[ti_anomali] Rebrand Integration Name and Normalize Event Severity

[mohitjha-elastic]

Proposed commit message

ti_anomali: Rebrand to Anomali ThreatStream and normalize event.severity ECS.

Rebranded the integration to Anomali ThreatStream as a superficial update with no 
impact on existing functionality or data flow. Additionally, normalized the event.severity 
values to align with the latest guidelines and updated the documentation to 
incorporate best practices.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

• Clone integrations repo.
• Install the elastic package locally.
• Start the elastic stack using the elastic package.
• Move to integrations/packages/ti_anomali directory.
• Run the following command to run tests.

elastic-package test -v

Related Issues

• Closes ti_anomali: Update documentation per new template #17070
• Closes ti_anomali: Rebrand and other UI improvements #17072
• Closes ti_anomali: Normalise event.severity handling #17119

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[github-actions]

Vale Linting Results

Summary: 8 warnings, 4 suggestions found

⚠️ Warnings (8)

File	Line	Rule	Message
packages/ti_anomali/_dev/build/docs/README.md	42	Elastic.Latinisms	Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'.
packages/ti_anomali/_dev/build/docs/README.md	45	Elastic.DontUse	Don't use 'Please'.
packages/ti_anomali/_dev/build/docs/README.md	118	Elastic.DontUse	Don't use 'Very'.
packages/ti_anomali/docs/README.md	42	Elastic.Latinisms	Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'.
packages/ti_anomali/docs/README.md	45	Elastic.DontUse	Don't use 'Please'.
packages/ti_anomali/docs/README.md	118	Elastic.DontUse	Don't use 'Very'.
packages/ti_anomali/docs/README.md	168	Elastic.DontUse	Don't use 'very'.
packages/ti_anomali/docs/README.md	217	Elastic.DontUse	Don't use 'very'.

💡 Suggestions (4)

File	Line	Rule	Message
packages/ti_anomali/_dev/build/docs/README.md	95	Elastic.WordChoice	Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/ti_anomali/_dev/build/docs/README.md	95	Elastic.WordChoice	Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/ti_anomali/docs/README.md	95	Elastic.WordChoice	Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/ti_anomali/docs/README.md	95	Elastic.WordChoice	Consider using 'can, might' instead of 'may', unless the term is in the UI.

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

[mohitjha-elastic]

The dashboard screenshots will be updated in a subsequent PR under the separate dashboard improvement ticket that is currently in progress.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

Package ti_anomali 👍(1) 💚(0) 💔(1)

Expand to view

Data stream	Previous EPS	New EPS	Diff (%)	Result
intelligence	6944.44	5524.86	-1419.58 (-20.44%)	💔

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 14a14f3

cc @mohitjha-elastic

[efd6]

I think it's worth referencing #12662 somewhere (maybe just in the PR description) since that's the source of the decision to use the severity scale that's used here.

[efd6]

Suggested change

	- [http_endpoint](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-http_endpoint)
	- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel)
	- [HTTP Endpoint](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-http_endpoint)
	- [CEL](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel)

[efd6]

@alaudazzi Can you offer suggestions for this heading and the one below?

[kcreddy]

Suggested change

	The Anomali ThreatStream integration is compatible with Anomali ThreatStream REST API V2.This integration also supports Anomali ThreatStream Elastic Extension. But it is **DEPRECATED** and not recommended to use.
	The Anomali ThreatStream integration is compatible with Anomali ThreatStream REST API V2. This integration also supports Anomali ThreatStream Elastic Extension. But it is **DEPRECATED** and not recommended to use.

[kcreddy]

Please include suggestions from Vale Linting Results comment

[kcreddy]

Although this note is useful, it doesn't fit under Setup section. Can you move into How it works

[kcreddy]

Another column with event.severity here is applicable because we derived Severity Name and can add event.severity?

[kcreddy]

Lets add that it is deprecated here as well. So users don't overlook.

[kcreddy]

Regarding this comment and the current updates here: what are the changes to dashboards here?

[kcreddy]

Suggested change

	title: Collect Anomali events via the Anomali ThreatStream API
	title: Collect Anomali threat indicators using the Anomali ThreatStream API

Use using instead of via. See Vale linting comment

[kcreddy]

Suggested change

	title: DEPRECATED - Collect Anomali events from ThreatStream via the Elastic Extension software
	title: DEPRECATED - Collect Anomali threat indicators from ThreatStream via the Elastic Extension software