Skip to content

Commit df03b65

Browse files
Initial release ti ticura 0.1.0 (#19280)
WHAT: Added the ti_ticura integration with all required assets, including pipelines, data streams, rules, searches, dashboards, and fields. This is the first release of this integration. WHY: To make the ti_ticura integration available to users via the Elastic Package Registry.
1 parent 9667bf1 commit df03b65

57 files changed

Lines changed: 5036 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/CODEOWNERS

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -574,6 +574,7 @@
574574
/packages/ti_strider @elastic/security-service-integrations @elastic/sit-crest-contractors
575575
/packages/ti_threatconnect @elastic/security-service-integrations @elastic/sit-crest-contractors
576576
/packages/ti_threatq @elastic/security-service-integrations @elastic/sit-crest-contractors
577+
/packages/ti_ticura @elastic/security-service-integrations @elastic/sit-crest-contractors
577578
/packages/ti_util @elastic/security-service-integrations @elastic/sit-crest-contractors
578579
/packages/tines @elastic/security-service-integrations @elastic/sit-crest-contractors
579580
/packages/tomcat @elastic/obs-infraobs-integrations
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
dependencies:
2+
ecs:
3+
reference: git@v9.3.0

packages/ti_ticura/_dev/build/docs/README.md

Lines changed: 385 additions & 0 deletions
Large diffs are not rendered by default.
Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
version: "2.3"
2+
services:
3+
cel:
4+
image: docker.elastic.co/observability/stream:v0.18.0
5+
ports:
6+
- 8080
7+
volumes:
8+
- ./files:/files:ro
9+
environment:
10+
PORT: 8080
11+
command:
12+
- http-server
13+
- --addr=:8080
14+
- --config=/files/config.yml
Lines changed: 71 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,71 @@
1+
rules:
2+
# ── Standard feed (10 indicators, all IOC types) ─────────────────────────
3+
# Used by: test-default-config.yml, test-tracer-config.yml,
4+
# test-preserve-original-config.yml
5+
- path: /v1/feeds/download/full
6+
methods: ["GET"]
7+
query_params:
8+
targetFormat: "ECSV1"
9+
request_headers:
10+
x-api-key: "test-token"
11+
responses:
12+
- status_code: 200
13+
headers:
14+
Content-Type:
15+
- "application/x-ndjson"
16+
body: |
17+
{{file "/files/ticura-feed.ndjson"}}
18+
# ── Expired-indicator feed (10 normal + 1 already-expired) ───────────────
19+
# Used by: test-expired-config.yml
20+
# The 11th indicator has ages_out in the past → the transform retention_policy
21+
# drops it from the latest index (it is still indexed in the raw stream).
22+
- path: /v1/feeds/expired/full
23+
methods: ["GET"]
24+
query_params:
25+
targetFormat: "ECSV1"
26+
request_headers:
27+
x-api-key: "test-token"
28+
responses:
29+
- status_code: 200
30+
headers:
31+
Content-Type:
32+
- "application/x-ndjson"
33+
body: |
34+
{{file "/files/ticura-feed-expired.ndjson"}}
35+
# ── Malformed-events feed (10 good + 2 malformed) ────────────────────────
36+
# Used by: test-malformed-config.yml
37+
# Two bad lines: one with no ticura block, one with ticura.indicator.uuid absent.
38+
# Both must be silently dropped → hit_count still 10.
39+
- path: /v1/feeds/malformed/full
40+
methods: ["GET"]
41+
query_params:
42+
targetFormat: "ECSV1"
43+
request_headers:
44+
x-api-key: "test-token"
45+
responses:
46+
- status_code: 200
47+
headers:
48+
Content-Type:
49+
- "application/x-ndjson"
50+
body: |
51+
{{file "/files/ticura-feed-malformed.ndjson"}}
52+
# ── Update-detection feed (fingerprint-based _id) ────────────────────────
53+
# Used by: test-update-config.yml
54+
