From 54ec2e63b99ae6bd862934f65b6e97201eb69d37 Mon Sep 17 00:00:00 2001 From: Chris Berkhout Date: Fri, 5 Jun 2026 18:45:01 +0200 Subject: [PATCH 1/5] Clarify "enrichment" in the README. --- .../_dev/build/docs/README.md | 12 ++++++------ .../ti_google_threat_intelligence/docs/README.md | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/packages/ti_google_threat_intelligence/_dev/build/docs/README.md b/packages/ti_google_threat_intelligence/_dev/build/docs/README.md index 0aa720c85d3..192a4ad2912 100644 --- a/packages/ti_google_threat_intelligence/_dev/build/docs/README.md +++ b/packages/ti_google_threat_intelligence/_dev/build/docs/README.md @@ -6,7 +6,7 @@ Google Threat Intelligence integration offers support for two APIs: 1. **[Threat List API](https://gtidocs.virustotal.com/reference/get-hourly-threat-list)** to deliver hourly data chunks. The Threat Lists feature allows customers to consume **Indicators of Compromise (IOCs)** categorized by various threat types. -2. **[IOC Stream API](https://gtidocs.virustotal.com/reference/get-objects-from-the-ioc-stream)** to deliver various types of **Indicators of Compromise (IOCs)** originating from multiple sources. Depending on the source of the notification, different context-specific attributes are added to enrich the IOCs. +2. **[IOC Stream API](https://gtidocs.virustotal.com/reference/get-objects-from-the-ioc-stream)** to deliver various types of **Indicators of Compromise (IOCs)** originating from multiple sources. Depending on the source of the notification, different context-specific attributes are added to the IOCs. ## Threat List API Feeds 
@@ -114,15 +114,15 @@ A **retention policy** is used to remove data older than the default retention p In this integration, all data streams have a **retention period of 30 days**. -### Enrichment with Detection Rules +### Customizing Detection Rules -Detection Rules match the user's Elastic environment data with GTI data, generating an alert if a match is found. To access detection rules: +Detection Rules match the user's data with GTI data, generating an alert if a match is found. To access detection rules: 1. Navigate to **Security > Rules > Detection Rules** and click on **Add Elastic Rules**. 2. Search for **Google Threat Intelligence** to find prebuilt Elastic detection rules. 3. Four detection rules are available for **IP, URL, File, and Domain**. Users can install one or more rules as needed. -To tailor a rule based on Elastic environment: +To customize a rule for your Elastic environment: 1. Click the three dots on the right side of any detection rule. 2. Select **Duplicate Rule**. 
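Review bot: the new heading `### Customizing Detection Rules` is narrower than the section it titles; the first numbered list that follows ("Navigate to **Security > Rules > Detection Rules** ... Users can install one or more rules as needed.") is about finding and installing the prebuilt rules, and only the second list ("To customize a rule for your Elastic environment") is about customizing them. If the aim is only to drop the word "enrichment", a title that covers both lists, such as `### Detection Rules` or `### Installing and Customizing Detection Rules`, would fit better; the same applies to the identical hunk in `docs/README.md`.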
@@ -154,12 +154,12 @@ The following are the names of the eight sample rules: - Detected IOC Transform (ID: `logs-ti_google_threat_intelligence.rule`) - Detected IOC from IOC stream Transform (ID: `logs-ti_google_threat_intelligence.rule_ioc_st`) -These transforms are automatically started to populate `Threat Intelligence`, `Adversary Intelligence` and `IOC Stream Threat Intelligence` dashboards. The `data_stream.dataset: ti_google_threat_intelligence.enriched_ioc` and `data_stream.dataset: ti_google_threat_intelligence.enriched_ioc_stream` field represents logs for enriched threat intelligence data, which can be analyzed in the **Discover** section. +These transforms are automatically started to populate `Threat Intelligence`, `Adversary Intelligence` and `IOC Stream Threat Intelligence` dashboards. The `data_stream.dataset: ti_google_threat_intelligence.enriched_ioc` and `data_stream.dataset: ti_google_threat_intelligence.enriched_ioc_stream` field represents logs for current threat intelligence data, which can be analyzed in the **Discover** section. ## Limitations 1. If an event contains multiple matching mappings (e.g., two file hash fields within the same event match GTI data), only one alert per detection rule will be generated for that event. -2. If an IOC from the user's Elasticsearch index is enriched with GTI information, and the GTI information is updated later, the changes are not reflected in the dashboards because Elastic detection rules only run on live data. +2. If GTI information is ingested and procesed by a transform, and the GTI source information is updated later, the changes are not reflected in the dashboards because the Elastic detection rules only run on the transformed (destination) data. ## Troubleshooting diff --git a/packages/ti_google_threat_intelligence/docs/README.md b/packages/ti_google_threat_intelligence/docs/README.md index 540de8b0484..b3b5b279a6c 100644 --- a/packages/ti_google_threat_intelligence/docs/README.md 
+++ b/packages/ti_google_threat_intelligence/docs/README.md @@ -6,7 +6,7 @@ Google Threat Intelligence integration offers support for two APIs: 1. **[Threat List API](https://gtidocs.virustotal.com/reference/get-hourly-threat-list)** to deliver hourly data chunks. The Threat Lists feature allows customers to consume **Indicators of Compromise (IOCs)** categorized by various threat types. -2. **[IOC Stream API](https://gtidocs.virustotal.com/reference/get-objects-from-the-ioc-stream)** to deliver various types of **Indicators of Compromise (IOCs)** originating from multiple sources. Depending on the source of the notification, different context-specific attributes are added to enrich the IOCs. +2. **[IOC Stream API](https://gtidocs.virustotal.com/reference/get-objects-from-the-ioc-stream)** to deliver various types of **Indicators of Compromise (IOCs)** originating from multiple sources. Depending on the source of the notification, different context-specific attributes are added to the IOCs. ## Threat List API Feeds 
@@ -114,15 +114,15 @@ A **retention policy** is used to remove data older than the default retention p In this integration, all data streams have a **retention period of 30 days**. -### Enrichment with Detection Rules +### Customizing Detection Rules -Detection Rules match the user's Elastic environment data with GTI data, generating an alert if a match is found. To access detection rules: +Detection Rules match the user's data with GTI data, generating an alert if a match is found. To access detection rules: 1. Navigate to **Security > Rules > Detection Rules** and click on **Add Elastic Rules**. 2. Search for **Google Threat Intelligence** to find prebuilt Elastic detection rules. 3. Four detection rules are available for **IP, URL, File, and Domain**. Users can install one or more rules as needed. -To tailor a rule based on Elastic environment: +To customize a rule for your Elastic environment: 1. Click the three dots on the right side of any detection rule. 2. Select **Duplicate Rule**. 
@@ -154,12 +154,12 @@ The following are the names of the eight sample rules: - Detected IOC Transform (ID: `logs-ti_google_threat_intelligence.rule`) - Detected IOC from IOC stream Transform (ID: `logs-ti_google_threat_intelligence.rule_ioc_st`) -These transforms are automatically started to populate `Threat Intelligence`, `Adversary Intelligence` and `IOC Stream Threat Intelligence` dashboards. The `data_stream.dataset: ti_google_threat_intelligence.enriched_ioc` and `data_stream.dataset: ti_google_threat_intelligence.enriched_ioc_stream` field represents logs for enriched threat intelligence data, which can be analyzed in the **Discover** section. +These transforms are automatically started to populate `Threat Intelligence`, `Adversary Intelligence` and `IOC Stream Threat Intelligence` dashboards. The `data_stream.dataset: ti_google_threat_intelligence.enriched_ioc` and `data_stream.dataset: ti_google_threat_intelligence.enriched_ioc_stream` field represents logs for current threat intelligence data, which can be analyzed in the **Discover** section. ## Limitations 1. If an event contains multiple matching mappings (e.g., two file hash fields within the same event match GTI data), only one alert per detection rule will be generated for that event. -2. If an IOC from the user's Elasticsearch index is enriched with GTI information, and the GTI information is updated later, the changes are not reflected in the dashboards because Elastic detection rules only run on live data. +2. If GTI information is ingested and procesed by a transform, and the GTI source information is updated later, the changes are not reflected in the dashboards because the Elastic detection rules only run on the transformed (destination) data. ## Troubleshooting From 00db59e691c97b2434eb5a77a4d4515cb7db26e1 Mon Sep 17 00:00:00 2001 
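Review bot: in the rewritten limitation 2 (the `@@ -154,12` hunk, in both `_dev/build/docs/README.md` and `docs/README.md`) the causal clause does not follow from the surrounding text. The sentence just before `## Limitations` says the transforms populate the dashboards, but the new wording blames stale dashboards on "the Elastic detection rules only run on the transformed (destination) data", which names a different component. State plainly which component reads the stale copy and why it is not refreshed; as written a reader cannot tell whether the rules or the transforms are the reason. Two smaller points in the same hunk: "procesed" is misspelled (fixed separately in 4/5 and 5/5; squash those here), and replacing "enriched threat intelligence data" with "current threat intelligence data" is vaguer while the dataset names `ti_google_threat_intelligence.enriched_ioc` and `enriched_ioc_stream` still say "enriched"; "data produced by these transforms" would tie the sentence to the names, and "field represents" should read "fields represent" since two datasets are listed.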
From: Chris Berkhout Date: Fri, 5 Jun 2026 18:47:45 +0200 Subject: [PATCH 2/5] Version bump, changelog entry. --- packages/ti_google_threat_intelligence/changelog.yml | 5 +++++ packages/ti_google_threat_intelligence/manifest.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/ti_google_threat_intelligence/changelog.yml b/packages/ti_google_threat_intelligence/changelog.yml index 40b1986d7dc..24a307f98c6 100644 --- a/packages/ti_google_threat_intelligence/changelog.yml +++ b/packages/ti_google_threat_intelligence/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Clarify "enhanced" in the README. + type: enhancement + link: https://github.com/elastic/integrations/pull/19411 - version: "1.0.0" changes: - description: Fix IOC stream correlation pipeline field mappings for indicator enrichment. diff --git a/packages/ti_google_threat_intelligence/manifest.yml b/packages/ti_google_threat_intelligence/manifest.yml index bde8b920b17..c7d9cf9a429 100644 --- a/packages/ti_google_threat_intelligence/manifest.yml +++ b/packages/ti_google_threat_intelligence/manifest.yml @@ -3,7 +3,7 @@ name: ti_google_threat_intelligence title: Google Threat Intelligence # This version must match the User-Agent version used in CEL code. # Remember to update the User-Agent in CEL code when changing this version. -version: "1.0.0" +version: "1.1.0" description: Collect Threat Intelligence Events from Google Threat Intelligence using Elastic Agent, and perform enrichment on Elasticsearch by correlating Indicators of Compromise (IOCs). type: integration categories: From c0864ed66984cb6ddb342f042a6fc1a310f49af3 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Wed, 10 Jun 2026 08:30:07 +0930 Subject: [PATCH 3/5] Update packages/ti_google_threat_intelligence/changelog.yml --- packages/ti_google_threat_intelligence/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
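Review bot: the manifest comment directly above the changed `version:` line says "This version must match the User-Agent version used in CEL code. Remember to update the User-Agent in CEL code when changing this version.", but the diffstat for 2/5 lists only `changelog.yml` and `manifest.yml`, so the CEL User-Agent will keep reporting 1.0.0 while the package ships as 1.1.0. Update the CEL User-Agent string in this commit. Also, a README-wording-only change is a patch-level release (`1.0.1`) rather than a minor bump to `1.1.0`, and the changelog description `Clarify "enhanced" in the README.` names the wrong word (the commit subject says "enrichment"); it is rewritten in 3/5 and again in 4/5, both of which could be squashed into this commit.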
diff --git a/packages/ti_google_threat_intelligence/changelog.yml b/packages/ti_google_threat_intelligence/changelog.yml index 24a307f98c6..cf2d58f0835 100644 --- a/packages/ti_google_threat_intelligence/changelog.yml +++ b/packages/ti_google_threat_intelligence/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "1.1.0" changes: - - description: Clarify "enhanced" in the README. + - description: Clarify "enrichment" in the README. type: enhancement link: https://github.com/elastic/integrations/pull/19411 - version: "1.0.0" From 07eb59977618429c50fbe1989091c23b731e2ebd Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Wed, 10 Jun 2026 08:36:57 +0930 Subject: [PATCH 4/5] Apply suggestions from code review Co-authored-by: Dan Kortschak --- .../ti_google_threat_intelligence/_dev/build/docs/README.md | 2 +- packages/ti_google_threat_intelligence/changelog.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/ti_google_threat_intelligence/_dev/build/docs/README.md b/packages/ti_google_threat_intelligence/_dev/build/docs/README.md index 192a4ad2912..f490840888b 100644 --- a/packages/ti_google_threat_intelligence/_dev/build/docs/README.md +++ b/packages/ti_google_threat_intelligence/_dev/build/docs/README.md 
@@ -159,7 +159,7 @@ These transforms are automatically started to populate `Threat Intelligence`, `A ## Limitations 1. If an event contains multiple matching mappings (e.g., two file hash fields within the same event match GTI data), only one alert per detection rule will be generated for that event. -2. If GTI information is ingested and procesed by a transform, and the GTI source information is updated later, the changes are not reflected in the dashboards because the Elastic detection rules only run on the transformed (destination) data. +2. If GTI information is ingested and processed by a transform, and the GTI source information is updated later, the changes are not reflected in the dashboards because the Elastic detection rules only run on the transformed (destination) data. ## Troubleshooting diff --git a/packages/ti_google_threat_intelligence/changelog.yml b/packages/ti_google_threat_intelligence/changelog.yml index cf2d58f0835..f7736fdd242 100644 --- a/packages/ti_google_threat_intelligence/changelog.yml +++ b/packages/ti_google_threat_intelligence/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "1.1.0" changes: - - description: Clarify "enrichment" in the README. + - description: Rename detection rules section to avoid confusion with data enrichment. type: enhancement link: https://github.com/elastic/integrations/pull/19411 - version: "1.0.0" From ad142be34ecbc273b14e90771f2e63bae5f68119 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Wed, 10 Jun 2026 11:30:20 +0930 Subject: [PATCH 5/5] Update packages/ti_google_threat_intelligence/docs/README.md --- packages/ti_google_threat_intelligence/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/ti_google_threat_intelligence/docs/README.md b/packages/ti_google_threat_intelligence/docs/README.md index b3b5b279a6c..1f0342c2e64 100644 --- a/packages/ti_google_threat_intelligence/docs/README.md +++ b/packages/ti_google_threat_intelligence/docs/README.md 
@@ -159,7 +159,7 @@ These transforms are automatically started to populate `Threat Intelligence`, `A ## Limitations 1. If an event contains multiple matching mappings (e.g., two file hash fields within the same event match GTI data), only one alert per detection rule will be generated for that event. -2. If GTI information is ingested and procesed by a transform, and the GTI source information is updated later, the changes are not reflected in the dashboards because the Elastic detection rules only run on the transformed (destination) data. +2. If GTI information is ingested and processed by a transform, and the GTI source information is updated later, the changes are not reflected in the dashboards because the Elastic detection rules only run on the transformed (destination) data. ## Troubleshooting
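Review bot: the "procesed" fix is split across 4/5 (`_dev/build/docs/README.md`) and 5/5 (`docs/README.md`), while 1/5 applied identical hunks to both files in one commit, which suggests one copy is built from the other. Keep the two copies in a single commit (edit the `_dev/build` source and regenerate `docs/README.md` in the same step) so the generated copy cannot drift from its source; after 4/5 alone the two READMEs disagree. The `Co-authored-by: Dan Kortschak` trailer on 4/5 also duplicates the author line and can be dropped.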