Merged
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst
- An API key will be used to authenticate your request.
- **Time Selection of Initial Interval and Interval**:
- Users need to specify the **initial interval** and **interval** in an hourly format, such as **2h**, **3h**, etc.
**Note:** Please make sure both initial interval and interval are in hours and greater than 1 hour.
**Note:** Please make sure both initial interval and interval are in hours and the initial interval is greater than 2 hours.

### Enabling the integration in Elastic:

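Review bot: the new wording on the `**Note:**` line, "the initial interval is greater than 2 hours", contradicts the data stream manifests in this same PR, which set `default: 2h` and say "Must be at least 2h". A reader following the README would conclude the shipped default is invalid. Suggest "the initial interval is at least 2 hours", and consider stating here (as the manifests do) that the interval itself still has to be at least 1 hour, since that constraint is silently dropped from the README by this change.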
Expand Down Expand Up @@ -163,7 +163,7 @@ These transforms are automatically started to populate `Threat Intelligence`, `A

## Troubleshooting

1. If you see an error like `Package 2025031310 is not available until 2025-03-13 at 11:00 UTC because of privacy policy.`, ensure that your initial interval and interval are set in hours and are greater than one hour.
1. If you see an error like `Package 2025031310 is not available until 2025-03-13 at 11:00 UTC because of privacy policy.`, ensure that your initial interval and interval are set in hours and the initial interval is greater than two hours.
2. If events are not appearing in the transformed index, check if transforms are running without errors. If you encounter issues, refer to [Troubleshooting transforms](https://www.elastic.co/guide/en/elasticsearch/reference/current/transform-troubleshooting.html).
3. If detection rules take longer to run, ensure you have specified index patterns and applied queries to make your source events more specific.
**Note:** More events in index patterns mean more time needed for detection rules to run.
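Review bot: item 1 has the same off-by-one wording problem as the earlier note: "the initial interval is greater than two hours" excludes the `2h` default that the manifests in this PR ship, so the troubleshooting advice would tell a user on defaults that their configuration is wrong. Suggest "at least two hours". The rewrite also removes the previous requirement on `interval` (it only keeps "set in hours"), while every manifest description in the diff still says the interval must exceed 1 hour because lists are generated hourly; the troubleshooting item should keep that condition so the quoted `Package ... is not available until ...` error is fully explained.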
Expand Down
5 changes: 5 additions & 0 deletions packages/ti_google_threat_intelligence/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.8.0"
changes:
- description: Update default initial interval for threat list data streams to account for the API's 2-hour delay in data availability.
type: enhancement
link: https://github.com/elastic/integrations/pull/16145
- version: "0.7.0"
changes:
- description: Add ingest pipeline references to the transforms.
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.8.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
Expand Down
Expand Up @@ -13,12 +13,12 @@ streams:
multi: false
required: true
show_user: true
default: 1h
description: How far back to pull Cryptominer events from the Google Threat Intelligence API. It must be set greater than 1 hour due to API limitations, with supported units being h.
default: 2h
description: How far back to pull Cryptominer events from the Google Threat Intelligence API. Must be at least 2h because the API has a 2-hour delay in data availability. Supported units are h.
- name: interval
type: text
title: Interval
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour due to API limitations, with supported units being h.
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour as threat lists are generated hourly and the API returns errors when requesting data prematurely. Supported units are h.
default: 1h
multi: false
required: true
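Review bot: the new `interval` description says the value "must be set to a value greater than 1 hour", but the unchanged `default: 1h` directly below it violates that statement, so the default configuration is described as invalid. Either the text should read "at least 1h" (consistent with the "at least 2h" wording chosen for the initial interval in the same hunk) or the default needs to change. The same description is repeated verbatim in every other data stream manifest in this diff, so whichever fix is chosen should be applied to all of them. Note also that `type: text` carries no validation, so the hourly-units and minimum-value constraints are documentation only; a user entering `30m` will only find out from the API error quoted in the README.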
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
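Review bot: this hunk bumps the `User-Agent` to `v0.7.0`, but the changelog in this same PR adds version `0.8.0`, and the cryptominer stream above was bumped to `v0.8.0`. The inline comment on that very line says to keep the value in sync with `version` in the package-level manifest, so `v0.7.0` is already stale on merge. The remaining data stream programs in this diff (first stage delivery vectors, infostealer, IoT, Linux, malicious network infrastructure, malware, mobile, OS X, phishing, ransomware, and the stream with the `x-apikey` header) make the identical `v0.6.1` to `v0.7.0` change; suggest setting all of them to `v0.8.0` so the API sees one consistent client version across streams.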
Expand Down
Expand Up @@ -13,12 +13,12 @@ streams:
multi: false
required: true
show_user: true
default: 1h
description: How far back to pull First Stage Delivery Vectors events from the Google Threat Intelligence API. It must be set greater than 1 hour due to API limitations, with supported units being h.
default: 2h
description: How far back to pull First Stage Delivery Vectors events from the Google Threat Intelligence API. Must be at least 2h because the API has a 2-hour delay in data availability. Supported units are h.
- name: interval
type: text
title: Interval
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour due to API limitations, with supported units being h.
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour as threat lists are generated hourly and the API returns errors when requesting data prematurely. Supported units are h.
default: 1h
multi: false
required: true
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
Expand Down
Expand Up @@ -13,12 +13,12 @@ streams:
multi: false
required: true
show_user: true
default: 1h
description: How far back to pull Infostealer events from the Google Threat Intelligence API. It must be set greater than 1 hour due to API limitations, with supported units being h.
default: 2h
description: How far back to pull Infostealer events from the Google Threat Intelligence API. Must be at least 2h because the API has a 2-hour delay in data availability. Supported units are h.
- name: interval
type: text
title: Interval
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour due to API limitations, with supported units being h.
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour as threat lists are generated hourly and the API returns errors when requesting data prematurely. Supported units are h.
default: 1h
multi: false
required: true
Expand Down
Expand Up @@ -41,7 +41,7 @@ program: |
"Header": {
"x-apikey": [state.access_token],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}
}).do_request().as(resp, resp.StatusCode == 200 ?
resp.Body.decode_json().as(body, {
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
Expand Down
Expand Up @@ -13,12 +13,12 @@ streams:
multi: false
required: true
show_user: true
default: 1h
description: How far back to pull Internet of Things events from the Google Threat Intelligence API. It must be set greater than 1 hour due to API limitations, with supported units being h.
default: 2h
description: How far back to pull Internet of Things events from the Google Threat Intelligence API. Must be at least 2h because the API has a 2-hour delay in data availability. Supported units are h.
- name: interval
type: text
title: Interval
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour due to API limitations, with supported units being h.
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour as threat lists are generated hourly and the API returns errors when requesting data prematurely. Supported units are h.
default: 1h
multi: false
required: true
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
Expand Down
Expand Up @@ -13,12 +13,12 @@ streams:
multi: false
required: true
show_user: true
default: 1h
description: How far back to pull Linux events from the Google Threat Intelligence API. It must be set greater than 1 hour due to API limitations, with supported units being h.
default: 2h
description: How far back to pull Linux events from the Google Threat Intelligence API. Must be at least 2h because the API has a 2-hour delay in data availability. Supported units are h.
- name: interval
type: text
title: Interval
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour due to API limitations, with supported units being h.
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour as threat lists are generated hourly and the API returns errors when requesting data prematurely. Supported units are h.
default: 1h
multi: false
required: true
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
Expand Down
Expand Up @@ -12,12 +12,12 @@ streams:
multi: false
required: true
show_user: true
default: 1h
description: How far back to pull Malicious Network Infrastructure events from the Google Threat Intelligence API. It must be set greater than 1 hour due to API limitations, with supported units being h.
default: 2h
description: How far back to pull Malicious Network Infrastructure events from the Google Threat Intelligence API. Must be at least 2h because the API has a 2-hour delay in data availability. Supported units are h.
- name: interval
type: text
title: Interval
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour due to API limitations, with supported units being h.
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour as threat lists are generated hourly and the API returns errors when requesting data prematurely. Supported units are h.
default: 1h
multi: false
required: true
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
Expand Down
Expand Up @@ -13,12 +13,12 @@ streams:
multi: false
required: true
show_user: true
default: 1h
description: How far back to pull Malware events from the Google Threat Intelligence API. It must be set greater than 1 hour due to API limitations, with supported units being h.
default: 2h
description: How far back to pull Malware events from the Google Threat Intelligence API. Must be at least 2h because the API has a 2-hour delay in data availability. Supported units are h.
- name: interval
type: text
title: Interval
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour due to API limitations, with supported units being h.
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour as threat lists are generated hourly and the API returns errors when requesting data prematurely. Supported units are h.
default: 1h
multi: false
required: true
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
Expand Down
Expand Up @@ -13,12 +13,12 @@ streams:
multi: false
required: true
show_user: true
default: 1h
description: How far back to pull Mobile events from the Google Threat Intelligence API. It must be set greater than 1 hour due to API limitations, with supported units being h.
default: 2h
description: How far back to pull Mobile events from the Google Threat Intelligence API. Must be at least 2h because the API has a 2-hour delay in data availability. Supported units are h.
- name: interval
type: text
title: Interval
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour due to API limitations, with supported units being h.
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour as threat lists are generated hourly and the API returns errors when requesting data prematurely. Supported units are h.
default: 1h
multi: false
required: true
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
Expand Down
Expand Up @@ -13,12 +13,12 @@ streams:
multi: false
required: true
show_user: true
default: 1h
description: How far back to pull OS X events from the Google Threat Intelligence API. It must be set greater than 1 hour due to API limitations, with supported units being h.
default: 2h
description: How far back to pull OS X events from the Google Threat Intelligence API. Must be at least 2h because the API has a 2-hour delay in data availability. Supported units are h.
- name: interval
type: text
title: Interval
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour due to API limitations, with supported units being h.
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour as threat lists are generated hourly and the API returns errors when requesting data prematurely. Supported units are h.
default: 1h
multi: false
required: true
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
Expand Down
Expand Up @@ -13,12 +13,12 @@ streams:
multi: false
required: true
show_user: true
default: 1h
description: How far back to pull Phishing events from the Google Threat Intelligence API. It must be set greater than 1 hour due to API limitations, with supported units being h.
default: 2h
description: How far back to pull Phishing events from the Google Threat Intelligence API. Must be at least 2h because the API has a 2-hour delay in data availability. Supported units are h.
- name: interval
type: text
title: Interval
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour due to API limitations, with supported units being h.
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour as threat lists are generated hourly and the API returns errors when requesting data prematurely. Supported units are h.
default: 1h
multi: false
required: true
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
Expand Down
Expand Up @@ -12,12 +12,12 @@ streams:
multi: false
required: true
show_user: true
default: 1h
description: How far back to pull Ransomware events from the Google Threat Intelligence API. It must be set greater than 1 hour due to API limitations, with supported units being h.
default: 2h
description: How far back to pull Ransomware events from the Google Threat Intelligence API. Must be at least 2h because the API has a 2-hour delay in data availability. Supported units are h.
- name: interval
type: text
title: Interval
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour due to API limitations, with supported units being h.
description: Duration between consecutive requests to the Google Threat Intelligence API. It must be set to a value greater than 1 hour as threat lists are generated hourly and the API returns errors when requesting data prematurely. Supported units are h.
default: 1h
multi: false
required: true
Expand Down
Expand Up @@ -33,7 +33,7 @@ program: |
?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
"limit": ["4000"],
"x-tool": ["Elastic"],
"User-Agent": ["v0.6.1"], // Keep this in sync with 'version' in package level manifest.yml.
"User-Agent": ["v0.7.0"], // Keep this in sync with 'version' in package level manifest.yml.
}.format_query()
).with({
"Header": {
Expand Down