# 4 lines: the same uuid (upd00001) appears at TWO fingerprints (a content
55+
# update with an unchanged last_seen) plus 2 other indicators. Because _id =
56+
# fingerprint(uuid + ticura.indicator.fingerprint), all 4 are distinct _ids →
57+
# hit_count 4. A regression to a uuid-only _id would collide the two versions
58+
# of upd00001 → hit_count 3.
59+
- path: /v1/feeds/update/full
60+
methods: ["GET"]
61+
query_params:
62+
targetFormat: "ECSV1"
63+
request_headers:
64+
x-api-key: "test-token"
65+
responses:
66+
- status_code: 200
67+
headers:
68+
Content-Type:
69+
- "application/x-ndjson"
70+
body: |
71+
{{file "/files/ticura-feed-update.ndjson"}}
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
{"threat": {"indicator": {"id": "aaaa0001-0001-0001-0001-000000000001", "confidence": "High", "description": "Test IPv4 malicious IP.", "first_seen": "2026-05-01T10:00:00Z", "last_seen": "2026-05-28T10:00:00Z", "ip": "192.0.2.10", "marking": {"tlp": "CLEAR", "tlp_version": "2.0"}, "modified_at": "2026-05-28T12:00:00Z", "name": "192.0.2.10", "provider": "Ticura", "type": ["ipv4-addr"]}, "feed": [{"name": "Ticura Curated", "reference": "https://www.ticura.io", "description": "License: n/a"}]}, "event": {"kind": "enrichment", "category": "threat", "type": "indicator", "risk_score": 80}, "ticura": {"indicator": {"uuid": "aaaa0001-0001-0001-0001-000000000001", "main_type": "IPV4", "sub_type": "IPV4", "is_inbound": false, "confidence": 75, "risk": 80, "risk_category": "high", "confidence_category": "high", "ages_out": "2026-06-28T12:00:00Z", "fingerprint": "4210a52f45deada10decb7547d4f5804155ffe7e6ab179d9ce517ec3a849468d"}}, "tags": ["type:Curated"]}
2+
{"threat": {"indicator": {"id": "aaaa0002-0002-0002-0002-000000000002", "confidence": "High", "description": "Test IPv4+Port C2 indicator.", "first_seen": "2026-05-02T10:00:00Z", "last_seen": "2026-05-28T10:00:00Z", "ip": "198.51.100.10", "port": 4444, "marking": {"tlp": "CLEAR", "tlp_version": "2.0"}, "modified_at": "2026-05-28T12:00:00Z", "name": "198.51.100.10:4444", "provider": "Ticura", "type": ["ipv4-addr", "port"]}, "feed": [{"name": "ThreatFox Curated", "reference": "https://threatfox.abuse.ch", "description": "License: n/a"}]}, "event": {"kind": "enrichment", "category": "threat", "type": "indicator", "risk_score": 90}, "ticura": {"indicator": {"uuid": "aaaa0002-0002-0002-0002-000000000002", "main_type": "IPV4", "sub_type": "IPV4PORT", "is_inbound": false, "confidence": 80, "risk": 90, "risk_category": "high", "confidence_category": "high", "ages_out": "2026-06-28T12:00:00Z", "fingerprint": "09ff9ff8dac9539042ebb9c104078a17342155bf1638af75ec233ac628eaed11"}}, "tags": ["C2", "type:Curated"]}
3+
{"threat": {"indicator": {"id": "aaaa0003-0003-0003-0003-000000000003", "confidence": "High", "description": "Test malicious domain.", "first_seen": "2026-05-03T10:00:00Z", "last_seen": "2026-05-28T10:00:00Z", "url": {"domain": "malicious-test-domain.example.com"}, "marking": {"tlp": "CLEAR", "tlp_version": "2.0"}, "modified_at": "2026-05-28T12:00:00Z", "name": "malicious-test-domain.example.com", "provider": "Ticura", "type": ["domain-name"]}, "feed": [{"name": "CIRCL OSINT Feed", "reference": "https://www.circl.lu/doc/misp/feed-osint/", "description": "License: n/a"}], "technique": {"id": ["T1566"], "name": ["Phishing"], "reference": ["https://attack.mitre.org/techniques/T1566"]}}, "event": {"kind": "enrichment", "category": "threat", "type": "indicator", "risk_score": 70}, "ticura": {"indicator": {"uuid": "aaaa0003-0003-0003-0003-000000000003", "main_type": "DOMAIN", "sub_type": "DOMAIN", "is_inbound": false, "confidence": 