[ti_flashpoint][alert] Add Flashpoint Alert data stream

.github/CODEOWNERS

@@ -474,6 +474,7 @@
 /packages/ti_domaintools @elastic/security-service-integrations
 /packages/ti_eclecticiq @elastic/security-service-integrations
 /packages/ti_eset @elastic/security-service-integrations
+/packages/ti_flashpoint @elastic/security-service-integrations
 /packages/ti_google_threat_intelligence @elastic/security-service-integrations
 /packages/ti_greynoise @elastic/security-service-integrations
 /packages/ti_maltiverse @elastic/security-service-integrations

packages/ti_flashpoint/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: [email protected]

packages/ti_flashpoint/_dev/build/docs/README.md

@@ -0,0 +1,109 @@
+# Flashpoint Integration for Elastic
+
+## Overview
+
+[Flashpoint](https://flashpoint.io/) is a comprehensive threat intelligence platform that delivers actionable insights from dark web, deep web, and technical sources. It combines human-curated intelligence with automated collection to help organizations identify emerging threats, monitor adversary activity, and assess cyber risk with enriched context.
+
+The Flashpoint integration for Elastic collects alerts from the **Flashpoint Ignite API** and visualizes them in Kibana.
+
+### Compatibility
+
+The Flashpoint integration is compatible with Ignite API version **1.2**.
+
+### How it works
+
+This integration periodically queries the Flashpoint Ignite API to retrieve logs.
+
+## What data does this integration collect?
+
+This integration collects log messages of the following type:
+
+- `Alert`: Collects `alert` logs from the Flashpoint Ignite API (endpoint: `/alert-management/v1/notifications`),
+
+### Supported use cases
+
+Integrating Flashpoint with Elastic SIEM provides centralized visibility into threat intelligence alerts. Kibana dashboards present key metrics such as `Total Alerts`, along with visualizations showing `Alerts by Data Type`, `Source`, and `Origin`.
+
+`Alert Trends over Time`, `Top Authors`, `MIME Types`, `Alert Sources`, and `Geographic Distribution` of related resources help analysts quickly monitor activity and investigate alerts. These insights support efficient threat monitoring and analysis workflows.
+
+## What do I need to use this integration?
+
+### From Flashpoint
+
+To collect data through the Flashpoint Ignite API, you need to provide an **API Token**. Authentication is handled using the **API Token**, which serves as the required credential.
+
+#### Retrieve an API Token:
+
+1. Log in to the **Flashpoint** Instance.
+2. Click on your profile icon in the top-right corner and select **Manage API Tokens**.
+3. Click **Generate Token**.
+4. Enter a name for the API token and click **Generate Token**.
+5. Copy and securely store the generated API token for use in the integration configuration.
+
+## How do I deploy this integration?
+
+This integration supports both Elastic Agentless-based and Agent-based installations.
+
+### Agentless-based installation
+
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
+### Agent-based installation
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+
+### configure
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **Flashpoint**.
+3. Select the **Flashpoint** integration from the search results.
+4. Select **Add Flashpoint** to add the integration.
+5. Enable and configure only the collection methods which you will use.
+
+    * To **Collect logs from Flashpoint API**, you'll need to:
+
+        - Configure **API Token**.
+        - Adjust the integration configuration parameters if required, including the **Initial Interval**, **Interval**, **Page Size** etc. to enable data collection.
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Dashboard populated
+
+1. In the top search bar in Kibana, search for **Dashboards**.
+2. In the search bar, type **Flashpoint**, and verify the dashboard information is populated.
+
+## Performance and scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### ECS field reference
+
+#### Alert
+
+{{fields "alert"}}
+
+### Example event
+
+#### Alert
+
+{{event "alert"}}
+
+
+### Inputs used
+
+These input is used in the integration:
+
+- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel)
+
+### API usage
+
+This integration dataset uses the following API:
+
+* List Alerts (endpoint: `/alert-management/v1/notifications`)|

packages/ti_flashpoint/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '3.8'
+services:
+  ti_flashpoint:
+    image: docker.elastic.co/observability/stream:v0.20.0
+    hostname: ti_flashpoint
+    ports:
+      - 8090
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8090'
+    command:
+      - http-server
+      - --addr=:8090
+      - --config=/files/config.yml