[ti_anomali] Rebrand Integration Name and Normalize Event Severity #17442

Open

mohitjha-elastic wants to merge 2 commits into elastic:main from mohitjha-elastic:ti_anomali-2.4.0

Conversation

@mohitjha-elastic (Collaborator)

Proposed commit message

ti_anomali: Rebrand to Anomali ThreatStream and normalize event.severity ECS.

Rebranded the integration to Anomali ThreatStream as a superficial update with no 
impact on existing functionality or data flow. Additionally, normalized the event.severity 
values to align with the latest guidelines and updated the documentation to 
incorporate best practices.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install the elastic package locally.
  • Start the elastic stack using the elastic package.
  • Move to integrations/packages/ti_anomali directory.
  • Run the following command to run tests.

elastic-package test -v

Related Issues

@mohitjha-elastic mohitjha-elastic self-assigned this Feb 17, 2026
@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner February 17, 2026 18:32
@mohitjha-elastic mohitjha-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:ti_anomali Anomali Category: Integration quality Category: Quality used for SI planning Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Feb 17, 2026
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@github-actions (Contributor)

Vale Linting Results

Summary: 8 warnings, 4 suggestions found

⚠️ Warnings (8)

| File | Line | Rule | Message |
|------|------|------|---------|
| packages/ti_anomali/_dev/build/docs/README.md | 42 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
| packages/ti_anomali/_dev/build/docs/README.md | 45 | Elastic.DontUse | Don't use 'Please'. |
| packages/ti_anomali/_dev/build/docs/README.md | 118 | Elastic.DontUse | Don't use 'Very'. |
| packages/ti_anomali/docs/README.md | 42 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
| packages/ti_anomali/docs/README.md | 45 | Elastic.DontUse | Don't use 'Please'. |
| packages/ti_anomali/docs/README.md | 118 | Elastic.DontUse | Don't use 'Very'. |
| packages/ti_anomali/docs/README.md | 168 | Elastic.DontUse | Don't use 'very'. |
| packages/ti_anomali/docs/README.md | 217 | Elastic.DontUse | Don't use 'very'. |

💡 Suggestions (4)

| File | Line | Rule | Message |
|------|------|------|---------|
| packages/ti_anomali/_dev/build/docs/README.md | 95 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/ti_anomali/_dev/build/docs/README.md | 95 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/ti_anomali/docs/README.md | 95 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/ti_anomali/docs/README.md | 95 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@mohitjha-elastic (Collaborator, Author)

The dashboard screenshots will be updated in a subsequent PR under the separate dashboard improvement ticket that is currently in progress.

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

Package ti_anomali 👍(1) 💚(0) 💔(1)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|-------------|--------------|---------|----------|--------|
| intelligence | 6944.44 | 5524.86 | -1419.58 (-20.44%) | 💔 |

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @mohitjha-elastic

@andrewkroh andrewkroh added the dashboard Relates to a Kibana dashboard bug, enhancement, or modification. label Feb 17, 2026
@efd6 (Contributor) left a comment

I think it's worth referencing #12662 somewhere (maybe just in the PR description) since that's the source of the decision to use the severity scale that's used here.

Comment on lines +164 to +165
- [http_endpoint](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-http_endpoint)
- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel)

Suggested change
- [http_endpoint](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-http_endpoint)
- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel)
- [HTTP Endpoint](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-http_endpoint)
- [CEL](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel)


### Validation

#### Dashboards populated

@alaudazzi Can you offer suggestions for this heading and the one below?


## Requirements
The Anomali ThreatStream integration is compatible with Anomali ThreatStream REST API V2.This integration also supports Anomali ThreatStream Elastic Extension. But it is **DEPRECATED** and not recommended to use.

Suggested change
The Anomali ThreatStream integration is compatible with Anomali ThreatStream REST API V2.This integration also supports Anomali ThreatStream Elastic Extension. But it is **DEPRECATED** and not recommended to use.
The Anomali ThreatStream integration is compatible with Anomali ThreatStream REST API V2. This integration also supports Anomali ThreatStream Elastic Extension. But it is **DEPRECATED** and not recommended to use.

- Anomali ThreatStream username
- Anomali ThreatStream API key

#### DEPRECATED: Collect data from Anomali ThreatStream via the Elastic Extension

Please include suggestions from Vale Linting Results comment

Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.

## Setup
**NOTE:** The Anomali ThreatStream API's intelligence endpoint is the preferred source of indicators. This data will be accessible using the alias `logs-ti_anomali_latest.intelligence`.

Although this note is useful, it doesn't fit under the Setup section. Can you move it into How it works?

Comment on lines +122 to +128
| Anomali `severity` | Severity Name |
| -------------------|---------------|
| 0 - 19 | info |
| 20 - 39 | low |
| 40 - 59 | medium |
| 60 - 79 | high |
| 80 - 100 | critical |
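Review bot: the bands in this table are contiguous integer ranges that stop at 100, but the surrounding README text does not say how a missing `severity`, a non-integer value such as 19.5, or a value above 100 is mapped; state the fallback (whether Severity Name is left unset or clamped) so consumers of `logs-ti_anomali_latest.intelligence` know what to expect for out-of-range input.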

Is another column with event.severity applicable here, because we derived Severity Name and can add event.severity?


This source of indicators is deprecated. New users should instead use the API source above. This source requires additional software, the _Elastic_ _Extension,_ to connect Anomali ThreatStream to this integration. It's available on the [ThreatStream download page](https://ui.threatstream.com/downloads).

Let's add that it is deprecated here as well, so users don't overlook it.

@@ -1,5 +1,17 @@
{
"attributes": {
"controlGroupInput": {
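Review bot: the hunk header `@@ -1,5 +1,17 @@` shows twelve lines added under `controlGroupInput` in this dashboard saved object, yet neither the proposed commit message nor the PR description mentions a dashboard change; describe the control-group change in the commit message and the changelog entry so the "no impact on existing functionality" claim can be checked against what actually changed.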

Regarding this comment and the current updates here: what are the changes to dashboards here?

@@ -50,11 +50,11 @@ policy_templates:
team: security-service-integrations
inputs:
- type: cel
title: "Anomali ThreatStream API"
description: Retrieves indicators from the intelligence endpoint of the Anomali ThreatStream API
title: Collect Anomali events via the Anomali ThreatStream API

Suggested change
title: Collect Anomali events via the Anomali ThreatStream API
title: Collect Anomali threat indicators using the Anomali ThreatStream API

Use using instead of via. See Vale linting comment

- type: http_endpoint
title: "DEPRECATED: Anomali ThreatStream via the Elastic Extension software"
description: Receives Anomali ThreatStream indicators from the Elastic Extension, which is additional software
title: DEPRECATED - Collect Anomali events from ThreatStream via the Elastic Extension software
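Review bot: both policy template titles in this hunk (`Collect Anomali events via the Anomali ThreatStream API` and `DEPRECATED - Collect Anomali events from ThreatStream via the Elastic Extension software`) say "events", while the input descriptions beside them say "indicators" (`Retrieves indicators from the intelligence endpoint` and `Receives Anomali ThreatStream indicators`); pick one term for both, and replace "via" with "using" in both titles to match the Elastic.Latinisms rule the Vale run flagged on the README.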

Suggested change
title: DEPRECATED - Collect Anomali events from ThreatStream via the Elastic Extension software
title: DEPRECATED - Collect Anomali threat indicators from ThreatStream via the Elastic Extension software


Development

Successfully merging this pull request may close these issues:

  • ti_anomali: Normalise event.severity handling
  • ti_anomali: Rebrand and other UI improvements
  • ti_anomali: Update documentation per new template