65, "risk": 70, "risk_category": "high", "confidence_category": "medium", "ages_out": "2026-06-28T12:00:00Z", "technique": {"id": ["T1566"], "name": ["Phishing"], "reference": ["https://attack.mitre.org/techniques/T1566"]}, "additional_info": {"valid_from": "2026-05-03T10:00:00Z", "dns_first_seen": "2025-12-01T10:00:00Z", "dns_last_seen": "2026-05-28T09:00:00Z", "threat_types": ["Phishing"]}, "fingerprint": "5957ed7c69197334d3925cc11d0dd865286f4556686bba14c3651ba22bef8b40"}}, "dns": {"answers": [{"class": "IN", "data": "192.0.2.100", "name": "malicious-test-domain.example.com", "type": "A"}], "question": {"class": "IN", "name": "malicious-test-domain.example.com", "registered_domain": "example.com", "top_level_domain": "com"}, "op_code": "QUERY", "resolved_ip": ["192.0.2.100"], "response_code": "NOERROR", "type": ["query", "answer"]}, "tags": ["Phishing", "type:OSINT"]}
4+
{"threat": {"indicator": {"id": "aaaa0004-0004-0004-0004-000000000004", "confidence": "High", "description": "Test phishing URL.", "first_seen": "2026-05-04T10:00:00Z", "last_seen": "2026-05-28T10:00:00Z", "url": {"full": "http://phishing-test.example.com/steal-creds", "domain": "phishing-test.example.com", "scheme": "http", "path": "/steal-creds", "original": "http://phishing-test.example.com/steal-creds"}, "marking": {"tlp": "AMBER", "tlp_version": "2.0"}, "modified_at": "2026-05-28T12:00:00Z", "name": "http://phishing-test.example.com/steal-creds", "provider": "Ticura", "type": ["url"]}, "feed": [{"name": "URLhaus-Recent Additions", "reference": "https://urlhaus.abuse.ch", "description": "License: n/a"}]}, "event": {"kind": "enrichment", "category": "threat", "type": "indicator", "risk_score": 85}, "ticura": {"indicator": {"uuid": "aaaa0004-0004-0004-0004-000000000004", "main_type": "URL", "sub_type": "IPV4", "is_inbound": false, "confidence": 80, "risk": 85, "risk_category": "high", "confidence_category": "high", "ages_out": "2026-06-28T12:00:00Z", "additional_info": {"valid_from": "2026-05-04T10:00:00Z", "threat_types": ["Phishing"], "online": {"is_online": true, "last_online": "2026-05-28T09:00:00Z"}}, "fingerprint": "482ad3e7483b4e6ea2ac218977d8359e7ebbb20e7fe18110d74439bce4a0fbfe"}}, "tags": ["Phishing", "type:Curated"]}
5+
{"threat": {"indicator": {"id": "aaaa0005-0005-0005-0005-000000000005", "confidence": "High", "description": "Test SHA-256 malware hash.", "first_seen": "2026-04-01T10:00:00Z", "last_seen": "2026-05-28T10:00:00Z", "file": {"hash": {"sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}, "name": "test-malware.exe", "size": 204800}, "marking": {"tlp": "RED", "tlp_version": "2.0"}, "modified_at": "2026-05-28T12:00:00Z", "name": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", "provider": "Ticura", "type": ["file"]}, "feed": [{"name": "MalwareBazaar-Recent Additions", "reference": "https://bazaar.abuse.ch", "description": "License: n/a"}], "technique": {"id": ["T1486"], "name": ["Data Encrypted for Impact"], "reference": ["https://attack.mitre.org/techniques/T1486"]}}, "event": {"kind": "enrichment", "category": "threat", "type": "indicator", "risk_score": 95}, "ticura": {"indicator": {"uuid": "aaaa0005-0005-0005-0005-000000000005", "main_type": "HASH", "sub_type": "HASHSHA256", "is_inbound": false, "confidence": 90, "risk": 95, "risk_category": "critical", "confidence_category": "high", "ages_out": "2026-06-28T12:00:00Z", "technique": {"id": ["T1486"], "name": ["Data Encrypted for Impact"], "reference": ["https://attack.mitre.org/techniques/T1486"]}, "additional_info": {"valid_from": "2026-04-01T10:00:00Z", "malware": {"name": "TestRansomware"}, "threat_types": ["Malware"]}, "fingerprint": "791327782be0c0a61a42367dc4bb8ad1324786987803473377b0536f1790583f"}}, "tags": ["Ransomware", "Malware"]}
