@chemamartinez
Contributor

Proposed commit message

API specifications for Google Threat Lists changed the availability time range of generated lists from one hour to two hours back.

Threat Lists are hourly generated as IoCs packages, with 2 hours difference from the current time. This means that if the current time in UTC is T, you can get T-2h Threat List but not any more recent than that.

Default initial intervals have been updated to align with that requirement.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices
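
An added example (not part of this pull request or the integration's own code) showing why an initial interval shorter than the two-hour availability delay collects nothing. It assumes a first run looks back `initial_interval` from the current UTC time and requests one list per hour; `NewestAvailable` and `HourlySlots` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AvailabilityDelay is the lag from the commit message: at time T (UTC) the
// newest hourly list that can be requested is the one for T-2h.
const AvailabilityDelay = 2 * time.Hour

// ErrIntervalTooShort means the look-back window holds no published list.
var ErrIntervalTooShort = errors.New("initial interval is shorter than the availability delay")

// NewestAvailable returns the hour of the most recent list published at now.
func NewestAvailable(now time.Time) time.Time {
	return now.UTC().Add(-AvailabilityDelay).Truncate(time.Hour)
}

// HourlySlots lists, oldest first, the hourly lists a first run can fetch.
// Assumption: the window starts at now-initialInterval, rounded down to the hour.
func HourlySlots(now time.Time, initialInterval time.Duration) ([]time.Time, error) {
	if initialInterval < AvailabilityDelay {
		return nil, ErrIntervalTooShort
	}
	newest := NewestAvailable(now)
	oldest := now.UTC().Add(-initialInterval).Truncate(time.Hour)
	var slots []time.Time
	for t := oldest; !t.After(newest); t = t.Add(time.Hour) {
		slots = append(slots, t)
	}
	return slots, nil
}

func main() {
	now := time.Date(2025, 11, 27, 15, 21, 0, 0, time.UTC) // constructed sample time
	for _, s := range []string{"1h", "2h", "6h"} {
		d, _ := time.ParseDuration(s)
		slots, err := HourlySlots(now, d)
		fmt.Printf("initial_interval=%s slots=%d err=%v\n", s, len(slots), err)
	}
}
```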

@chemamartinez chemamartinez self-assigned this Nov 27, 2025
@chemamartinez chemamartinez added enhancement New feature or request Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:ti_google_threat_intelligence Google Threat Intelligence (Partner supported) labels Nov 27, 2025
@chemamartinez chemamartinez marked this pull request as ready for review November 27, 2025 15:21
@chemamartinez chemamartinez requested a review from a team as a code owner November 27, 2025 15:21
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Nov 27, 2025
Contributor

@kcreddy kcreddy left a comment

LGTM.
For initial_interval and interval, we should consider the duration type with min_duration option to help with such validations.

@chemamartinez
Contributor Author

Thanks, @kcreddy

> For initial_interval and interval, we should consider the duration type with min_duration option to help with such validations.

It is a good point; the problem I see right now is that it would force the integration to bump its minimum Kibana version to 9.2.0, and this is related to an SDH, so I'd wait to add this change for now.

"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
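
Review bot: on the changed User-Agent line, the value is a hand-maintained copy of the package version, with only the trailing comment to keep it aligned with manifest.yml. Consider a test or CI check that compares this header value with `version` in the package-level manifest.yml, so a stale value fails the build instead of depending on a reviewer noticing it.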
Contributor

@kcreddy kcreddy Dec 2, 2025

Suggested change
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.8.0"], // Keep this in sync with 'version' in package level manifest.yml.

Nit.
@chemamartinez, please update them accordingly.

Contributor Author

Thank you for the reminder!

@elasticmachine

💚 Build Succeeded

cc @chemamartinez

@chemamartinez chemamartinez merged commit 205a288 into elastic:main Dec 2, 2025
8 checks passed
@chemamartinez chemamartinez deleted the ti_google_threat_intelligence-fix-default-initial-interval branch December 2, 2025 15:48
@elastic-vault-github-plugin-prod

Package ti_google_threat_intelligence - 0.8.0 containing this change is available at https://epr.elastic.co/package/ti_google_threat_intelligence/0.8.0/
