my package's changelog.yml file.
I have verified that Kibana version constraints are current according to guidelines.
I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Clone integrations repo.
Install elastic package locally.
Start elastic stack using elastic-package.
Move to integrations/packages/ti_cyware_threat_intelligence directory.
Run the following command to run tests.

elastic-package test

elastic-package test
2025/07/10 21:56:01  INFO New version is available - v0.112.0. Download from: https://github.com/elastic/elastic-package/releases/tag/v0.112.0
Run asset tests for the package
2025/07/10 21:56:01  INFO License text found in "/root/GITHUB/integrations/LICENSE.txt" will be included in package
--- Test results for package: ti_cyware_threat_intelligence - START ---
╭───────────────────────────────┬─────────────┬───────────┬────────────────────────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE                       │ DATA STREAM │ TEST TYPE │ TEST NAME                                                                              │ RESULT │ TIME ELAPSED │
├───────────────────────────────┼─────────────┼───────────┼────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ ti_cyware_threat_intelligence │             │ asset     │ dashboard ti_cyware_threat_intelligence-56ee88b2-39b0-44f1-a122-46ff83bdbcb0 is loaded │ PASS   │      3.112µs │
│ ti_cyware_threat_intelligence │             │ asset     │ search ti_cyware_threat_intelligence-d3c12e4c-1d77-4c81-8223-5f909ffb433f is loaded    │ PASS   │      1.017µs │
│ ti_cyware_threat_intelligence │ indicator   │ asset     │ index_template logs-ti_cyware_threat_intelligence.indicator is loaded                  │ PASS   │      1.005µs │
│ ti_cyware_threat_intelligence │ indicator   │ asset     │ ingest_pipeline logs-ti_cyware_threat_intelligence.indicator-0.1.0 is loaded           │ PASS   │        570ns │
╰───────────────────────────────┴─────────────┴───────────┴────────────────────────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: ti_cyware_threat_intelligence - END   ---
Done
Run pipeline tests for the package
--- Test results for package: ti_cyware_threat_intelligence - START ---
╭───────────────────────────────┬─────────────┬───────────┬───────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE                       │ DATA STREAM │ TEST TYPE │ TEST NAME                                     │ RESULT │ TIME ELAPSED │
├───────────────────────────────┼─────────────┼───────────┼───────────────────────────────────────────────┼────────┼──────────────┤
│ ti_cyware_threat_intelligence │ indicator   │ pipeline  │ (ingest pipeline warnings test-indicator.log) │ PASS   │ 1.917131341s │
│ ti_cyware_threat_intelligence │ indicator   │ pipeline  │ test-indicator.log                            │ PASS   │ 663.276696ms │
╰───────────────────────────────┴─────────────┴───────────┴───────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: ti_cyware_threat_intelligence - END   ---
Done
Run policy tests for the package
--- Test results for package: ti_cyware_threat_intelligence - START ---
No test results
--- Test results for package: ti_cyware_threat_intelligence - END   ---
Done
Run static tests for the package
--- Test results for package: ti_cyware_threat_intelligence - START ---
╭───────────────────────────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE                       │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├───────────────────────────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ ti_cyware_threat_intelligence │ indicator   │ static    │ Verify sample_event.json │ PASS   │  444.10598ms │
╰───────────────────────────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: ti_cyware_threat_intelligence - END   ---
Done
Run system tests for the package
2025/07/10 21:56:15  INFO License text found in "/root/GITHUB/integrations/LICENSE.txt" will be included in package
2025/07/10 21:57:25  INFO Write container logs to file: /root/GITHUB/integrations/build/container-logs/ti_cyware_threat_intelligence-1752164845393050794.log
2025/07/10 21:57:29  INFO Write container logs to file: /root/GITHUB/integrations/build/container-logs/elastic-agent-1752164849581505460.log
--- Test results for package: ti_cyware_threat_intelligence - START ---
╭───────────────────────────────┬─────────────┬───────────┬───────────┬────────┬────────────────╮
│ PACKAGE                       │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │   TIME ELAPSED │
├───────────────────────────────┼─────────────┼───────────┼───────────┼────────┼────────────────┤
│ ti_cyware_threat_intelligence │ indicator   │ system    │ default   │ PASS   │ 1m2.440650535s │
╰───────────────────────────────┴─────────────┴───────────┴───────────┴────────┴────────────────╯
--- Test results for package: ti_cyware_threat_intelligence - END   ---
Done