6+
{"threat": {"indicator": {"id": "aaaa0006-0006-0006-0006-000000000006", "confidence": "Medium", "description": "Test MD5 trojan dropper hash.", "first_seen": "2026-04-10T10:00:00Z", "last_seen": "2026-05-28T10:00:00Z", "file": {"hash": {"md5": "5d41402abc4b2a76b9719d911017c592"}, "name": "dropper-test.dll"}, "marking": {"tlp": "AMBER", "tlp_version": "2.0"}, "modified_at": "2026-05-28T12:00:00Z", "name": "5d41402abc4b2a76b9719d911017c592", "provider": "Ticura", "type": ["file"]}, "feed": [{"name": "MalwareBazaar-Recent Additions", "reference": "https://bazaar.abuse.ch", "description": "License: n/a"}]}, "event": {"kind": "enrichment", "category": "threat", "type": "indicator", "risk_score": 65}, "ticura": {"indicator": {"uuid": "aaaa0006-0006-0006-0006-000000000006", "main_type": "HASH", "sub_type": "HASHMD5", "is_inbound": false, "confidence": 60, "risk": 65, "risk_category": "high", "confidence_category": "medium", "ages_out": "2026-06-28T12:00:00Z", "additional_info": {"valid_from": "2026-04-10T10:00:00Z", "threat_types": ["Malware"]}, "fingerprint": "321f63206fb7b0512bf61a93b554f68af9ee2d6829a4776207abd10bacd54d4b"}}, "tags": ["Trojan", "Malware"]}
7+
{"threat": {"indicator": {"id": "aaaa0007-0007-0007-0007-000000000007", "confidence": "Medium", "description": "Test malicious IPv6 C2.", "first_seen": "2026-05-05T10:00:00Z", "last_seen": "2026-05-28T10:00:00Z", "ip": "2001:db8::1", "marking": {"tlp": "GREEN", "tlp_version": "2.0"}, "modified_at": "2026-05-28T12:00:00Z", "name": "2001:db8::1", "provider": "Ticura", "type": ["ipv6-addr"]}, "feed": [{"name": "Ticura Curated", "reference": "https://www.ticura.io", "description": "License: n/a"}]}, "event": {"kind": "enrichment", "category": "threat", "type": "indicator", "risk_score": 60}, "ticura": {"indicator": {"uuid": "aaaa0007-0007-0007-0007-000000000007", "main_type": "IPV6", "sub_type": "IPV6", "is_inbound": false, "confidence": 55, "risk": 60, "risk_category": "medium", "confidence_category": "medium", "ages_out": "2026-06-28T12:00:00Z", "fingerprint": "1c07df86dc03e81ded56f2b0e1bf8ae98bc5bece52e0abb7f85ed20618934d26"}}, "tags": ["type:Curated"]}
8+
{"threat": {"indicator": {"id": "aaaa0008-0008-0008-0008-000000000008", "confidence": "High", "description": "APT test indicator with MITRE group.", "first_seen": "2026-05-06T10:00:00Z", "last_seen": "2026-05-28T10:00:00Z", "ip": "192.0.2.20", "marking": {"tlp": "CLEAR", "tlp_version": "2.0"}, "modified_at": "2026-05-28T12:00:00Z", "name": "192.0.2.20", "provider": "Ticura", "type": ["ipv4-addr"]}, "feed": [{"name": "Ticura Curated", "reference": "https://www.ticura.io", "description": "License: n/a"}]}, "event": {"kind": "enrichment", "category": "threat", "type": "indicator", "risk_score": 88}, "ticura": {"indicator": {"uuid": "aaaa0008-0008-0008-0008-000000000008", "main_type": "IPV4", "sub_type": "IPV4", "is_inbound": true, "confidence": 85, "risk": 88, "risk_category": "high", "confidence_category": "high", "ages_out": "2026-06-28T12:00:00Z", "actors": ["TestAPTGroup"], "group": {"id": ["G0001"], "name": ["Test Threat Group"], "reference": ["https://attack.mitre.org/groups/G0001"]}, "additional_info": {"valid_from": "2026-05-06T10:00:00Z", "actors": ["TestAPTGroup"], "threat_types": ["Command and Control Server"]}, "fingerprint": "ab9130f26a4ea6cd89b5ffc93ac6088a1cddaeec4bac773e214fbb2ece4e836d"}}, "tags": ["APT", "type:Curated"]}
9+
