
Add Speculus Threat Intelligence integration#19892

Closed
speculusmarc wants to merge 1 commit into elastic:main from SpeculusDevelopers:add-speculus-taxii-integration

Conversation

@speculusmarc

Summary

Adds ti_speculus_taxii, a CEL-input integration that collects STIX 2.1 threat intelligence indicators from the Speculus TAXII 2.1 server and maps them to ECS threat.indicator.* fields.

  • Single-collection CEL poller with Bearer-token auth and added_after/next-cursor incremental sync
  • Ingest pipeline maps STIX fields to ECS, with the remaining STIX and x_speculus_* extension properties (geo, ASN/ISP, risk score, activity, attribution, proxy/Tor/datacenter/blacklist classification) namespaced under ti_speculus_taxii.stix.*
  • Kibana dashboard: indicator KPIs, risk/activity/country breakdowns, an indicators-over-time chart, and top-organizations/classifications tables
  • Speculus is an Elastic Technology Partner; owner.type: partner

Test plan

  • elastic-package check (lint + build) passes
  • elastic-package test pipeline passes against representative Speculus indicator fixtures
  • elastic-package test static / test asset pass
  • elastic-package test system passes against a self-contained mocked TAXII server fixture (_dev/deploy/docker/) — no live-server dependency, so CI doesn't depend on Speculus's production infrastructure
  • Manually validated end-to-end against the real production feed (370K+ real indicators ingested via a live Fleet policy during development)

Adds ti_speculus_taxii, a CEL-input TAXII 2.1 integration that collects
STIX 2.1 threat intelligence indicators from the Speculus feed, maps
them to ECS threat.indicator.* fields, and namespaces the remaining
STIX and Speculus extension properties under ti_speculus_taxii.stix.*.

Validated end-to-end: pipeline, static, asset, and system tests pass
against a self-contained mocked TAXII fixture (no live-server
dependency in CI), plus manual confirmation against the real production
feed. Includes a Kibana dashboard with indicator KPIs, risk/activity
breakdowns, a geo/country view, and an indicators-over-time chart.
@speculusmarc speculusmarc requested a review from a team as a code owner June 30, 2026 18:32
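Added example, not code from this PR or from Speculus: a Python sketch of the two pieces the description above outlines, the added_after/next-cursor incremental poll against a TAXII 2.1 collection and the STIX 2.1 indicator to ECS threat.indicator.* mapping with the leftover properties namespaced under ti_speculus_taxii.stix.*. The integration itself does this in a CEL program plus an ingest pipeline; here a constructed in-memory mock stands in for the TAXII server, the sample indicators are made up (documentation IP ranges and example domains), and x_speculus_risk_score is a hypothetical stand-in for the real x_speculus_* extension field names, which the PR does not list.

```python
"""Added example (not the PR's code): TAXII 2.1 added_after/next-cursor polling
feeding a STIX 2.1 indicator -> ECS threat.indicator.* mapper, on a mocked server."""
import re

# Single-comparison STIX pattern, e.g. [ipv4-addr:value = '203.0.113.10']
PATTERN_RE = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'\]$")
# (STIX object type, property) -> (ECS threat.indicator.type, ECS value field)
STIX_TO_ECS = {
    ("ipv4-addr", "value"): ("ipv4-addr", "threat.indicator.ip"),
    ("ipv6-addr", "value"): ("ipv6-addr", "threat.indicator.ip"),
    ("domain-name", "value"): ("domain-name", "threat.indicator.url.domain"),
    ("url", "value"): ("url", "threat.indicator.url.full"),
    ("file", "hashes.'SHA-256'"): ("file", "threat.indicator.file.hash.sha256"),
}
MAPPED = {"pattern", "valid_from", "modified", "confidence"}  # consumed by ECS fields

def confidence_label(value):
    """STIX 0-100 confidence -> ECS keyword on the STIX 2.1 None/Low/Med/High scale."""
    if value is None:
        return "Not Specified"
    if value == 0:
        return "None"
    return "Low" if value <= 29 else "Medium" if value <= 69 else "High"

def to_ecs(obj):
    """Flat ECS keys for one indicator; remaining STIX and x_speculus_* properties
    are namespaced under ti_speculus_taxii.stix.* as the PR description says."""
    m = PATTERN_RE.match(obj.get("pattern", ""))
    if not m or (m[1], m[2]) not in STIX_TO_ECS:
        raise ValueError(f"unsupported pattern: {obj.get('pattern')!r}")
    ecs_type, value_field = STIX_TO_ECS[(m[1], m[2])]
    doc = {
        "threat.indicator.type": ecs_type,
        value_field: m[3],
        "threat.indicator.first_seen": obj.get("valid_from"),
        "threat.indicator.modified_at": obj.get("modified"),
        "threat.indicator.confidence": confidence_label(obj.get("confidence")),
    }
    for key, value in obj.items():
        if key not in MAPPED:
            doc[f"ti_speculus_taxii.stix.{key}"] = value
    return doc

class MockTaxiiServer:
    """Constructed stand-in for GET /collections/{id}/objects/ with the added_after
    filter and next paging; records are (date_added, stix_object) tuples."""
    def __init__(self, records, page_size=2):
        self.records = sorted(records, key=lambda r: r[0])
        self.page_size = page_size

    def get_objects(self, added_after=None, next_cursor=None):
        rows = [r for r in self.records if added_after is None or r[0] > added_after]
        start = int(next_cursor or 0)  # a real server hands back an opaque cursor
        page = rows[start:start + self.page_size]
        more = start + self.page_size < len(rows)
        envelope = {"objects": [obj for _, obj in page], "more": more}
        if more:
            envelope["next"] = str(start + self.page_size)
        headers = {"X-TAXII-Date-Added-Last": page[-1][0]} if page else {}
        return envelope, headers

def sync(server, state):
    """One poll cycle: follow next cursors to the end of the result set, then
    advance added_after so the next cycle fetches only newer objects."""
    docs = []
    while True:
        env, headers = server.get_objects(state.get("added_after"), state.get("next"))
        docs.extend(to_ecs(obj) for obj in env["objects"])
        if env["more"]:
            state["next"] = env["next"]  # keep added_after, request the next page
            continue
        state["next"] = None
        if "X-TAXII-Date-Added-Last" in headers:
            state["added_after"] = headers["X-TAXII-Date-Added-Last"]
        return docs

def indicator(n, pattern, added, **extra):
    """Constructed sample STIX 2.1 indicator; x_speculus_* keys are hypothetical."""
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}", "created": added,
            "modified": added, "valid_from": added, "pattern": pattern, **extra}

def demo():
    """Two poll cycles: a full sync over two pages, then an incremental one."""
    server = MockTaxiiServer([
        ("2026-06-01T00:00:00Z", indicator(1, "[ipv4-addr:value = '203.0.113.10']",
            "2026-06-01T00:00:00Z", confidence=85, x_speculus_risk_score=92)),
        ("2026-06-01T00:00:01Z", indicator(2, "[domain-name:value = 'bad.example']",
            "2026-06-01T00:00:01Z", confidence=40)),
        ("2026-06-02T00:00:00Z", indicator(3, "[file:hashes.'SHA-256' = '%s']" % ("a" * 64),
            "2026-06-02T00:00:00Z")),
    ])
    state = {}
    first = sync(server, state)
    server.records.append(("2026-06-03T00:00:00Z", indicator(
        4, "[url:value = 'http://bad.example/x']", "2026-06-03T00:00:00Z", confidence=0)))
    second = sync(server, state)
    return first, second, state

if __name__ == "__main__":
    first, second, state = demo()
    print(len(first), len(second), state)
```

The point of keeping `state` outside `sync` is the same reason the CEL input persists its cursor: a restart resumes from the last `X-TAXII-Date-Added-Last` instead of re-ingesting the whole feed, and a page cursor is only reused while `added_after` is unchanged. Note that TAXII's `added_after` filters on the server's date-added, not on the object's `modified`, so an indicator republished with a new `modified` value only reappears if the server re-adds it to the collection.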
@cla-checker-service

❌ Author of the following commits did not sign a Contributor Agreement:
26a865e

Please read and sign the above-mentioned agreement if you want to contribute to this project.

@elastic-vault-github-plugin-prod

Reviewers

Buildkite won't run for external contributors automatically; you need to add a comment:

  • /test : will kick off a build in Buildkite.

NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details.