Related issues

Closes [New Integration] Cyware Threat Intelligence eXchange (CTIX) #14406

Screenshots

elasticmachine · 2025-07-11T10:56:35Z

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

kcreddy · 2025-07-11T10:56:39Z

/test

elastic-vault-github-plugin-prod · 2025-07-11T11:20:17Z

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

elastic-sonarqube · 2025-07-11T11:20:25Z

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
89.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

elasticmachine · 2025-07-11T11:20:31Z

💚 Build Succeeded

Buildkite Build
Commit: 0b0c1b0

efd6 · 2025-07-13T22:52:23Z

packages/ti_cyware_threat_intelligence/data_stream/indicator/agent/stream/cel.yml.hbs

+          })
+        ).flatten(),
+        "want_more": has(body.next) && body.next != null,
+        "page_number": has(body.next) && body.next != null ? int(state.?page_number.orValue(1)) + 1 : 1,


Please split this over lines.

What happens when state.page_number does not exist and body.next does and is not null? Then we start at 2. Is that intended? Can it ever happen?

efd6 · 2025-07-13T22:53:16Z

packages/ti_cyware_threat_intelligence/data_stream/indicator/agent/stream/cel.yml.hbs

+        },
+      })
+    :
+      {


In this branch, we lose all the accumulated state fields. Is that acceptable?

muskan-crest added 2 commits July 10, 2025 22:00

Initial Release of Cyware Threat Intelligence

23176a0

Updated tag in default.yml

facf19e

muskan-agarwal26 requested a review from a team as a code owner July 11, 2025 05:58

Updated changelog entry

0b0c1b0

kcreddy added dashboard Relates to a Kibana dashboard bug, enhancement, or modification. New Integration Issue or pull request for creating a new integration package. Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Jul 11, 2025

kcreddy added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Crest Contributions from Crest developement team. labels Jul 11, 2025

efd6 reviewed Jul 13, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[ti_cyware_threat_intelligence] Initial release of Cyware Threat Intelligence #14500

[ti_cyware_threat_intelligence] Initial release of Cyware Threat Intelligence #14500

muskan-agarwal26 commented Jul 11, 2025

Uh oh!

elasticmachine commented Jul 11, 2025

Uh oh!

kcreddy commented Jul 11, 2025

Uh oh!

elastic-vault-github-plugin-prod bot commented Jul 11, 2025

Uh oh!

elastic-sonarqube bot commented Jul 11, 2025

Uh oh!

elasticmachine commented Jul 11, 2025

Uh oh!

efd6 Jul 13, 2025

Uh oh!

efd6 Jul 13, 2025

Uh oh!

Uh oh!

[ti_cyware_threat_intelligence] Initial release of Cyware Threat Intelligence #14500

Are you sure you want to change the base?

[ti_cyware_threat_intelligence] Initial release of Cyware Threat Intelligence #14500

Conversation

muskan-agarwal26 commented Jul 11, 2025

Proposed commit message

Checklist

How to test this PR locally

Related issues

Screenshots

Uh oh!

elasticmachine commented Jul 11, 2025

Uh oh!

kcreddy commented Jul 11, 2025

Uh oh!

elastic-vault-github-plugin-prod bot commented Jul 11, 2025

🚀 Benchmarks report

Uh oh!

elastic-sonarqube bot commented Jul 11, 2025

Quality Gate passed

Uh oh!

elasticmachine commented Jul 11, 2025

💚 Build Succeeded

Uh oh!

efd6 Jul 13, 2025

Choose a reason for hiding this comment

Uh oh!

efd6 Jul 13, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!