{"threat": {"indicator": {"id": "aaaa0009-0009-0009-0009-000000000009", "confidence": "High", "description": "Sinkholed malicious domain.", "first_seen": "2026-04-15T10:00:00Z", "last_seen": "2026-05-28T10:00:00Z", "url": {"domain": "sinkholed-test.example.com"}, "marking": {"tlp": "CLEAR", "tlp_version": "2.0"}, "modified_at": "2026-05-28T12:00:00Z", "name": "sinkholed-test.example.com", "provider": "Ticura", "type": ["domain-name"]}, "feed": [{"name": "CIRCL OSINT Feed", "reference": "https://www.circl.lu/doc/misp/feed-osint/", "description": "License: n/a"}]}, "event": {"kind": "enrichment", "category": "threat", "type": "indicator", "risk_score": 50}, "ticura": {"indicator": {"uuid": "aaaa0009-0009-0009-0009-000000000009", "main_type": "DOMAIN", "sub_type": "DOMAIN", "is_inbound": false, "confidence": 50, "risk": 50, "risk_category": "medium", "confidence_category": "medium", "ages_out": "2026-06-28T12:00:00Z", "additional_info": {"valid_from": "2026-04-15T10:00:00Z", "sinkhole": {"owner": "TestSinkhole"}}, "fingerprint": "d7faaf800cf15e38e21b637447ca7a0964a5b06a212a0d41580fbe5b853bbeb9"}}, "tags": ["type:OSINT"]}
10+
{"threat": {"indicator": {"id": "aaaa000a-000a-000a-000a-00000000000a", "confidence": "High", "description": "Critical-risk C2 test indicator.", "first_seen": "2026-05-10T10:00:00Z", "last_seen": "2026-05-28T10:00:00Z", "ip": "203.0.113.10", "marking": {"tlp": "RED", "tlp_version": "2.0"}, "modified_at": "2026-05-28T12:00:00Z", "name": "203.0.113.10", "provider": "Ticura", "type": ["ipv4-addr"]}, "feed": [{"name": "ThreatFox Curated", "reference": "https://threatfox.abuse.ch", "description": "License: n/a"}], "technique": {"id": ["T1071"], "name": ["Application Layer Protocol"], "reference": ["https://attack.mitre.org/techniques/T1071"]}}, "event": {"kind": "enrichment", "category": "threat", "type": "indicator", "risk_score": 100}, "ticura": {"indicator": {"uuid": "aaaa000a-000a-000a-000a-00000000000a", "main_type": "IPV4", "sub_type": "IPV4", "is_inbound": false, "confidence": 95, "risk": 100, "risk_category": "critical", "confidence_category": "high", "ages_out": "2026-06-28T12:00:00Z", "technique": {"id": ["T1071"], "name": ["Application Layer Protocol"], "reference": ["https://attack.mitre.org/techniques/T1071"]}, "industries": ["Finance", "Government"], "countries": ["RU", "CN"], "additional_info": {"valid_from": "2026-05-10T10:00:00Z", "threat_types": ["Command and Control Server"], "countries": ["RU"], "industries": ["Finance"]}, "fingerprint": "506563e3688a83070c7daa448ee6f41b4a6f470279adfe2777fa62765cfb69a6"}}, "tags": ["C2", "type:Curated"]}
11+
{"threat": {"indicator": {"id": "aaaa000e-000e-000e-000e-00000000000e", "confidence": "Low", "description": "Already-expired test indicator.", "first_seen": "2025-01-01T00:00:00Z", "last_seen": "2026-01-15T00:00:00Z", "ip": "192.0.2.99", "marking": {"tlp": "CLEAR", "tlp_version": "2.0"}, "modified_at": "2026-01-15T00:00:00Z", "name": "192.0.2.99", "provider": "Ticura", "type": ["ipv4-addr"]}, "feed": [{"name": "Ticura Curated", "reference": "https://www.ticura.io", "description": "License: n/a"}]}, "event": {"kind": "enrichment", "category": "threat", "type": "indicator", "risk_score": 20}, "ticura": {"indicator": {"uuid": "aaaa000e-000e-000e-000e-00000000000e", "main_type": "IPV4", "sub_type": "IPV4", "is_inbound": false, "confidence": 20, "risk": 20, "risk_category": "low", "confidence_category": "low", "ages_out": "2026-01-16T00:00:00Z", "fingerprint": "d569fbaaf82d7c34a0ae8f2a6b9dc14c4c254184345dc7f21ee4ba79036dff96"}}, "tags": ["type:Curated"]}

0 commit comments

Comments
 (0)