diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 999646eac74..ccbb59ed666 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -474,6 +474,7 @@ /packages/ti_domaintools @elastic/security-service-integrations /packages/ti_eclecticiq @elastic/security-service-integrations /packages/ti_eset @elastic/security-service-integrations +/packages/ti_flashpoint @elastic/security-service-integrations /packages/ti_google_threat_intelligence @elastic/security-service-integrations /packages/ti_greynoise @elastic/security-service-integrations /packages/ti_maltiverse @elastic/security-service-integrations diff --git a/packages/ti_flashpoint/_dev/build/build.yml b/packages/ti_flashpoint/_dev/build/build.yml new file mode 100644 index 00000000000..b2596b96490 --- /dev/null +++ b/packages/ti_flashpoint/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v9.2.0 diff --git a/packages/ti_flashpoint/_dev/build/docs/README.md b/packages/ti_flashpoint/_dev/build/docs/README.md new file mode 100644 index 00000000000..1533d96a4eb --- /dev/null +++ b/packages/ti_flashpoint/_dev/build/docs/README.md 
@@ -0,0 +1,121 @@ +# Flashpoint Integration for Elastic + +## Overview + +[Flashpoint](https://flashpoint.io/) is a comprehensive threat intelligence platform that delivers actionable insights from dark web, deep web, and technical sources. It combines human-curated intelligence with automated collection to help organizations identify emerging threats, monitor adversary activity, and assess cyber risk with enriched context. + +The Flashpoint integration for Elastic collects security indicators from the **Flashpoint Ignite API** and visualizes them in Kibana. + +### Compatibility + +The Flashpoint integration is compatible with Ignite API version **1.2**. + +### How it works + +This integration periodically queries the Flashpoint Ignite API to retrieve logs. + +## What data does this integration collect? + +This integration collects log messages of the following type: + +- `Indicator`: Collects `indicator` logs from the Flashpoint Ignite API (endpoint: `/technical-intelligence/v2/indicators`), + +### Supported use cases + +Integrating Flashpoint Indicators with Elastic SIEM provides centralized visibility into threat intelligence indicators and their associated sightings. Kibana dashboards highlight key metrics such as `Total Indicators` and `Total Indicator Sightings`, enabling quick assessment of indicator volume and activity. + +Visualizations present indicators categorized by `Type` and `Score Tier` through pie charts. Tables surface `Top MITRE Tactics`, `Top Sighting Sources`, and `Top Platform URLs`, supporting deeper investigation and context. A control panel allows interactive filtering to efficiently analyze indicators across multiple dimensions. + +## What do I need to use this integration? + +### From Elastic + +This integration installs [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). 
For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements. + +### From Flashpoint + +To collect data through the Flashpoint Ignite API, you need to provide an **API Token**. Authentication is handled using the **API Token**, which serves as the required credential. + +#### Retrieve an API Token: + +1. Log in to the **Flashpoint** Instance. +2. Click on your profile icon in the top-right corner and select **Manage API Tokens**. +3. Click **Generate Token**. +4. Enter a name for the API token and click **Generate Token**. +5. Copy and securely store the generated API token for use in the integration configuration. + +## How do I deploy this integration? + +This integration supports both Elastic Agentless-based and Agent-based installations. + +### Agentless-based installation + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +### Agent-based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + + +### configure + +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **Flashpoint**. +3. 
Select the **Flashpoint** integration from the search results. +4. Select **Add Flashpoint** to add the integration. +5. Enable and configure only the collection methods which you will use. + + * To **Collect logs from Flashpoint API**, you'll need to: + + - Configure **API Token**. + - Adjust the integration configuration parameters if required, including the **Initial Interval**, **Interval**, **Page Size** etc. to enable data collection. + +6. Select **Save and continue** to save the integration. + +### Validation + +#### Dashboard populated + +1. In the top search bar in Kibana, search for **Dashboards**. +2. In the search bar, type **Flashpoint**, and verify the dashboard information is populated. + +#### Transforms healthy + +1. In the top search bar in Kibana, search for **Transforms**. +2. Select the **Data / Transforms** from the search results. +3. In the search bar, type **ti_flashpoint**. +4. All transforms from the search results should indicate **Healthy** under the **Health** column. + +## Performance and scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +## Reference + +### ECS field reference + +#### Indicator + +{{fields "indicator"}} + +### Example event + +#### Indicator + +{{event "indicator"}} + + +### Inputs used + +These input is used in the integration: + +- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel) + + +### API usage + +This integration dataset uses the following API: + +* List Indicators (endpoint: `/technical-intelligence/v2/indicators`) diff --git a/packages/ti_flashpoint/_dev/deploy/docker/docker-compose.yml b/packages/ti_flashpoint/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..13f0d327c6a --- /dev/null +++ b/packages/ti_flashpoint/_dev/deploy/docker/docker-compose.yml 
@@ -0,0 +1,15 @@ +version: '3.8' +services: + ti_flashpoint: + image: docker.elastic.co/observability/stream:v0.20.0 + hostname: ti_flashpoint + ports: + - 8090 + volumes: + - ./files:/files:ro + environment: + PORT: '8090' + command: + - http-server + - --addr=:8090 + - --config=/files/config.yml diff --git a/packages/ti_flashpoint/_dev/deploy/docker/files/config.yml b/packages/ti_flashpoint/_dev/deploy/docker/files/config.yml new file mode 100644 index 00000000000..913b00e473c --- /dev/null +++ b/packages/ti_flashpoint/_dev/deploy/docker/files/config.yml 
@@ -0,0 +1,384 @@ +rules: + - path: /technical-intelligence/v2/indicators + methods: ['GET'] + query_params: + size: "2" + modified_after: "{modified_after:.*}" + from: "2" + request_headers: + Authorization: "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + { + "items": [ + { + "id": "5YFE1T4tW--r8H4ARmgDfQ", + "type": "domain", + "value": "ns8.softline.top", + "href": "https://api.flashpoint.io/technical-intelligence/v2/indicators/5YFE1T4tW--r8H4ARmgDfQ", + "entity_type": "indicator", + "score": { + "value": "malicious", + "last_scored_at": "2025-07-30T07:26:25.981000Z" + }, + "modified_at": "2025-12-23T11:18:12.238000Z", + "created_at": "2024-01-01T00:00:00Z", + "last_seen_at": "2025-12-23T11:12:06.372000Z", + "sort_date": "2025-12-23T11:12:06.372000Z", + "platform_urls": { + "ignite": "https://app.flashpoint.io/cti/malware/iocs/5YFE1T4tW--r8H4ARmgDfQ" + }, + "sightings": [ + { + "id": "BqIOrT8HWaib7Cc-hOcoAA", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/BqIOrT8HWaib7Cc-hOcoAA", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:41:44.231000Z", + "tags": [ + "beacontype:hybrid http dns", + "extracted_config:true", + "httpposturi:/n4215/adj/amzn.us.sr.aps", + "malware:cobaltstrike", + "source:flashpoint_extraction", + "type:backdoor" + ], + "description": "Observation: cobaltstrike [2025-12-23T10:41:44.231Z]" + } + ], + "latest_sighting": { + "id": "BqIOrT8HWaib7Cc-hOcoAA", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/BqIOrT8HWaib7Cc-hOcoAA", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:41:44.231000Z", + "tags": [ + "beacontype:hybrid http dns", + "extracted_config:true", + "httpposturi:/n4215/adj/amzn.us.sr.aps", + "malware:cobaltstrike", + "source:flashpoint_extraction", + "type:backdoor" + ], + "description": "Observation: cobaltstrike [2025-12-23T10:41:44.231Z]" + }, + "total_sightings": 229903 + }, + { 
+ "id": "pa1nUaXoVtuzyGb3HWKaBQ", + "type": "domain", + "value": "ns9.softline.top", + "href": "https://api.flashpoint.io/technical-intelligence/v2/indicators/pa1nUaXoVtuzyGb3HWKaBQ", + "entity_type": "indicator", + "score": { + "value": "malicious", + "last_scored_at": "2025-07-30T07:26:35.100000Z" + }, + "modified_at": "2025-12-23T11:18:16.650000Z", + "created_at": "2024-01-01T00:00:00Z", + "last_seen_at": "2025-12-23T11:12:06.372000Z", + "sort_date": "2025-12-23T11:12:06.372000Z", + "platform_urls": { + "ignite": "https://app.flashpoint.io/cti/malware/iocs/pa1nUaXoVtuzyGb3HWKaBQ" + }, + "sightings": [ + { + "id": "BqIOrT8HWaib7Cc-hOcoAA", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/BqIOrT8HWaib7Cc-hOcoAA", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:41:44.231000Z", + "tags": [ + "beacontype:hybrid http dns", + "extracted_config:true", + "httpposturi:/n4215/adj/amzn.us.sr.aps", + "malware:cobaltstrike", + "source:flashpoint_extraction", + "type:backdoor" + ], + "description": "Observation: cobaltstrike [2025-12-23T10:41:44.231Z]" + } + ], + "latest_sighting": { + "id": "BqIOrT8HWaib7Cc-hOcoAA", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/BqIOrT8HWaib7Cc-hOcoAA", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:41:44.231000Z", + "tags": [ + "beacontype:hybrid http dns", + "extracted_config:true", + "httpposturi:/n4215/adj/amzn.us.sr.aps", + "malware:cobaltstrike", + "source:flashpoint_extraction", + "type:backdoor" + ], + "description": "Observation: cobaltstrike [2025-12-23T10:41:44.231Z]" + }, + "total_sightings": 229927 + } + ], + "total": null, + "pagination": { + "next": "http://{{ hostname }}:{{ env "PORT" }}/technical-intelligence/v2/indicators?modified_after=2025-12-18T10:00:00&from=4&size=2", + "prev": "http://{{ hostname }}:{{ env "PORT" }}/technical-intelligence/v2/indicators?modified_after=2025-12-18T10:00:00&from=0&size=2" + } + } + - path: 
/technical-intelligence/v2/indicators + methods: ['GET'] + query_params: + size: "2" + from: "4" + modified_after: "{modified_after:.*}" + request_headers: + Authorization: "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + { + "items": [ + { + "id": "EtniFes7WyWvawEXcL2fmQ", + "type": "domain", + "value": "featured.xyz", + "href": "https://api.flashpoint.io/technical-intelligence/v2/indicators/EtniFes7WyWvawEXcL2fmQ", + "entity_type": "indicator", + "score": { + "value": "informational", + "last_scored_at": "2025-11-03T08:46:17.620389Z" + }, + "modified_at": "2025-12-23T10:58:20.798000Z", + "created_at": "2025-11-03T08:35:08.714000Z", + "last_seen_at": "2025-12-23T10:47:29.731000Z", + "sort_date": "2025-12-23T10:47:29.731000Z", + "platform_urls": { + "ignite": "https://app.flashpoint.io/cti/malware/iocs/EtniFes7WyWvawEXcL2fmQ" + }, + "sightings": [ + { + "id": "-mQDA1JEVYiXKTSenQuSbg", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:47:29.731000Z", + "tags": [ + "aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00", + "extracted_config:true", + "group:feturednew", + "malware:xworm", + "mutex:hr5unzmp8fhkimje", + "source:flashpoint_extraction", + "type:trojan" + ], + "description": "Observation: xworm [2025-12-23T10:47:29.731Z]" + } + ], + "latest_sighting": { + "id": "-mQDA1JEVYiXKTSenQuSbg", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:47:29.731000Z", + "tags": [ + "aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00", + "extracted_config:true", + "group:feturednew", + "malware:xworm", + "mutex:hr5unzmp8fhkimje", + "source:flashpoint_extraction", + "type:trojan" + ], + "description": "Observation: xworm 
[2025-12-23T10:47:29.731Z]" + }, + "total_sightings": 11 + }, + { + "id": "dH2jOrbPXm226gzXBq1EUg", + "type": "file", + "value": "10136d02ddb5e041c22a1a7214208509cf4c6606a3fd8ea0a03da0215228c54d", + "href": "https://api.flashpoint.io/technical-intelligence/v2/indicators/dH2jOrbPXm226gzXBq1EUg", + "entity_type": "indicator", + "score": { + "value": "malicious", + "last_scored_at": "2025-12-23T10:58:23.852917Z" + }, + "modified_at": "2025-12-23T10:58:24.706000Z", + "created_at": "2025-12-23T10:47:29.731000Z", + "last_seen_at": "2025-12-23T10:47:29.731000Z", + "sort_date": "2025-12-23T10:47:29.731000Z", + "platform_urls": { + "ignite": "https://app.flashpoint.io/cti/malware/iocs/dH2jOrbPXm226gzXBq1EUg" + }, + "hashes": { + "md5": null, + "sha1": "14a85091e4d91fe58a81475498a5d037328c2431", + "sha256": "10136d02ddb5e041c22a1a7214208509cf4c6606a3fd8ea0a03da0215228c54d" + }, + "sightings": [ + { + "id": "-mQDA1JEVYiXKTSenQuSbg", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:47:29.731000Z", + "tags": [ + "aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00", + "extracted_config:true", + "group:feturednew", + "malware:xworm", + "mutex:hr5unzmp8fhkimje", + "source:flashpoint_extraction", + "type:trojan" + ], + "description": "Observation: xworm [2025-12-23T10:47:29.731Z]" + } + ], + "latest_sighting": { + "id": "-mQDA1JEVYiXKTSenQuSbg", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:47:29.731000Z", + "tags": [ + "aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00", + "extracted_config:true", + "group:feturednew", + "malware:xworm", + "mutex:hr5unzmp8fhkimje", + "source:flashpoint_extraction", + "type:trojan" + ], + "description": "Observation: xworm [2025-12-23T10:47:29.731Z]" + }, + 
"total_sightings": 1 + } + ], + "total": null, + "pagination": { + "next": null, + "prev": "http://{{ hostname }}:{{ env "PORT" }}/technical-intelligence/v2/indicators?modified_after=2025-12-18T10:00:00&from=2&size=2" + } + } + - path: /technical-intelligence/v2/indicators + methods: ['GET'] + query_params: + size: "2" + modified_after: "{modified_after:.*}" + request_headers: + Authorization: "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + { + "items": [ + { + "id": "bO3Y4XA7WWqaHbHy-H11YA", + "type": "domain", + "value": "ns7.softline.top", + "href": "https://api.flashpoint.io/technical-intelligence/v2/indicators/bO3Y4XA7WWqaHbHy-H11YA", + "entity_type": "indicator", + "score": { + "value": "malicious", + "last_scored_at": "2025-07-30T07:26:22.823000Z" + }, + "modified_at": "2025-12-23T11:18:09.404000Z", + "created_at": "2024-01-01T00:00:00Z", + "last_seen_at": "2025-12-23T11:12:06.372000Z", + "sort_date": "2025-12-23T11:12:06.372000Z", + "platform_urls": { + "ignite": "https://app.flashpoint.io/cti/malware/iocs/bO3Y4XA7WWqaHbHy-H11YA" + }, + "sightings": [ + { + "id": "BqIOrT8HWaib7Cc-hOcoAA", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/BqIOrT8HWaib7Cc-hOcoAA", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:41:44.231000Z", + "tags": [ + "beacontype:hybrid http dns", + "extracted_config:true", + "httpposturi:/n4215/adj/amzn.us.sr.aps", + "malware:cobaltstrike", + "source:flashpoint_extraction", + "type:backdoor" + ], + "description": "Observation: cobaltstrike [2025-12-23T10:41:44.231Z]" + } + ], + "latest_sighting": { + "id": "BqIOrT8HWaib7Cc-hOcoAA", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/BqIOrT8HWaib7Cc-hOcoAA", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:41:44.231000Z", + "tags": [ + "beacontype:hybrid http dns", + "extracted_config:true", + "httpposturi:/n4215/adj/amzn.us.sr.aps", + 
"malware:cobaltstrike", + "source:flashpoint_extraction", + "type:backdoor" + ], + "description": "Observation: cobaltstrike [2025-12-23T10:41:44.231Z]" + }, + "total_sightings": 230089 + }, + { + "id": "jGJDObZBWEK6upz3HX4NDA", + "type": "extracted_config", + "value": "{\"BeaconType\": \"Hybrid HTTP DNS\", \"HttpPostUri\": \"/N4215/adj/amzn.us.sr.aps\", \"type\": \"backdoor\", \"C2Server\": \"ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books\"}", + "href": "https://api.flashpoint.io/technical-intelligence/v2/indicators/jGJDObZBWEK6upz3HX4NDA", + "entity_type": "indicator", + "score": { + "value": "no_score", + "last_scored_at": null + }, + "modified_at": "2025-12-23T11:18:08.970000Z", + "created_at": "2025-08-14T14:56:41.421000Z", + "last_seen_at": "2025-12-23T11:12:06.372000Z", + "sort_date": "2025-12-23T11:12:06.372000Z", + "platform_urls": { + "ignite": "https://app.flashpoint.io/cti/malware/iocs/jGJDObZBWEK6upz3HX4NDA" + }, + "sightings": [ + { + "id": "BqIOrT8HWaib7Cc-hOcoAA", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/BqIOrT8HWaib7Cc-hOcoAA", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:41:44.231000Z", + "tags": [ + "beacontype:hybrid http dns", + "extracted_config:true", + "httpposturi:/n4215/adj/amzn.us.sr.aps", + "malware:cobaltstrike", + "source:flashpoint_extraction", + "type:backdoor" + ], + "description": "Observation: cobaltstrike [2025-12-23T10:41:44.231Z]" + } + ], + "latest_sighting": { + "id": "BqIOrT8HWaib7Cc-hOcoAA", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/BqIOrT8HWaib7Cc-hOcoAA", + "source": "flashpoint_extraction", + "sighted_at": "2025-12-23T10:41:44.231000Z", + "tags": [ + "beacontype:hybrid http dns", + "extracted_config:true", + "httpposturi:/n4215/adj/amzn.us.sr.aps", + 
"malware:cobaltstrike", + "source:flashpoint_extraction", + "type:backdoor" + ], + "description": "Observation: cobaltstrike [2025-12-23T10:41:44.231Z]" + }, + "total_sightings": 165488 + } + ], + "total": null, + "pagination": { + "next": "http://{{ hostname }}:{{ env "PORT" }}/technical-intelligence/v2/indicators?modified_after=2025-12-18T10:00:00&from=2&size=2", + "prev": null + } + } diff --git a/packages/ti_flashpoint/changelog.yml b/packages/ti_flashpoint/changelog.yml new file mode 100644 index 00000000000..35fb1d2c290 --- /dev/null +++ b/packages/ti_flashpoint/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: 0.1.0 + changes: + - description: Initial release. + type: enhancement + link: https://github.com/elastic/integrations/pull/1 diff --git a/packages/ti_flashpoint/data_stream/indicator/_dev/test/pipeline/test-common-config.yml b/packages/ti_flashpoint/data_stream/indicator/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/ti_flashpoint/data_stream/indicator/_dev/test/pipeline/test-indicator.log b/packages/ti_flashpoint/data_stream/indicator/_dev/test/pipeline/test-indicator.log new file mode 100644 index 00000000000..02aa4f47b48 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/_dev/test/pipeline/test-indicator.log 
@@ -0,0 +1,3 @@ +{"id":"cgERwXABVRCXoIKgACptBw","type":"file","value":"36fd4cb5aa5536193940d11148b0d407df7232ed470dfd05520679a4fc0d812d","href":"https://api.flashpoint.io/technical-intelligence/v2/indicators/cgERwXABVRCXoIKgACptBw","entity_type":"indicator","score":{"value":"suspicious","last_scored_at":"2025-12-18T10:02:13.186433Z"},"modified_at":"2025-12-18T10:02:13.691000Z","created_at":"2025-12-18T10:00:09.192000Z","last_seen_at":"2025-12-18T10:00:09.192000Z","sort_date":"2025-12-18T10:00:09.192000Z","platform_urls":{"ignite":"https://app.flashpoint.io/cti/malware/iocs/cgERwXABVRCXoIKgACptBw"},"hashes":{"md5":null,"sha1":null,"sha256":"36fd4cb5aa5536193940d11148b0d407df7232ed470dfd05520679a4fc0d812d"},"sightings":[{"id":"QmUmHvujWwComcKxFNgbuA","href":"https://api.flashpoint.io/technical-intelligence/v2/sightings/QmUmHvujWwComcKxFNgbuA","source":"flashpoint_detection","sighted_at":"2025-12-18T10:00:09.192000Z","tags":["malware:winwordworm","source:flashpoint_detection"],"description":"Observation: winwordworm [2025-12-18T10:00:09.192Z]"}],"latest_sighting":{"id":"QmUmHvujWwComcKxFNgbuA","href":"https://api.flashpoint.io/technical-intelligence/v2/sightings/QmUmHvujWwComcKxFNgbuA","source":"flashpoint_detection","sighted_at":"2025-12-18T10:00:09.192000Z","tags":["malware:winwordworm","source:flashpoint_detection"],"description":"Observation: winwordworm [2025-12-18T10:00:09.192Z]"},"total_sightings":1} 
+{"id":"fEJWv_62WqawCkaA-ShOUQ","type":"file","value":"25eb816e83a1a6ca4a1324ebdc582e5441489d04a7eea17f09f8c0a9f86ad4bc","href":"https://api.flashpoint.io/technical-intelligence/v2/indicators/fEJWv_62WqawCkaA-ShOUQ","entity_type":"indicator","score":{"value":"suspicious","last_scored_at":"2025-12-18T10:02:10.049365Z"},"modified_at":"2025-12-18T10:02:10.581000Z","created_at":"2025-12-18T10:00:09.073000Z","last_seen_at":"2025-12-18T10:00:09.073000Z","sort_date":"2025-12-18T10:00:09.073000Z","platform_urls":{"ignite":"https://app.flashpoint.io/cti/malware/iocs/fEJWv_62WqawCkaA-ShOUQ"},"hashes":{"md5":null,"sha1":null,"sha256":"25eb816e83a1a6ca4a1324ebdc582e5441489d04a7eea17f09f8c0a9f86ad4bc"},"sightings":[{"id":"Atpau6fHVmqmEprrgCEEng","href":"https://api.flashpoint.io/technical-intelligence/v2/sightings/Atpau6fHVmqmEprrgCEEng","source":"flashpoint_detection","sighted_at":"2025-12-18T10:00:09.073000Z","tags":["malware:socelars","source:flashpoint_detection"],"description":"Observation: socelars [2025-12-18T10:00:09.073Z]"}],"latest_sighting":{"id":"Atpau6fHVmqmEprrgCEEng","href":"https://api.flashpoint.io/technical-intelligence/v2/sightings/Atpau6fHVmqmEprrgCEEng","source":"flashpoint_detection","sighted_at":"2025-12-18T10:00:09.073000Z","tags":["malware:socelars","source:flashpoint_detection"],"description":"Observation: socelars [2025-12-18T10:00:09.073Z]"},"total_sightings":1} 
+{"id":"uRYgC1qqWbqR_HL482Xo9g","type":"file","value":"ddfbe910258f9ab040076f17e6b9846bad10d99505b7fc00fd979d21a770658e","href":"https://api.flashpoint.io/technical-intelligence/v2/indicators/uRYgC1qqWbqR_HL482Xo9g","entity_type":"indicator","score":{"value":"malicious","last_scored_at":"2025-12-18T10:02:06.882280Z"},"modified_at":"2025-12-18T10:02:07.400000Z","created_at":"2025-12-18T10:00:09.051000Z","last_seen_at":"2025-12-18T10:00:09.051000Z","sort_date":"2025-12-18T10:00:09.051000Z","platform_urls":{"ignite":"https://app.flashpoint.io/cti/malware/iocs/uRYgC1qqWbqR_HL482Xo9g"},"hashes":{"md5":null,"sha1":null,"sha256":"ddfbe910258f9ab040076f17e6b9846bad10d99505b7fc00fd979d21a770658e"},"sightings":[{"id":"Q18EsUK3VIOWWxOL-3juzg","href":"https://api.flashpoint.io/technical-intelligence/v2/sightings/Q18EsUK3VIOWWxOL-3juzg","source":"flashpoint_detection","sighted_at":"2025-12-18T10:00:09.051000Z","tags":["malware:avzhan","source:flashpoint_detection"],"description":"Observation: avzhan [2025-12-18T10:00:09.051Z]"}],"latest_sighting":{"id":"Q18EsUK3VIOWWxOL-3juzg","href":"https://api.flashpoint.io/technical-intelligence/v2/sightings/Q18EsUK3VIOWWxOL-3juzg","source":"flashpoint_detection","sighted_at":"2025-12-18T10:00:09.051000Z","tags":["malware:avzhan","source:flashpoint_detection"],"description":"Observation: avzhan [2025-12-18T10:00:09.051Z]"},"total_sightings":1} diff --git a/packages/ti_flashpoint/data_stream/indicator/_dev/test/pipeline/test-indicator.log-expected.json b/packages/ti_flashpoint/data_stream/indicator/_dev/test/pipeline/test-indicator.log-expected.json new file mode 100644 index 00000000000..a90bf1bdde3 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/_dev/test/pipeline/test-indicator.log-expected.json 
@@ -0,0 +1,283 @@ +{ + "expected": [ + { + "@timestamp": "2025-12-18T10:02:13.691Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "threat" + ], + "created": "2025-12-18T10:00:09.192Z", + "id": "cgERwXABVRCXoIKgACptBw", + "kind": "enrichment", + "original": "{\"id\":\"cgERwXABVRCXoIKgACptBw\",\"type\":\"file\",\"value\":\"36fd4cb5aa5536193940d11148b0d407df7232ed470dfd05520679a4fc0d812d\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/indicators/cgERwXABVRCXoIKgACptBw\",\"entity_type\":\"indicator\",\"score\":{\"value\":\"suspicious\",\"last_scored_at\":\"2025-12-18T10:02:13.186433Z\"},\"modified_at\":\"2025-12-18T10:02:13.691000Z\",\"created_at\":\"2025-12-18T10:00:09.192000Z\",\"last_seen_at\":\"2025-12-18T10:00:09.192000Z\",\"sort_date\":\"2025-12-18T10:00:09.192000Z\",\"platform_urls\":{\"ignite\":\"https://app.flashpoint.io/cti/malware/iocs/cgERwXABVRCXoIKgACptBw\"},\"hashes\":{\"md5\":null,\"sha1\":null,\"sha256\":\"36fd4cb5aa5536193940d11148b0d407df7232ed470dfd05520679a4fc0d812d\"},\"sightings\":[{\"id\":\"QmUmHvujWwComcKxFNgbuA\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/sightings/QmUmHvujWwComcKxFNgbuA\",\"source\":\"flashpoint_detection\",\"sighted_at\":\"2025-12-18T10:00:09.192000Z\",\"tags\":[\"malware:winwordworm\",\"source:flashpoint_detection\"],\"description\":\"Observation: winwordworm [2025-12-18T10:00:09.192Z]\"}],\"latest_sighting\":{\"id\":\"QmUmHvujWwComcKxFNgbuA\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/sightings/QmUmHvujWwComcKxFNgbuA\",\"source\":\"flashpoint_detection\",\"sighted_at\":\"2025-12-18T10:00:09.192000Z\",\"tags\":[\"malware:winwordworm\",\"source:flashpoint_detection\"],\"description\":\"Observation: winwordworm [2025-12-18T10:00:09.192Z]\"},\"total_sightings\":1}", + "type": [ + "indicator" + ] + }, + "related": { + "hash": [ + "36fd4cb5aa5536193940d11148b0d407df7232ed470dfd05520679a4fc0d812d" + ] + }, + "tags": [ + 
"preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha256": "36fd4cb5aa5536193940d11148b0d407df7232ed470dfd05520679a4fc0d812d" + } + }, + "id": [ + "cgERwXABVRCXoIKgACptBw" + ], + "last_seen": "2025-12-18T10:00:09.192Z", + "modified_at": "2025-12-18T10:02:13.691Z", + "reference": [ + "https://app.flashpoint.io/cti/malware/iocs/cgERwXABVRCXoIKgACptBw", + "https://api.flashpoint.io/technical-intelligence/v2/indicators/cgERwXABVRCXoIKgACptBw" + ], + "type": "file" + } + }, + "ti_flashpoint": { + "indicator": { + "created_at": "2025-12-18T10:00:09.192Z", + "entity_type": "indicator", + "hashes": { + "sha256": "36fd4cb5aa5536193940d11148b0d407df7232ed470dfd05520679a4fc0d812d" + }, + "href": "https://api.flashpoint.io/technical-intelligence/v2/indicators/cgERwXABVRCXoIKgACptBw", + "id": "cgERwXABVRCXoIKgACptBw", + "last_seen_at": "2025-12-18T10:00:09.192Z", + "latest_sighting": { + "description": "Observation: winwordworm [2025-12-18T10:00:09.192Z]", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/QmUmHvujWwComcKxFNgbuA", + "id": "QmUmHvujWwComcKxFNgbuA", + "sighted_at": "2025-12-18T10:00:09.192000Z", + "source": "flashpoint_detection", + "tags": [ + "malware:winwordworm", + "source:flashpoint_detection" + ] + }, + "modified_at": "2025-12-18T10:02:13.691Z", + "platform_urls": { + "ignite": "https://app.flashpoint.io/cti/malware/iocs/cgERwXABVRCXoIKgACptBw" + }, + "score": { + "last_scored_at": "2025-12-18T10:02:13.186Z", + "value": "suspicious" + }, + "sightings": [ + { + "description": "Observation: winwordworm [2025-12-18T10:00:09.192Z]", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/QmUmHvujWwComcKxFNgbuA", + "id": "QmUmHvujWwComcKxFNgbuA", + "sighted_at": "2025-12-18T10:00:09.192Z", + "source": "flashpoint_detection", + "tags": [ + "malware:winwordworm", + "source:flashpoint_detection" + ] + } + ], + "sort_date": "2025-12-18T10:00:09.192Z", + "total_sightings": 1, + 
"type": "file", + "value": "36fd4cb5aa5536193940d11148b0d407df7232ed470dfd05520679a4fc0d812d" + } + } + }, + { + "@timestamp": "2025-12-18T10:02:10.581Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "threat" + ], + "created": "2025-12-18T10:00:09.073Z", + "id": "fEJWv_62WqawCkaA-ShOUQ", + "kind": "enrichment", + "original": "{\"id\":\"fEJWv_62WqawCkaA-ShOUQ\",\"type\":\"file\",\"value\":\"25eb816e83a1a6ca4a1324ebdc582e5441489d04a7eea17f09f8c0a9f86ad4bc\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/indicators/fEJWv_62WqawCkaA-ShOUQ\",\"entity_type\":\"indicator\",\"score\":{\"value\":\"suspicious\",\"last_scored_at\":\"2025-12-18T10:02:10.049365Z\"},\"modified_at\":\"2025-12-18T10:02:10.581000Z\",\"created_at\":\"2025-12-18T10:00:09.073000Z\",\"last_seen_at\":\"2025-12-18T10:00:09.073000Z\",\"sort_date\":\"2025-12-18T10:00:09.073000Z\",\"platform_urls\":{\"ignite\":\"https://app.flashpoint.io/cti/malware/iocs/fEJWv_62WqawCkaA-ShOUQ\"},\"hashes\":{\"md5\":null,\"sha1\":null,\"sha256\":\"25eb816e83a1a6ca4a1324ebdc582e5441489d04a7eea17f09f8c0a9f86ad4bc\"},\"sightings\":[{\"id\":\"Atpau6fHVmqmEprrgCEEng\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/sightings/Atpau6fHVmqmEprrgCEEng\",\"source\":\"flashpoint_detection\",\"sighted_at\":\"2025-12-18T10:00:09.073000Z\",\"tags\":[\"malware:socelars\",\"source:flashpoint_detection\"],\"description\":\"Observation: socelars [2025-12-18T10:00:09.073Z]\"}],\"latest_sighting\":{\"id\":\"Atpau6fHVmqmEprrgCEEng\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/sightings/Atpau6fHVmqmEprrgCEEng\",\"source\":\"flashpoint_detection\",\"sighted_at\":\"2025-12-18T10:00:09.073000Z\",\"tags\":[\"malware:socelars\",\"source:flashpoint_detection\"],\"description\":\"Observation: socelars [2025-12-18T10:00:09.073Z]\"},\"total_sightings\":1}", + "type": [ + "indicator" + ] + }, + "related": { + "hash": [ + 
"25eb816e83a1a6ca4a1324ebdc582e5441489d04a7eea17f09f8c0a9f86ad4bc" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha256": "25eb816e83a1a6ca4a1324ebdc582e5441489d04a7eea17f09f8c0a9f86ad4bc" + } + }, + "id": [ + "fEJWv_62WqawCkaA-ShOUQ" + ], + "last_seen": "2025-12-18T10:00:09.073Z", + "modified_at": "2025-12-18T10:02:10.581Z", + "reference": [ + "https://app.flashpoint.io/cti/malware/iocs/fEJWv_62WqawCkaA-ShOUQ", + "https://api.flashpoint.io/technical-intelligence/v2/indicators/fEJWv_62WqawCkaA-ShOUQ" + ], + "type": "file" + } + }, + "ti_flashpoint": { + "indicator": { + "created_at": "2025-12-18T10:00:09.073Z", + "entity_type": "indicator", + "hashes": { + "sha256": "25eb816e83a1a6ca4a1324ebdc582e5441489d04a7eea17f09f8c0a9f86ad4bc" + }, + "href": "https://api.flashpoint.io/technical-intelligence/v2/indicators/fEJWv_62WqawCkaA-ShOUQ", + "id": "fEJWv_62WqawCkaA-ShOUQ", + "last_seen_at": "2025-12-18T10:00:09.073Z", + "latest_sighting": { + "description": "Observation: socelars [2025-12-18T10:00:09.073Z]", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/Atpau6fHVmqmEprrgCEEng", + "id": "Atpau6fHVmqmEprrgCEEng", + "sighted_at": "2025-12-18T10:00:09.073000Z", + "source": "flashpoint_detection", + "tags": [ + "malware:socelars", + "source:flashpoint_detection" + ] + }, + "modified_at": "2025-12-18T10:02:10.581Z", + "platform_urls": { + "ignite": "https://app.flashpoint.io/cti/malware/iocs/fEJWv_62WqawCkaA-ShOUQ" + }, + "score": { + "last_scored_at": "2025-12-18T10:02:10.049Z", + "value": "suspicious" + }, + "sightings": [ + { + "description": "Observation: socelars [2025-12-18T10:00:09.073Z]", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/Atpau6fHVmqmEprrgCEEng", + "id": "Atpau6fHVmqmEprrgCEEng", + "sighted_at": "2025-12-18T10:00:09.073Z", + "source": "flashpoint_detection", + "tags": [ + "malware:socelars", + "source:flashpoint_detection" + ] + } 
+ ], + "sort_date": "2025-12-18T10:00:09.073Z", + "total_sightings": 1, + "type": "file", + "value": "25eb816e83a1a6ca4a1324ebdc582e5441489d04a7eea17f09f8c0a9f86ad4bc" + } + } + }, + { + "@timestamp": "2025-12-18T10:02:07.400Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "threat" + ], + "created": "2025-12-18T10:00:09.051Z", + "id": "uRYgC1qqWbqR_HL482Xo9g", + "kind": "enrichment", + "original": "{\"id\":\"uRYgC1qqWbqR_HL482Xo9g\",\"type\":\"file\",\"value\":\"ddfbe910258f9ab040076f17e6b9846bad10d99505b7fc00fd979d21a770658e\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/indicators/uRYgC1qqWbqR_HL482Xo9g\",\"entity_type\":\"indicator\",\"score\":{\"value\":\"malicious\",\"last_scored_at\":\"2025-12-18T10:02:06.882280Z\"},\"modified_at\":\"2025-12-18T10:02:07.400000Z\",\"created_at\":\"2025-12-18T10:00:09.051000Z\",\"last_seen_at\":\"2025-12-18T10:00:09.051000Z\",\"sort_date\":\"2025-12-18T10:00:09.051000Z\",\"platform_urls\":{\"ignite\":\"https://app.flashpoint.io/cti/malware/iocs/uRYgC1qqWbqR_HL482Xo9g\"},\"hashes\":{\"md5\":null,\"sha1\":null,\"sha256\":\"ddfbe910258f9ab040076f17e6b9846bad10d99505b7fc00fd979d21a770658e\"},\"sightings\":[{\"id\":\"Q18EsUK3VIOWWxOL-3juzg\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/sightings/Q18EsUK3VIOWWxOL-3juzg\",\"source\":\"flashpoint_detection\",\"sighted_at\":\"2025-12-18T10:00:09.051000Z\",\"tags\":[\"malware:avzhan\",\"source:flashpoint_detection\"],\"description\":\"Observation: avzhan [2025-12-18T10:00:09.051Z]\"}],\"latest_sighting\":{\"id\":\"Q18EsUK3VIOWWxOL-3juzg\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/sightings/Q18EsUK3VIOWWxOL-3juzg\",\"source\":\"flashpoint_detection\",\"sighted_at\":\"2025-12-18T10:00:09.051000Z\",\"tags\":[\"malware:avzhan\",\"source:flashpoint_detection\"],\"description\":\"Observation: avzhan [2025-12-18T10:00:09.051Z]\"},\"total_sightings\":1}", + "type": [ + "indicator" + ] + }, + "related": { + "hash": [ 
+ "ddfbe910258f9ab040076f17e6b9846bad10d99505b7fc00fd979d21a770658e" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha256": "ddfbe910258f9ab040076f17e6b9846bad10d99505b7fc00fd979d21a770658e" + } + }, + "id": [ + "uRYgC1qqWbqR_HL482Xo9g" + ], + "last_seen": "2025-12-18T10:00:09.051Z", + "modified_at": "2025-12-18T10:02:07.400Z", + "reference": [ + "https://app.flashpoint.io/cti/malware/iocs/uRYgC1qqWbqR_HL482Xo9g", + "https://api.flashpoint.io/technical-intelligence/v2/indicators/uRYgC1qqWbqR_HL482Xo9g" + ], + "type": "file" + } + }, + "ti_flashpoint": { + "indicator": { + "created_at": "2025-12-18T10:00:09.051Z", + "entity_type": "indicator", + "hashes": { + "sha256": "ddfbe910258f9ab040076f17e6b9846bad10d99505b7fc00fd979d21a770658e" + }, + "href": "https://api.flashpoint.io/technical-intelligence/v2/indicators/uRYgC1qqWbqR_HL482Xo9g", + "id": "uRYgC1qqWbqR_HL482Xo9g", + "last_seen_at": "2025-12-18T10:00:09.051Z", + "latest_sighting": { + "description": "Observation: avzhan [2025-12-18T10:00:09.051Z]", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/Q18EsUK3VIOWWxOL-3juzg", + "id": "Q18EsUK3VIOWWxOL-3juzg", + "sighted_at": "2025-12-18T10:00:09.051000Z", + "source": "flashpoint_detection", + "tags": [ + "malware:avzhan", + "source:flashpoint_detection" + ] + }, + "modified_at": "2025-12-18T10:02:07.400Z", + "platform_urls": { + "ignite": "https://app.flashpoint.io/cti/malware/iocs/uRYgC1qqWbqR_HL482Xo9g" + }, + "score": { + "last_scored_at": "2025-12-18T10:02:06.882Z", + "value": "malicious" + }, + "sightings": [ + { + "description": "Observation: avzhan [2025-12-18T10:00:09.051Z]", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/Q18EsUK3VIOWWxOL-3juzg", + "id": "Q18EsUK3VIOWWxOL-3juzg", + "sighted_at": "2025-12-18T10:00:09.051Z", + "source": "flashpoint_detection", + "tags": [ + "malware:avzhan", + "source:flashpoint_detection" + ] + } + ], + 
"sort_date": "2025-12-18T10:00:09.051Z", + "total_sightings": 1, + "type": "file", + "value": "ddfbe910258f9ab040076f17e6b9846bad10d99505b7fc00fd979d21a770658e" + } + } + } + ] +} diff --git a/packages/ti_flashpoint/data_stream/indicator/_dev/test/system/test-default-config.yml b/packages/ti_flashpoint/data_stream/indicator/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..6b62313e822 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/_dev/test/system/test-default-config.yml @@ -0,0 +1,12 @@ +input: cel +service: ti_flashpoint +vars: + url: http://{{Hostname}}:{{Port}} + api_token: xxxx +data_stream: + vars: + preserve_original_event: true + preserve_duplicate_custom_fields: true + page_size: 2 +assert: + hit_count: 6 diff --git a/packages/ti_flashpoint/data_stream/indicator/agent/stream/cel.yml.hbs b/packages/ti_flashpoint/data_stream/indicator/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..5f2de049606 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/agent/stream/cel.yml.hbs 
@@ -0,0 +1,133 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +{{#if max_executions}} +max_executions: {{max_executions}} +{{/if}} +resource.url: {{url}} + +state: + initial_interval: {{initial_interval}} + page_size: {{page_size}} + api_token: {{api_token}} +redact: + fields: + - api_token +program: | + state.with( + request( + "GET", + state.?next.url.orValue( + state.url.trim_right("/") + "/technical-intelligence/v2/indicators?" + { + "size": [string(state.page_size)], + "modified_after": [state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format("2006-01-02T15:04:05")) + "Z"], + }.format_query() + ) + ).with({ + "Header": { + "Accept": ["application/json"], + "Authorization": ["Bearer " + state.api_token], + } + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, + { + // Publish events + "events": ((has(body.items) && size(body.items) > 0) ? + body.items.map(e, { + "message": e.encode_json() + }) + : + // Added placeholder to ensure cursor gets stored + // This will be dropped later in the pipeline + [{"message": "empty_events_placeholder"}] + ), + "cursor": { + // 'max_modified_at' tracks the maximum 'modified_at' timestamp + // encountered across all pages within the current polling cycle. + ?"max_modified_at": (has(body.items) && size(body.items) > 0) ? + (has(state.?cursor.max_modified_at) ? 
+ optional.of( + max([ + state.cursor.max_modified_at.parse_time("2006-01-02T15:04:05"), + body.items.map(e, timestamp(e.modified_at)).max() + ]).format("2006-01-02T15:04:05") + ) + : + optional.of(body.items.map(e, timestamp(e.modified_at)).max().format("2006-01-02T15:04:05")) + ) + : + state.?cursor.max_modified_at, + + // 'last_timestamp' is finalized only on the last page of pagination + // and is used as the starting point for the next scheduled run. + ?"last_timestamp": (has(body.?pagination.next) && body.pagination.next == null) ? + ((has(body.items) && size(body.items) > 0) ? + (has(state.?cursor.max_modified_at) ? + optional.of( + max([ + state.cursor.max_modified_at.parse_time("2006-01-02T15:04:05"), + body.items.map(e, timestamp(e.modified_at)).max(), + ]).format("2006-01-02T15:04:05") + ) + : + optional.of(body.items.map(e, timestamp(e.modified_at)).max().format("2006-01-02T15:04:05")) + ) + : + state.?cursor.max_modified_at) + : + state.?cursor.last_timestamp + }, + "next": { + ?"url": has(body.?pagination.next) && body.pagination.next != null ? body.?pagination.next : optional.none() + }, + "want_more": has(body.?pagination.next) && body.pagination.next != null + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/technical-intelligence/v2/indicators: " + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "next": {}, + "want_more": false + } + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} 
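Review bot: the end-of-pagination test in the `last_timestamp` branch, `has(body.?pagination.next) && body.pagination.next == null`, only fires when the API returns the key with an explicit null; if the last page omits `pagination.next` entirely, `has()` is false, `last_timestamp` falls through to `state.?cursor.last_timestamp` and never advances, so every scheduled run re-fetches from the initial `modified_after`. Unless the API is known to always emit the key, `!has(body.?pagination.next) || body.pagination.next == null` is the safer condition; the `want_more` and `next.url` expressions already treat a missing key as end-of-data, so the two halves of the program would then agree. Two smaller points: `max_modified_at` is never cleared on the last page, so the comment that it tracks the maximum "within the current polling cycle" is inaccurate (it persists across cycles; harmless because the value is monotonic, but the comment should say so), and formatting the cursor with `"2006-01-02T15:04:05"` drops sub-second precision, so the next run's `modified_after` re-fetches items modified within the same second; that is only safe because the pipeline fingerprints `_id` on `json.id` + `json.modified_at`, which deserves a comment here.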
diff --git a/packages/ti_flashpoint/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml b/packages/ti_flashpoint/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..caf3a569e50 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,496 @@ +--- +description: Pipeline for processing indicator logs. +processors: + - drop: + tag: drop_empty_events_placeholder_1f3e6c12 + if: ctx.message == 'empty_events_placeholder' + - set: + tag: set_ecs_version_to_9_2_0_3273339c + field: ecs.version + value: 9.2.0 + - terminate: + description: error message set and no data to process. + tag: terminate_data_collection_error_4c75f12b + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + + # remove agentless metadata + - remove: + description: Removes the fields added by Agentless as metadata, as they can collide with ECS fields. + tag: remove_agentless_tags_44eed408 + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + field: + - organization + - division + - team + ignore_missing: true + + # parse the event JSON + - rename: + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + tag: rename_message_to_event_original_c74b1d7e + if: ctx.event?.original == null + field: message + target_field: event.original + ignore_missing: true + - remove: + description: The `message` field is no longer required if the document has an `event.original` field. 
+ tag: remove_message_84808ee4 + if: ctx.event?.original != null + field: message + ignore_missing: true + - json: + tag: json_event_original_into_json_5e54dc16 + field: event.original + target_field: json + + # Add fingerprint + - fingerprint: + tag: fingerprint_into__id_b67cc53d + fields: + - json.id + - json.modified_at + target_field: _id + ignore_missing: true + + # Set event.* fields + - set: + tag: set_event_kind_to_enrichment_a131107f + field: event.kind + value: enrichment + - append: + tag: Append_event_type_to_indicator_7779ef85 + field: event.type + value: indicator + - append: + tag: Append_event_category_to_threat_4cc22c32 + field: event.category + value: threat + + # rename fields to snake_case (hyphen to underscore) + - script: + description: Convert field names from hyphen to underscore. + tag: script_normalize_field_names_53b23f1f + lang: painless + source: |- + // Replace '-' with '_' in field names + String normalize(String str) { + return str.replace('-', '_'); + } + + // Recursive function to process objects + def normalizeFields(def obj) { + if (obj instanceof Map) { + def newObj = new HashMap(); + for (entry in obj.entrySet()) { + String newKey = normalize(entry.getKey()); + newObj.put(newKey, normalizeFields(entry.getValue())); + } + return newObj; + } else if (obj instanceof List) { + def newList = new ArrayList(); + for (item in obj) { + newList.add(normalizeFields(item)); + } + return newList; + } + return obj; + } + + // Apply transformation + if (ctx.json != null) { + ctx.ti_flashpoint = ctx.ti_flashpoint ?: [:]; + ctx.ti_flashpoint.indicator = normalizeFields(ctx.json); + ctx.remove('json'); + } + + # Date processors + - date: + tag: date_ti_flashpoint_indicator_created_at_into_ti_flashpoint_indicator_created_at_425aeb53 + if: ctx.ti_flashpoint?.indicator?.created_at != null && ctx.ti_flashpoint.indicator.created_at != '' + field: ti_flashpoint.indicator.created_at + target_field: ti_flashpoint.indicator.created_at + formats: + - 
ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_indicator_created_at_95cd5660 + field: + - ti_flashpoint.indicator.created_at + - append: + tag: append_error_message_baa27281 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_indicator_last_seen_at_into_ti_flashpoint_indicator_last_seen_at_89fe6397 + if: ctx.ti_flashpoint?.indicator?.last_seen_at != null && ctx.ti_flashpoint.indicator.last_seen_at != '' + field: ti_flashpoint.indicator.last_seen_at + target_field: ti_flashpoint.indicator.last_seen_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_indicator_last_seen_at_5940c3d6 + field: + - ti_flashpoint.indicator.last_seen_at + - append: + tag: append_error_message_47620885 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_indicator_modified_at_into_ti_flashpoint_indicator_modified_at_ab37f0f7 + if: ctx.ti_flashpoint?.indicator?.modified_at != null && ctx.ti_flashpoint.indicator.modified_at != '' + field: ti_flashpoint.indicator.modified_at + target_field: ti_flashpoint.indicator.modified_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_indicator_modified_at_8c5e049f + field: + - ti_flashpoint.indicator.modified_at + - append: + tag: append_error_message_740fcf65 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: 
date_ti_flashpoint_indicator_score_last_scored_at_into_ti_flashpoint_indicator_score_last_scored_at_3a1841be + if: ctx.ti_flashpoint?.indicator?.score?.last_scored_at != null && ctx.ti_flashpoint.indicator.score.last_scored_at != '' + field: ti_flashpoint.indicator.score.last_scored_at + target_field: ti_flashpoint.indicator.score.last_scored_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_indicator_score_last_scored_at_1a0438a4 + field: + - ti_flashpoint.indicator.score.last_scored_at + - append: + tag: append_error_message_71aa282e + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_indicator_sort_date_into_ti_flashpoint_indicator_sort_date_5dd8c107 + if: ctx.ti_flashpoint?.indicator?.sort_date != null && ctx.ti_flashpoint.indicator.sort_date != '' + field: ti_flashpoint.indicator.sort_date + target_field: ti_flashpoint.indicator.sort_date + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_indicator_sort_date_414e9947 + field: + - ti_flashpoint.indicator.sort_date + - append: + tag: append_error_message_98946ff5 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_of_ti_flashpoint_indicator_sightings_13d2b5ab + if: ctx.ti_flashpoint?.indicator?.sightings instanceof List + field: ti_flashpoint.indicator.sightings + processor: + date: + tag: date__ingest__value_sighted_at_into__ingest__value_sighted_at_2c9dd7b3 + field: _ingest._value.sighted_at + target_field: _ingest._value.sighted_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove__ingest__value_sighted_at_85e819ec + field: + 
- _ingest._value.sighted_at + - foreach: + tag: foreach_of_ti_flashpoint_indicator_latest_sighting_3d61fe51 + if: ctx.ti_flashpoint?.indicator?.latest_sighting instanceof List + field: ti_flashpoint.indicator.latest_sighting + processor: + date: + tag: date__ingest__value_sighted_at_into__ingest__value_sighted_at_8774a83d + field: _ingest._value.sighted_at + target_field: _ingest._value.sighted_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove__ingest__value_sighted_at_950bd05e + field: + - _ingest._value.sighted_at + - foreach: + tag: foreach_of_ti_flashpoint_indicator_latest_sighting_related_iocs_a72ddbb6 + if: ctx.ti_flashpoint?.indicator?.latest_sighting?.related_iocs instanceof List + field: ti_flashpoint.indicator.latest_sighting.related_iocs + processor: + date: + tag: date__ingest__value_score_last_scored_at_into__ingest__value_score_last_scored_at_5db754c4 + field: _ingest._value.score.last_scored_at + target_field: _ingest._value.score.last_scored_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove__ingest__value_score_last_scored_at_93d3417c + field: + - _ingest._value.score.last_scored_at + + # Convert to Long + - convert: + tag: convert_ti_flashpoint_indicator_total_sightings_to_long_398da6b1 + field: ti_flashpoint.indicator.total_sightings + type: long + ignore_missing: true + on_failure: + - remove: + tag: remove_ti_flashpoint_indicator_total_sightings_55a7fc15 + field: + - ti_flashpoint.indicator.total_sightings + - append: + tag: append_error_message_ce86c4b7 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_of_ti_flashpoint_indicator_latest_sighting_related_iocs_ee788865 + if: ctx.ti_flashpoint?.indicator?.latest_sighting?.related_iocs instanceof List + field: ti_flashpoint.indicator.latest_sighting.related_iocs 
+ processor: + convert: + tag: convert__ingest__value_score_raw_score_to_long_bbda34b7 + field: _ingest._value.score.raw_score + type: long + ignore_missing: true + on_failure: + - remove: + tag: remove__ingest__value_score_raw_score_58094a09 + field: + - _ingest._value.score.raw_score + - append: + tag: append_error_message_ddbc8225 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_of_ti_flashpoint_indicator_sightings_bf81c939 + if: ctx.ti_flashpoint?.indicator?.sightings instanceof List + field: ti_flashpoint.indicator.sightings + processor: + foreach: + tag: foreach_of__ingest__value_related_iocs_ba1974d0 + field: _ingest._value.related_iocs + processor: + convert: + tag: convert__ingest__value_score_raw_score_to_long_56228ea4 + field: _ingest._value.score.raw_score + type: long + ignore_missing: true + on_failure: + - remove: + tag: remove__ingest__value_score_raw_score_5220b972 + field: + - _ingest._value.score.raw_score + - append: + tag: append_error_message_9040f274 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + ignore_failure: true + + # Map custom fields to corresponding ECS and related fields. 
+ - set: + tag: set_event_created_from_ti_flashpoint_indicator_created_at_62fd2dee + field: event.created + copy_from: ti_flashpoint.indicator.created_at + ignore_empty_value: true + - set: + tag: set_threat_indicator_file_hash_md5_from_ti_flashpoint_indicator_hashes_md5_2230d5b7 + field: threat.indicator.file.hash.md5 + copy_from: ti_flashpoint.indicator.hashes.md5 + ignore_empty_value: true + - set: + tag: set_threat_indicator_file_hash_sha1_from_ti_flashpoint_indicator_hashes_sha1_f4ef28dd + field: threat.indicator.file.hash.sha1 + copy_from: ti_flashpoint.indicator.hashes.sha1 + ignore_empty_value: true + - set: + tag: set_threat_indicator_file_hash_sha256_from_ti_flashpoint_indicator_hashes_sha256_53b07ad1 + field: threat.indicator.file.hash.sha256 + copy_from: ti_flashpoint.indicator.hashes.sha256 + ignore_empty_value: true + - set: + tag: set_event_id_from_ti_flashpoint_indicator_id_88145a00 + field: event.id + copy_from: ti_flashpoint.indicator.id + ignore_empty_value: true + - set: + tag: set_threat_indicator_last_seen_from_ti_flashpoint_indicator_last_seen_at_63a6f25f + field: threat.indicator.last_seen + copy_from: ti_flashpoint.indicator.last_seen_at + ignore_empty_value: true + - set: + tag: set_message_from_ti_flashpoint_indicator_malware_description_16878ebf + field: message + copy_from: ti_flashpoint.indicator.malware_description + ignore_empty_value: true + - set: + tag: set_threat_indicator_description_from_ti_flashpoint_indicator_malware_description_fecf7f9f + field: threat.indicator.description + copy_from: ti_flashpoint.indicator.malware_description + ignore_empty_value: true + - set: + tag: set_@timestamp_from_ti_flashpoint_indicator_modified_at_e54167e1 + field: '@timestamp' + copy_from: ti_flashpoint.indicator.modified_at + ignore_empty_value: true + - set: + tag: set_threat_indicator_modified_at_from_ti_flashpoint_indicator_modified_at_f4859e7d + field: threat.indicator.modified_at + copy_from: ti_flashpoint.indicator.modified_at + 
ignore_empty_value: true + - append: + tag: append_threat_indicator_id_from_ti_flashpoint_indicator_id_211ee5c8 + if: ctx.ti_flashpoint?.indicator?.id != null + field: threat.indicator.id + value: '{{{ti_flashpoint.indicator.id}}}' + allow_duplicates: false + - append: + tag: append_threat_indicator_reference_from_ti_flashpoint_indicator_platform_urls_ignite_dc588b53 + if: ctx.ti_flashpoint?.indicator?.platform_urls?.ignite != null + field: threat.indicator.reference + value: '{{{ti_flashpoint.indicator.platform_urls.ignite}}}' + allow_duplicates: false + - append: + tag: append_threat_indicator_reference_from_ti_flashpoint_indicator_href_4429b4b6 + if: ctx.ti_flashpoint?.indicator?.href != null + field: threat.indicator.reference + value: '{{{ti_flashpoint.indicator.href}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_indicator_mitre_attack_ids_9fa64b00 + if: ctx.ti_flashpoint?.indicator?.mitre_attack_ids instanceof List + field: ti_flashpoint.indicator.mitre_attack_ids + processor: + append: + tag: append_threat_tactic_id_9f70a472 + field: threat.tactic.id + value: '{{{_ingest._value.id}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_indicator_mitre_attack_ids_a2a64fb9 + if: ctx.ti_flashpoint?.indicator?.mitre_attack_ids instanceof List + field: ti_flashpoint.indicator.mitre_attack_ids + processor: + append: + tag: append_threat_tactic_name_1d8be2da + field: threat.tactic.name + value: '{{{_ingest._value.name}}}' + allow_duplicates: false + - script: + description: set threat.indicator.type from ti_flashpoint.indicator.type. 
+ tag: set_threat_indicator_type_from_ti_flashpoint_indicator_type_a104217c + if: ctx.ti_flashpoint?.indicator?.type != null + lang: painless + params: + domain: domain-name + file: file + ipv4: ipv4-addr + url: url + source: |- + ctx.threat = ctx.threat ?: [:]; + ctx.threat.indicator = ctx.threat.indicator ?: [:]; + ctx.threat.indicator.type = params[ctx.ti_flashpoint.indicator.type]; + - append: + tag: append_related_hash_from_ti_flashpoint_indicator_hashes_md5_1124ea58 + if: ctx.ti_flashpoint?.indicator?.hashes?.md5 != null + field: related.hash + value: '{{{ti_flashpoint.indicator.hashes.md5}}}' + allow_duplicates: false + - append: + tag: append_related_hash_from_ti_flashpoint_indicator_hashes_sha1_1de15f42 + if: ctx.ti_flashpoint?.indicator?.hashes?.sha1 != null + field: related.hash + value: '{{{ti_flashpoint.indicator.hashes.sha1}}}' + allow_duplicates: false + - append: + tag: append_related_hash_from_ti_flashpoint_indicator_hashes_sha256_9c2edb02 + if: ctx.ti_flashpoint?.indicator?.hashes?.sha256 != null + field: related.hash + value: '{{{ti_flashpoint.indicator.hashes.sha256}}}' + allow_duplicates: false + + # Remove duplicate custom fields if preserve_duplicate_custom_fields are not enabled + - foreach: + tag: foreach_of_ti_flashpoint_indicator_mitre_attack_ids_7ebdc010 + if: ctx.ti_flashpoint?.indicator?.mitre_attack_ids instanceof List && (ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')) + field: ti_flashpoint.indicator.mitre_attack_ids + processor: + remove: + tag: remove_custom_duplicate_fields_for_mitre_attack_ids_5c8b8597 + field: + - _ingest._value.id + - _ingest._value.name + ignore_missing: true + - remove: + tag: remove_custom_duplicate_fields_e33cc5ba + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + field: + - ti_flashpoint.indicator.created_at + - ti_flashpoint.indicator.hashes.md5 + - ti_flashpoint.indicator.hashes.sha1 + - ti_flashpoint.indicator.hashes.sha256 + - 
ti_flashpoint.indicator.href + - ti_flashpoint.indicator.id + - ti_flashpoint.indicator.last_seen_at + - ti_flashpoint.indicator.malware_description + - ti_flashpoint.indicator.modified_at + - ti_flashpoint.indicator.platform_urls.ignite + ignore_missing: true + + # Cleanup + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values_8360f3de + lang: painless + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + tag: set_event_kind_to_pipeline_error_92954dfa + if: ctx.error?.message != null + field: event.kind + value: pipeline_error + - append: + tag: append_tags_9fe66b2c + if: ctx.error?.message != null + field: tags + value: preserve_original_event + allow_duplicates: false +on_failure: + - append: + tag: append_error_message_e0c9bd63 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + tag: set_event_kind_to_pipeline_error_f51b77ad + field: event.kind + value: pipeline_error + - append: + tag: append_tags_d762b9c5 + field: tags + value: preserve_original_event + allow_duplicates: false 
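Review bot: the `date` conversion for `ti_flashpoint.indicator.latest_sighting.sighted_at` never runs: it is wrapped in a `foreach` guarded by `ctx.ti_flashpoint?.indicator?.latest_sighting instanceof List`, but `latest_sighting` is a single object, as the expected output above shows (`latest_sighting.sighted_at` keeps the raw `2025-12-18T10:00:09.073000Z` while `sightings[0].sighted_at` is normalised to `2025-12-18T10:00:09.073Z`). Replace that `foreach` with a plain `date` processor on `ti_flashpoint.indicator.latest_sighting.sighted_at`, with the same `ISO8601` format and `on_failure` handling as the other date processors, and regenerate the expected file. Separately, `mitre_attack_ids[].id` and `.name` are appended to `threat.tactic.id` / `threat.tactic.name`, but fields.yml describes each entry as a MITRE ATT&CK technique carrying a `tactics` list, so `threat.technique.id` / `threat.technique.name` (with `tactics` feeding `threat.tactic.name`) looks like the intended ECS mapping. Finally, the `params` map for `threat.indicator.type` covers only `domain`, `file`, `ipv4` and `url`; any other Flashpoint type yields a null that the cleanup script silently drops, so either extend the map or fall back to the raw value and note the gap in a comment.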
diff --git a/packages/ti_flashpoint/data_stream/indicator/fields/base-fields.yml b/packages/ti_flashpoint/data_stream/indicator/fields/base-fields.yml new file mode 100644 index 00000000000..c9c4c981de7 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/fields/base-fields.yml @@ -0,0 +1,16 @@ +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: data_stream.type + external: ecs +- name: event.dataset + type: constant_keyword + external: ecs + value: ti_flashpoint.indicator +- name: event.module + type: constant_keyword + external: ecs + value: ti_flashpoint +- name: '@timestamp' + external: ecs diff --git a/packages/ti_flashpoint/data_stream/indicator/fields/beats.yml b/packages/ti_flashpoint/data_stream/indicator/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/ti_flashpoint/data_stream/indicator/fields/ecs.yml b/packages/ti_flashpoint/data_stream/indicator/fields/ecs.yml new file mode 100644 index 00000000000..605bae51ce8 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/fields/ecs.yml @@ -0,0 +1,9 @@ +# Define ECS constant fields as constant_keyword +- name: observer.product + external: ecs + type: constant_keyword + value: Ignite +- name: observer.vendor + external: ecs + type: constant_keyword + value: Flashpoint diff --git a/packages/ti_flashpoint/data_stream/indicator/fields/fields.yml b/packages/ti_flashpoint/data_stream/indicator/fields/fields.yml new file mode 100644 index 00000000000..77cb8ffac2f --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/fields/fields.yml 
@@ -0,0 +1,231 @@ +- name: ti_flashpoint + type: group + fields: + - name: indicator + type: group + fields: + - name: apt_description + type: keyword + description: A description of the related threat actor. + - name: created_at + type: date + description: The date and time the indicator was created within Flashpoint's dataset. + - name: entity_type + type: keyword + description: The entity type of the object. + - name: external_references + type: group + fields: + - name: source_name + type: keyword + description: The name of the reference's source. + - name: url + type: keyword + description: The URL of the reference. + - name: hashes + type: group + fields: + - name: md5 + type: keyword + - name: sha1 + type: keyword + - name: sha256 + type: keyword + - name: href + type: keyword + description: The URL to the indicator's full context data. + - name: id + type: keyword + description: The unique identifier for this indicator within Flashpoint's dataset. + - name: last_seen_at + type: date + description: The date and time the indicator was last seen by related sources. + - name: latest_sighting + type: group + fields: + - name: apt_description + type: keyword + description: A description of the APT associated with the sighting. + - name: description + type: keyword + - name: href + type: keyword + description: The href of the sighting. + - name: id + type: keyword + description: Unique identifier of the sighting. + - name: malware_description + type: keyword + description: A description of the malware associated with the sighting. + - name: mitre_attack_ids + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: tactics + type: keyword + description: A list of tactics associated with the MITRE ATT&CK technique. + - name: related_iocs + type: group + fields: + - name: href + type: keyword + description: The URL to the indicator's full context data. 
+ - name: id + type: keyword + description: The unique identifier for this indicator within Flashpoint's dataset. + - name: score + type: group + fields: + - name: last_scored_at + type: date + description: The date and time the indicator was last scored. + - name: raw_score + type: long + description: The raw score of the indicator. + - name: value + type: keyword + description: The score tier of the indicator. + - name: type + type: keyword + description: Defines what type of indicator this is. + - name: value + type: keyword + description: The value of the indicator. + - name: sighted_at + type: date + description: The date and time the indicator was seen by the source. + - name: source + type: keyword + description: The source of the sighting. + - name: tags + type: keyword + description: A list of tags associated with the Sighting. + - name: malware_description + type: keyword + - name: mitre_attack_ids + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: tactics + type: keyword + description: A list of tactics associated with the MITRE ATT&CK technique. + - name: modified_at + type: date + description: The date and time the indicator was last modified within Flashpoint's dataset. + - name: platform_urls + type: group + fields: + - name: ignite + type: keyword + description: Links to the indicator in various Flashpoint platforms. + - name: relationships + type: group + fields: + - name: iocs + type: group + fields: + - name: href + type: keyword + description: The URL to the indicator's full context data. + - name: id + type: keyword + description: The unique identifier for this indicator within Flashpoint's dataset. + - name: type + type: keyword + description: Defines what type of indicator this is. + - name: value + type: keyword + description: The value of the indicator. + - name: score + type: group + fields: + - name: last_scored_at + type: date + description: The date and time the indicator was last scored. 
+ - name: raw_score + type: keyword + description: The raw score of the indicator. + - name: value + type: keyword + description: The score tier of the indicator. + - name: sightings + type: group + fields: + - name: apt_description + type: keyword + description: A description of the APT associated with the sighting. + - name: description + type: keyword + - name: href + type: keyword + description: The href of the sighting. + - name: id + type: keyword + description: Unique identifier of the sighting. + - name: malware_description + type: keyword + description: A description of the malware associated with the sighting. + - name: mitre_attack_ids + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: tactics + type: keyword + description: A list of tactics associated with the MITRE ATT&CK technique. + - name: related_iocs + type: group + fields: + - name: href + type: keyword + description: The URL to the indicator's full context data. + - name: id + type: keyword + description: The unique identifier for this indicator within Flashpoint's dataset. + - name: score + type: group + fields: + - name: last_scored_at + type: keyword + description: The date and time the indicator was last scored. + - name: raw_score + type: long + description: The raw score of the indicator. + - name: value + type: keyword + description: The score tier of the indicator. + - name: type + type: keyword + description: Defines what type of indicator this is. + - name: value + type: keyword + description: The value of the indicator. + - name: sighted_at + type: date + description: The date and time the indicator was seen by the source. + - name: source + type: keyword + description: The source of the sighting. + - name: tags + type: keyword + description: A list of tags associated with the Sighting. + - name: sort_date + type: date + description: The date and time defaulted for sorting indicators. This is the same value as last_seen_at. 
+ - name: total_sightings + type: long + description: The total number of sightings for the indicator. + - name: type + type: keyword + description: Defines what type of indicator. + - name: value + type: keyword + description: The value of the indicator. diff --git a/packages/ti_flashpoint/data_stream/indicator/fields/is-transform-source-true.yml b/packages/ti_flashpoint/data_stream/indicator/fields/is-transform-source-true.yml new file mode 100644 index 00000000000..fd4766eacd5 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/fields/is-transform-source-true.yml @@ -0,0 +1,4 @@ +- name: labels.is_transform_source + type: constant_keyword + description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. + value: "true" diff --git a/packages/ti_flashpoint/data_stream/indicator/manifest.yml b/packages/ti_flashpoint/data_stream/indicator/manifest.yml new file mode 100644 index 00000000000..1ffbdc07826 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/manifest.yml 
@@ -0,0 +1,95 @@ +title: Indicator +type: logs +streams: + - input: cel + title: Indicator + description: Collect Indicator logs from Flashpoint. + template_path: cel.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + description: How far back to pull the logs from Flashpoint API. Supported units for this parameter are h/m/s. + - name: interval + type: text + title: Interval + description: Duration between requests to the Flashpoint API. Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 5m + - name: page_size + type: integer + title: Page Size + description: Page size for the response of the Flashpoint API. + multi: false + required: true + show_user: false + default: 1000 + - name: max_executions + type: integer + title: Maximum Pages Per Interval + description: Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval. + multi: false + required: false + show_user: false + default: 1000 + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + default: false + required: false + show_user: false + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. + Enabling this request tracing compromises security and should only be used for debugging. Disabling the request + tracer will delete any stored traces. + See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) + for details. + - name: preserve_original_event + type: bool + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field event.original. + multi: false + required: false + show_user: true + default: false + - name: tags + type: text + title: Tags + description: Tags for the data-stream. 
+ multi: true + required: true + show_user: false + default: + - forwarded + - ti_flashpoint-indicator + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: preserve_duplicate_custom_fields + required: false + title: Preserve duplicate custom fields + description: Preserve ti_flashpoint.indicator fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + show_user: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/ti_flashpoint/data_stream/indicator/sample_event.json b/packages/ti_flashpoint/data_stream/indicator/sample_event.json new file mode 100644 index 00000000000..ea4309bcafb --- /dev/null +++ b/packages/ti_flashpoint/data_stream/indicator/sample_event.json 
@@ -0,0 +1,116 @@ +{ + "@timestamp": "2025-12-23T10:58:20.798Z", + "agent": { + "ephemeral_id": "b5fb84e6-f093-4c7b-93d8-83a7a7f972e4", + "id": "7141cbb4-52bf-429c-89b6-2de166e645e4", + "name": "elastic-agent-11590", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "ti_flashpoint.indicator", + "namespace": "75315", + "type": "logs" + }, + "ecs": { + "version": "9.2.0" + }, + "elastic_agent": { + "id": "7141cbb4-52bf-429c-89b6-2de166e645e4", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2025-11-03T08:35:08.714Z", + "dataset": "ti_flashpoint.indicator", + "id": "EtniFes7WyWvawEXcL2fmQ", + "ingested": "2025-12-23T12:55:39Z", + "kind": "enrichment", + "original": "{\"created_at\":\"2025-11-03T08:35:08.714000Z\",\"entity_type\":\"indicator\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/indicators/EtniFes7WyWvawEXcL2fmQ\",\"id\":\"EtniFes7WyWvawEXcL2fmQ\",\"last_seen_at\":\"2025-12-23T10:47:29.731000Z\",\"latest_sighting\":{\"description\":\"Observation: xworm [2025-12-23T10:47:29.731Z]\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg\",\"id\":\"-mQDA1JEVYiXKTSenQuSbg\",\"sighted_at\":\"2025-12-23T10:47:29.731000Z\",\"source\":\"flashpoint_extraction\",\"tags\":[\"aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00\",\"extracted_config:true\",\"group:feturednew\",\"malware:xworm\",\"mutex:hr5unzmp8fhkimje\",\"source:flashpoint_extraction\",\"type:trojan\"]},\"modified_at\":\"2025-12-23T10:58:20.798000Z\",\"platform_urls\":{\"ignite\":\"https://app.flashpoint.io/cti/malware/iocs/EtniFes7WyWvawEXcL2fmQ\"},\"score\":{\"last_scored_at\":\"2025-11-03T08:46:17.620389Z\",\"value\":\"informational\"},\"sightings\":[{\"description\":\"Observation: xworm 
[2025-12-23T10:47:29.731Z]\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg\",\"id\":\"-mQDA1JEVYiXKTSenQuSbg\",\"sighted_at\":\"2025-12-23T10:47:29.731000Z\",\"source\":\"flashpoint_extraction\",\"tags\":[\"aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00\",\"extracted_config:true\",\"group:feturednew\",\"malware:xworm\",\"mutex:hr5unzmp8fhkimje\",\"source:flashpoint_extraction\",\"type:trojan\"]}],\"sort_date\":\"2025-12-23T10:47:29.731000Z\",\"total_sightings\":11,\"type\":\"domain\",\"value\":\"featured.xyz\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "cel" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "ti_flashpoint-indicator" + ], + "threat": { + "indicator": { + "id": [ + "EtniFes7WyWvawEXcL2fmQ" + ], + "last_seen": "2025-12-23T10:47:29.731Z", + "modified_at": "2025-12-23T10:58:20.798Z", + "reference": [ + "https://app.flashpoint.io/cti/malware/iocs/EtniFes7WyWvawEXcL2fmQ", + "https://api.flashpoint.io/technical-intelligence/v2/indicators/EtniFes7WyWvawEXcL2fmQ" + ], + "type": "domain-name" + } + }, + "ti_flashpoint": { + "indicator": { + "created_at": "2025-11-03T08:35:08.714Z", + "entity_type": "indicator", + "href": "https://api.flashpoint.io/technical-intelligence/v2/indicators/EtniFes7WyWvawEXcL2fmQ", + "id": "EtniFes7WyWvawEXcL2fmQ", + "last_seen_at": "2025-12-23T10:47:29.731Z", + "latest_sighting": { + "description": "Observation: xworm [2025-12-23T10:47:29.731Z]", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg", + "id": "-mQDA1JEVYiXKTSenQuSbg", + "sighted_at": "2025-12-23T10:47:29.731000Z", + "source": "flashpoint_extraction", + "tags": [ + "aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00", + "extracted_config:true", + "group:feturednew", + "malware:xworm", + "mutex:hr5unzmp8fhkimje", + "source:flashpoint_extraction", + "type:trojan" 
+ ] + }, + "modified_at": "2025-12-23T10:58:20.798Z", + "platform_urls": { + "ignite": "https://app.flashpoint.io/cti/malware/iocs/EtniFes7WyWvawEXcL2fmQ" + }, + "score": { + "last_scored_at": "2025-11-03T08:46:17.620Z", + "value": "informational" + }, + "sightings": [ + { + "description": "Observation: xworm [2025-12-23T10:47:29.731Z]", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg", + "id": "-mQDA1JEVYiXKTSenQuSbg", + "sighted_at": "2025-12-23T10:47:29.731Z", + "source": "flashpoint_extraction", + "tags": [ + "aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00", + "extracted_config:true", + "group:feturednew", + "malware:xworm", + "mutex:hr5unzmp8fhkimje", + "source:flashpoint_extraction", + "type:trojan" + ] + } + ], + "sort_date": "2025-12-23T10:47:29.731Z", + "total_sightings": 11, + "type": "domain", + "value": "featured.xyz" + } + } +} diff --git a/packages/ti_flashpoint/docs/README.md b/packages/ti_flashpoint/docs/README.md new file mode 100644 index 00000000000..d316dd160aa --- /dev/null +++ b/packages/ti_flashpoint/docs/README.md 
@@ -0,0 +1,319 @@ +# Flashpoint Integration for Elastic + +## Overview + +[Flashpoint](https://flashpoint.io/) is a comprehensive threat intelligence platform that delivers actionable insights from dark web, deep web, and technical sources. It combines human-curated intelligence with automated collection to help organizations identify emerging threats, monitor adversary activity, and assess cyber risk with enriched context. + +The Flashpoint integration for Elastic collects security indicators from the **Flashpoint Ignite API** and visualizes them in Kibana. + +### Compatibility + +The Flashpoint integration is compatible with Ignite API version **1.2**. + +### How it works + +This integration periodically queries the Flashpoint Ignite API to retrieve logs. + +## What data does this integration collect? + +This integration collects log messages of the following type: + +- `Indicator`: Collects `indicator` logs from the Flashpoint Ignite API (endpoint: `/technical-intelligence/v2/indicators`), + +### Supported use cases + +Integrating Flashpoint Indicators with Elastic SIEM provides centralized visibility into threat intelligence indicators and their associated sightings. Kibana dashboards highlight key metrics such as `Total Indicators` and `Total Indicator Sightings`, enabling quick assessment of indicator volume and activity. + +Visualizations present indicators categorized by `Type` and `Score Tier` through pie charts. Tables surface `Top MITRE Tactics`, `Top Sighting Sources`, and `Top Platform URLs`, supporting deeper investigation and context. A control panel allows interactive filtering to efficiently analyze indicators across multiple dimensions. + +## What do I need to use this integration? + +### From Elastic + +This integration installs [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). 
For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements. + +### From Flashpoint + +To collect data through the Flashpoint Ignite API, you need to provide an **API Token**. Authentication is handled using the **API Token**, which serves as the required credential. + +#### Retrieve an API Token: + +1. Log in to the **Flashpoint** Instance. +2. Click on your profile icon in the top-right corner and select **Manage API Tokens**. +3. Click **Generate Token**. +4. Enter a name for the API token and click **Generate Token**. +5. Copy and securely store the generated API token for use in the integration configuration. + +## How do I deploy this integration? + +This integration supports both Elastic Agentless-based and Agent-based installations. + +### Agentless-based installation + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +### Agent-based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + + +### configure + +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **Flashpoint**. +3. 
Select the **Flashpoint** integration from the search results. +4. Select **Add Flashpoint** to add the integration. +5. Enable and configure only the collection methods which you will use. + + * To **Collect logs from Flashpoint API**, you'll need to: + + - Configure **API Token**. + - Adjust the integration configuration parameters if required, including the **Initial Interval**, **Interval**, **Page Size** etc. to enable data collection. + +6. Select **Save and continue** to save the integration. + +### Validation + +#### Dashboard populated + +1. In the top search bar in Kibana, search for **Dashboards**. +2. In the search bar, type **Flashpoint**, and verify the dashboard information is populated. + +#### Transforms healthy + +1. In the top search bar in Kibana, search for **Transforms**. +2. Select the **Data / Transforms** from the search results. +3. In the search bar, type **ti_flashpoint**. +4. All transforms from the search results should indicate **Healthy** under the **Health** column. + +## Performance and scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +## Reference + +### ECS field reference + +#### Indicator + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. 
For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword | +| log.offset | Log offset. 
| long | +| observer.product | The product name of the observer. | constant_keyword | +| observer.vendor | Vendor name of the observer. | constant_keyword | +| ti_flashpoint.indicator.apt_description | A description of the related threat actor. | keyword | +| ti_flashpoint.indicator.created_at | The date and time the indicator was created within Flashpoint's dataset. | date | +| ti_flashpoint.indicator.entity_type | The entity type of the object. | keyword | +| ti_flashpoint.indicator.external_references.source_name | The name of the reference's source. | keyword | +| ti_flashpoint.indicator.external_references.url | The URL of the reference. | keyword | +| ti_flashpoint.indicator.hashes.md5 | | keyword | +| ti_flashpoint.indicator.hashes.sha1 | | keyword | +| ti_flashpoint.indicator.hashes.sha256 | | keyword | +| ti_flashpoint.indicator.href | The URL to the indicator's full context data. | keyword | +| ti_flashpoint.indicator.id | The unique identifier for this indicator within Flashpoint's dataset. | keyword | +| ti_flashpoint.indicator.last_seen_at | The date and time the indicator was last seen by related sources. | date | +| ti_flashpoint.indicator.latest_sighting.apt_description | A description of the APT associated with the sighting. | keyword | +| ti_flashpoint.indicator.latest_sighting.description | | keyword | +| ti_flashpoint.indicator.latest_sighting.href | The href of the sighting. | keyword | +| ti_flashpoint.indicator.latest_sighting.id | Unique identifier of the sighting. | keyword | +| ti_flashpoint.indicator.latest_sighting.malware_description | A description of the malware associated with the sighting. | keyword | +| ti_flashpoint.indicator.latest_sighting.mitre_attack_ids.id | | keyword | +| ti_flashpoint.indicator.latest_sighting.mitre_attack_ids.name | | keyword | +| ti_flashpoint.indicator.latest_sighting.mitre_attack_ids.tactics | A list of tactics associated with the MITRE ATT&CK technique. 
| keyword | +| ti_flashpoint.indicator.latest_sighting.related_iocs.href | The URL to the indicator's full context data. | keyword | +| ti_flashpoint.indicator.latest_sighting.related_iocs.id | The unique identifier for this indicator within Flashpoint's dataset. | keyword | +| ti_flashpoint.indicator.latest_sighting.related_iocs.score.last_scored_at | The date and time the indicator was last scored. | date | +| ti_flashpoint.indicator.latest_sighting.related_iocs.score.raw_score | The raw score of the indicator. | long | +| ti_flashpoint.indicator.latest_sighting.related_iocs.score.value | The score tier of the indicator. | keyword | +| ti_flashpoint.indicator.latest_sighting.related_iocs.type | Defines what type of indicator this is. | keyword | +| ti_flashpoint.indicator.latest_sighting.related_iocs.value | The value of the indicator. | keyword | +| ti_flashpoint.indicator.latest_sighting.sighted_at | The date and time the indicator was seen by the source. | date | +| ti_flashpoint.indicator.latest_sighting.source | The source of the sighting. | keyword | +| ti_flashpoint.indicator.latest_sighting.tags | A list of tags associated with the Sighting. | keyword | +| ti_flashpoint.indicator.malware_description | | keyword | +| ti_flashpoint.indicator.mitre_attack_ids.id | | keyword | +| ti_flashpoint.indicator.mitre_attack_ids.name | | keyword | +| ti_flashpoint.indicator.mitre_attack_ids.tactics | A list of tactics associated with the MITRE ATT&CK technique. | keyword | +| ti_flashpoint.indicator.modified_at | The date and time the indicator was last modified within Flashpoint's dataset. | date | +| ti_flashpoint.indicator.platform_urls.ignite | Links to the indicator in various Flashpoint platforms. | keyword | +| ti_flashpoint.indicator.relationships.iocs.href | The URL to the indicator's full context data. | keyword | +| ti_flashpoint.indicator.relationships.iocs.id | The unique identifier for this indicator within Flashpoint's dataset. 
| keyword | +| ti_flashpoint.indicator.relationships.iocs.type | Defines what type of indicator this is. | keyword | +| ti_flashpoint.indicator.relationships.iocs.value | The value of the indicator. | keyword | +| ti_flashpoint.indicator.score.last_scored_at | The date and time the indicator was last scored. | date | +| ti_flashpoint.indicator.score.raw_score | The raw score of the indicator. | keyword | +| ti_flashpoint.indicator.score.value | The score tier of the indicator. | keyword | +| ti_flashpoint.indicator.sightings.apt_description | A description of the APT associated with the sighting. | keyword | +| ti_flashpoint.indicator.sightings.description | | keyword | +| ti_flashpoint.indicator.sightings.href | The href of the sighting. | keyword | +| ti_flashpoint.indicator.sightings.id | Unique identifier of the sighting. | keyword | +| ti_flashpoint.indicator.sightings.malware_description | A description of the malware associated with the sighting. | keyword | +| ti_flashpoint.indicator.sightings.mitre_attack_ids.id | | keyword | +| ti_flashpoint.indicator.sightings.mitre_attack_ids.name | | keyword | +| ti_flashpoint.indicator.sightings.mitre_attack_ids.tactics | A list of tactics associated with the MITRE ATT&CK technique. | keyword | +| ti_flashpoint.indicator.sightings.related_iocs.href | The URL to the indicator's full context data. | keyword | +| ti_flashpoint.indicator.sightings.related_iocs.id | The unique identifier for this indicator within Flashpoint's dataset. | keyword | +| ti_flashpoint.indicator.sightings.related_iocs.score.last_scored_at | The date and time the indicator was last scored. | keyword | +| ti_flashpoint.indicator.sightings.related_iocs.score.raw_score | The raw score of the indicator. | long | +| ti_flashpoint.indicator.sightings.related_iocs.score.value | The score tier of the indicator. | keyword | +| ti_flashpoint.indicator.sightings.related_iocs.type | Defines what type of indicator this is. 
| keyword | +| ti_flashpoint.indicator.sightings.related_iocs.value | The value of the indicator. | keyword | +| ti_flashpoint.indicator.sightings.sighted_at | The date and time the indicator was seen by the source. | date | +| ti_flashpoint.indicator.sightings.source | The source of the sighting. | keyword | +| ti_flashpoint.indicator.sightings.tags | A list of tags associated with the Sighting. | keyword | +| ti_flashpoint.indicator.sort_date | The date and time defaulted for sorting indicators. This is the same value as last_seen_at. | date | +| ti_flashpoint.indicator.total_sightings | The total number of sightings for the indicator. | long | +| ti_flashpoint.indicator.type | Defines what type of indicator. | keyword | +| ti_flashpoint.indicator.value | The value of the indicator. | keyword | + + +### Example event + +#### Indicator + +An example event for `indicator` looks as following: + +```json +{ + "@timestamp": "2025-12-23T10:58:20.798Z", + "agent": { + "ephemeral_id": "b5fb84e6-f093-4c7b-93d8-83a7a7f972e4", + "id": "7141cbb4-52bf-429c-89b6-2de166e645e4", + "name": "elastic-agent-11590", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "ti_flashpoint.indicator", + "namespace": "75315", + "type": "logs" + }, + "ecs": { + "version": "9.2.0" + }, + "elastic_agent": { + "id": "7141cbb4-52bf-429c-89b6-2de166e645e4", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2025-11-03T08:35:08.714Z", + "dataset": "ti_flashpoint.indicator", + "id": "EtniFes7WyWvawEXcL2fmQ", + "ingested": "2025-12-23T12:55:39Z", + "kind": "enrichment", + "original": 
"{\"created_at\":\"2025-11-03T08:35:08.714000Z\",\"entity_type\":\"indicator\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/indicators/EtniFes7WyWvawEXcL2fmQ\",\"id\":\"EtniFes7WyWvawEXcL2fmQ\",\"last_seen_at\":\"2025-12-23T10:47:29.731000Z\",\"latest_sighting\":{\"description\":\"Observation: xworm [2025-12-23T10:47:29.731Z]\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg\",\"id\":\"-mQDA1JEVYiXKTSenQuSbg\",\"sighted_at\":\"2025-12-23T10:47:29.731000Z\",\"source\":\"flashpoint_extraction\",\"tags\":[\"aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00\",\"extracted_config:true\",\"group:feturednew\",\"malware:xworm\",\"mutex:hr5unzmp8fhkimje\",\"source:flashpoint_extraction\",\"type:trojan\"]},\"modified_at\":\"2025-12-23T10:58:20.798000Z\",\"platform_urls\":{\"ignite\":\"https://app.flashpoint.io/cti/malware/iocs/EtniFes7WyWvawEXcL2fmQ\"},\"score\":{\"last_scored_at\":\"2025-11-03T08:46:17.620389Z\",\"value\":\"informational\"},\"sightings\":[{\"description\":\"Observation: xworm [2025-12-23T10:47:29.731Z]\",\"href\":\"https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg\",\"id\":\"-mQDA1JEVYiXKTSenQuSbg\",\"sighted_at\":\"2025-12-23T10:47:29.731000Z\",\"source\":\"flashpoint_extraction\",\"tags\":[\"aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00\",\"extracted_config:true\",\"group:feturednew\",\"malware:xworm\",\"mutex:hr5unzmp8fhkimje\",\"source:flashpoint_extraction\",\"type:trojan\"]}],\"sort_date\":\"2025-12-23T10:47:29.731000Z\",\"total_sightings\":11,\"type\":\"domain\",\"value\":\"featured.xyz\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "cel" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "ti_flashpoint-indicator" + ], + "threat": { + "indicator": { + "id": [ + "EtniFes7WyWvawEXcL2fmQ" + ], + "last_seen": "2025-12-23T10:47:29.731Z", + 
"modified_at": "2025-12-23T10:58:20.798Z", + "reference": [ + "https://app.flashpoint.io/cti/malware/iocs/EtniFes7WyWvawEXcL2fmQ", + "https://api.flashpoint.io/technical-intelligence/v2/indicators/EtniFes7WyWvawEXcL2fmQ" + ], + "type": "domain-name" + } + }, + "ti_flashpoint": { + "indicator": { + "created_at": "2025-11-03T08:35:08.714Z", + "entity_type": "indicator", + "href": "https://api.flashpoint.io/technical-intelligence/v2/indicators/EtniFes7WyWvawEXcL2fmQ", + "id": "EtniFes7WyWvawEXcL2fmQ", + "last_seen_at": "2025-12-23T10:47:29.731Z", + "latest_sighting": { + "description": "Observation: xworm [2025-12-23T10:47:29.731Z]", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg", + "id": "-mQDA1JEVYiXKTSenQuSbg", + "sighted_at": "2025-12-23T10:47:29.731000Z", + "source": "flashpoint_extraction", + "tags": [ + "aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00", + "extracted_config:true", + "group:feturednew", + "malware:xworm", + "mutex:hr5unzmp8fhkimje", + "source:flashpoint_extraction", + "type:trojan" + ] + }, + "modified_at": "2025-12-23T10:58:20.798Z", + "platform_urls": { + "ignite": "https://app.flashpoint.io/cti/malware/iocs/EtniFes7WyWvawEXcL2fmQ" + }, + "score": { + "last_scored_at": "2025-11-03T08:46:17.620Z", + "value": "informational" + }, + "sightings": [ + { + "description": "Observation: xworm [2025-12-23T10:47:29.731Z]", + "href": "https://api.flashpoint.io/technical-intelligence/v2/sightings/-mQDA1JEVYiXKTSenQuSbg", + "id": "-mQDA1JEVYiXKTSenQuSbg", + "sighted_at": "2025-12-23T10:47:29.731Z", + "source": "flashpoint_extraction", + "tags": [ + "aes_key:be7b7befe99d381fbe34ef443b3179be7b7befe99d381fbe34ef443b31790e00", + "extracted_config:true", + "group:feturednew", + "malware:xworm", + "mutex:hr5unzmp8fhkimje", + "source:flashpoint_extraction", + "type:trojan" + ] + } + ], + "sort_date": "2025-12-23T10:47:29.731Z", + "total_sightings": 11, + "type": "domain", + "value": 
"featured.xyz" + } + } +} +``` + + +### Inputs used + +These input is used in the integration: + +- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel) + + +### API usage + +This integration dataset uses the following API: + +* List Indicators (endpoint: `/technical-intelligence/v2/indicators`) diff --git a/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/base-fields.yml b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/base-fields.yml new file mode 100644 index 00000000000..c9c4c981de7 --- /dev/null +++ b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/base-fields.yml @@ -0,0 +1,16 @@ +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: data_stream.type + external: ecs +- name: event.dataset + type: constant_keyword + external: ecs + value: ti_flashpoint.indicator +- name: event.module + type: constant_keyword + external: ecs + value: ti_flashpoint +- name: '@timestamp' + external: ecs diff --git a/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/beats.yml b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/ecs.yml b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/ecs.yml new file mode 100644 index 00000000000..9b0dc1b9787 --- /dev/null +++ b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/ecs.yml 
@@ -0,0 +1,60 @@ +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.created +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.type +- external: ecs + name: message +- external: ecs + name: observer.product + type: constant_keyword + value: Ignite +- external: ecs + name: observer.vendor + type: constant_keyword + value: Flashpoint +- external: ecs + name: related.hash +- external: ecs + name: related.hosts +- external: ecs + name: threat.indicator.description +- external: ecs + name: threat.indicator.file.hash.md5 +- external: ecs + name: threat.indicator.file.hash.sha1 +- external: ecs + name: threat.indicator.file.hash.sha256 +- external: ecs + name: threat.indicator.id +- external: ecs + name: threat.indicator.last_seen +- external: ecs + name: threat.indicator.modified_at +- external: ecs + name: threat.indicator.reference +- external: ecs + name: threat.indicator.type +- external: ecs + name: threat.tactic.id +- external: ecs + name: threat.tactic.name diff --git a/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/fields.yml b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/fields.yml new file mode 100644 index 00000000000..77cb8ffac2f --- /dev/null +++ b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/fields.yml 
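Review bot: ecs.yml for the `latest_indicator` transform declares `threat.indicator.file.hash.*`, `related.hash` and `related.hosts` but no `threat.indicator.domain`, `threat.indicator.ip` or `threat.indicator.url.*`, even though the README sample is a `domain-name` indicator. If the ingest pipeline populates those fields, list them here so the destination index maps them explicitly; otherwise they are only picked up by the `strings_as_keyword` dynamic template in the transform's `destination_index_template`, which is not obvious to anyone reading the field reference.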
@@ -0,0 +1,231 @@ +- name: ti_flashpoint + type: group + fields: + - name: indicator + type: group + fields: + - name: apt_description + type: keyword + description: A description of the related threat actor. + - name: created_at + type: date + description: The date and time the indicator was created within Flashpoint's dataset. + - name: entity_type + type: keyword + description: The entity type of the object. + - name: external_references + type: group + fields: + - name: source_name + type: keyword + description: The name of the reference's source. + - name: url + type: keyword + description: The URL of the reference. + - name: hashes + type: group + fields: + - name: md5 + type: keyword + - name: sha1 + type: keyword + - name: sha256 + type: keyword + - name: href + type: keyword + description: The URL to the indicator's full context data. + - name: id + type: keyword + description: The unique identifier for this indicator within Flashpoint's dataset. + - name: last_seen_at + type: date + description: The date and time the indicator was last seen by related sources. + - name: latest_sighting + type: group + fields: + - name: apt_description + type: keyword + description: A description of the APT associated with the sighting. + - name: description + type: keyword + - name: href + type: keyword + description: The href of the sighting. + - name: id + type: keyword + description: Unique identifier of the sighting. + - name: malware_description + type: keyword + description: A description of the malware associated with the sighting. + - name: mitre_attack_ids + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: tactics + type: keyword + description: A list of tactics associated with the MITRE ATT&CK technique. + - name: related_iocs + type: group + fields: + - name: href + type: keyword + description: The URL to the indicator's full context data. 
+ - name: id + type: keyword + description: The unique identifier for this indicator within Flashpoint's dataset. + - name: score + type: group + fields: + - name: last_scored_at + type: date + description: The date and time the indicator was last scored. + - name: raw_score + type: long + description: The raw score of the indicator. + - name: value + type: keyword + description: The score tier of the indicator. + - name: type + type: keyword + description: Defines what type of indicator this is. + - name: value + type: keyword + description: The value of the indicator. + - name: sighted_at + type: date + description: The date and time the indicator was seen by the source. + - name: source + type: keyword + description: The source of the sighting. + - name: tags + type: keyword + description: A list of tags associated with the Sighting. + - name: malware_description + type: keyword + - name: mitre_attack_ids + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: tactics + type: keyword + description: A list of tactics associated with the MITRE ATT&CK technique. + - name: modified_at + type: date + description: The date and time the indicator was last modified within Flashpoint's dataset. + - name: platform_urls + type: group + fields: + - name: ignite + type: keyword + description: Links to the indicator in various Flashpoint platforms. + - name: relationships + type: group + fields: + - name: iocs + type: group + fields: + - name: href + type: keyword + description: The URL to the indicator's full context data. + - name: id + type: keyword + description: The unique identifier for this indicator within Flashpoint's dataset. + - name: type + type: keyword + description: Defines what type of indicator this is. + - name: value + type: keyword + description: The value of the indicator. + - name: score + type: group + fields: + - name: last_scored_at + type: date + description: The date and time the indicator was last scored. 
+ - name: raw_score + type: keyword + description: The raw score of the indicator. + - name: value + type: keyword + description: The score tier of the indicator. + - name: sightings + type: group + fields: + - name: apt_description + type: keyword + description: A description of the APT associated with the sighting. + - name: description + type: keyword + - name: href + type: keyword + description: The href of the sighting. + - name: id + type: keyword + description: Unique identifier of the sighting. + - name: malware_description + type: keyword + description: A description of the malware associated with the sighting. + - name: mitre_attack_ids + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: tactics + type: keyword + description: A list of tactics associated with the MITRE ATT&CK technique. + - name: related_iocs + type: group + fields: + - name: href + type: keyword + description: The URL to the indicator's full context data. + - name: id + type: keyword + description: The unique identifier for this indicator within Flashpoint's dataset. + - name: score + type: group + fields: + - name: last_scored_at + type: keyword + description: The date and time the indicator was last scored. + - name: raw_score + type: long + description: The raw score of the indicator. + - name: value + type: keyword + description: The score tier of the indicator. + - name: type + type: keyword + description: Defines what type of indicator this is. + - name: value + type: keyword + description: The value of the indicator. + - name: sighted_at + type: date + description: The date and time the indicator was seen by the source. + - name: source + type: keyword + description: The source of the sighting. + - name: tags + type: keyword + description: A list of tags associated with the Sighting. + - name: sort_date + type: date + description: The date and time defaulted for sorting indicators. This is the same value as last_seen_at. 
+ - name: total_sightings + type: long + description: The total number of sightings for the indicator. + - name: type + type: keyword + description: Defines what type of indicator. + - name: value + type: keyword + description: The value of the indicator. diff --git a/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/is-transform-source-false.yml b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/is-transform-source-false.yml new file mode 100644 index 00000000000..490a079e7a7 --- /dev/null +++ b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/fields/is-transform-source-false.yml @@ -0,0 +1,4 @@ +- name: labels.is_transform_source + type: constant_keyword + description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. + value: "false" diff --git a/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/manifest.yml b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/manifest.yml new file mode 100644 index 00000000000..24e9e926793 --- /dev/null +++ b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/manifest.yml @@ -0,0 +1,11 @@ +start: true +destination_index_template: + mappings: + dynamic: true + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/transform.yml b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/transform.yml new file mode 100644 index 00000000000..d5c112bcc49 --- /dev/null +++ b/packages/ti_flashpoint/elasticsearch/transform/latest_indicator/transform.yml 
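Review bot: inconsistent mappings for the same Flashpoint fields at different nesting levels in fields.yml: `ti_flashpoint.indicator.score.raw_score` is `keyword`, while `latest_sighting.score.raw_score`, `latest_sighting.related_iocs.score.raw_score` and `sightings.related_iocs.score.raw_score` are `long`; and `sightings.related_iocs.score.last_scored_at` is `keyword` while every other `last_scored_at` is `date`. A numeric score mapped as keyword cannot be range-filtered or sorted in Kibana, and a date mapped as keyword loses time-based queries, so make them `long` and `date` respectively (or, if the API genuinely returns strings there, say so in the description).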
@@ -0,0 +1,37 @@ +# Use of "*" to use all namespaces defined. +source: + index: + - "logs-ti_flashpoint.indicator-*" + query: + bool: + must_not: + - exists: + field: error.message +dest: + index: "logs-ti_flashpoint_latest.dest_indicator-1" + aliases: + - alias: "logs-ti_flashpoint_latest.indicator" + move_on_creation: true +latest: + unique_key: + - event.dataset + - event.id + sort: "@timestamp" +description: >- + Latest indicators from Flashpoint. As indicators get updated, this transform stores only the latest state of each indicator inside the destination index. Thus the transform's destination index contains only the latest state of the indicator. +frequency: 30s +sync: + time: + field: event.ingested + # Updated to 120s because of refresh delay in Serverless. With default 60s, + # sometimes transform wouldn't process all documents. + delay: 120s +retention_policy: + time: + field: event.ingested + max_age: 30d +_meta: + managed: true + # Bump this version to delete, reinstall, and restart the transform during + # package installation. + fleet_transform_version: 0.1.0 diff --git a/packages/ti_flashpoint/img/ti_flashpoint-indicators_dashboard.png b/packages/ti_flashpoint/img/ti_flashpoint-indicators_dashboard.png new file mode 100644 index 00000000000..6f06d4dc7fc Binary files /dev/null and b/packages/ti_flashpoint/img/ti_flashpoint-indicators_dashboard.png differ diff --git a/packages/ti_flashpoint/img/ti_flashpoint-logo.svg b/packages/ti_flashpoint/img/ti_flashpoint-logo.svg new file mode 100644 index 00000000000..982608a02f6 --- /dev/null +++ b/packages/ti_flashpoint/img/ti_flashpoint-logo.svg @@ -0,0 +1,5 @@ + + + + + diff --git a/packages/ti_flashpoint/kibana/dashboard/ti_flashpoint-f080464d-6a61-42dc-bd9f-45665d5cda75.json b/packages/ti_flashpoint/kibana/dashboard/ti_flashpoint-f080464d-6a61-42dc-bd9f-45665d5cda75.json new file mode 100644 index 00000000000..dd954e5e502 --- /dev/null 
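Review bot: `retention_policy` in transform.yml deletes documents whose `event.ingested` is older than 30d from `logs-ti_flashpoint_latest.dest_indicator-1`. Because the `latest` transform only rewrites an indicator when a new source document with the same `event.id` arrives, an indicator that has not been re-fetched within 30 days disappears from `logs-ti_flashpoint_latest.indicator` even if Flashpoint still lists it. That is a reasonable policy for a TI feed, but it should be stated in the README next to the note that the integration installs latest transforms, and the 30d value should be consistent with how often the CEL input re-fetches existing indicators so they are refreshed before they age out.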
+++ b/packages/ti_flashpoint/kibana/dashboard/ti_flashpoint-f080464d-6a61-42dc-bd9f-45665d5cda75.json 
@@ -0,0 +1,1133 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "1dce8c28-d1e4-4e73-845c-b6ef8a08cb44": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": null, + "existsSelected": null, + "fieldName": "ti_flashpoint.indicator.type", + "hideActionBar": null, + "hideExclude": null, + "hideExists": null, + "hideSort": null, + "placeholder": null, + "runPastTimeout": null, + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": null, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Type" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "577afef3-40ed-4a5b-be17-a1271727c039": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": null, + "existsSelected": null, + "fieldName": "ti_flashpoint.indicator.score.value", + "hideActionBar": null, + "hideExclude": null, + "hideExists": null, + "hideSort": null, + "placeholder": null, + "runPastTimeout": null, + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": null, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Score Tier" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard shows Indicator collected by the Flashpoint Integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_flashpoint.indicator" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "data_stream.dataset": "ti_flashpoint.indicator" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "This dashboard provides centralized visibility into indicators from Flashpoint.\n\nIt includes a table of Top MITRE Tactics, a table showing Top Platform URLs and Top Sighting Sources. Key metrics highlight Total Indicators and Total Indicator Sightings. 
Indicator distribution is visualized through a pie chart of Indicators by Types and Score Tier, with a Type and Score Tier control panel to filter and refine analysis.\n\nTogether, these panels help teams quickly assess indicator volume, sources, and threat patterns.\n\n**[Integration Page](/app/integrations/detail/ti_flashpoint)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 18, + "i": "b90f7a8e-f126-44d1-a7b1-a2df5f8e4157", + "w": 15, + "x": 0, + "y": 0 + }, + "panelIndex": "b90f7a8e-f126-44d1-a7b1-a2df5f8e4157", + "title": "Overview", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-645194d4-4827-4c6e-901e-8d95eb4d6b6b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "645194d4-4827-4c6e-901e-8d95eb4d6b6b": { + "columnOrder": [ + "c81acf35-92ee-49a3-9474-2c8cf32eb17e" + ], + "columns": { + "c81acf35-92ee-49a3-9474-2c8cf32eb17e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Indicators", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "645194d4-4827-4c6e-901e-8d95eb4d6b6b", + "layerType": "data", + "metricAccessor": "c81acf35-92ee-49a3-9474-2c8cf32eb17e" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + 
"language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 9, + "i": "52931a3d-50ae-4c0a-8c8d-bc0250185b9d", + "w": 14, + "x": 15, + "y": 0 + }, + "panelIndex": "52931a3d-50ae-4c0a-8c8d-bc0250185b9d", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9a70c6e2-e6b3-4afa-aab3-a00d5089436a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9a70c6e2-e6b3-4afa-aab3-a00d5089436a": { + "columnOrder": [ + "5d100873-0ade-4e56-b2b9-6880ecdc34df", + "882f9b78-dc48-4085-acf6-a1652fa7d591" + ], + "columns": { + "5d100873-0ade-4e56-b2b9-6880ecdc34df": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "882f9b78-dc48-4085-acf6-a1652fa7d591", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "ti_flashpoint.indicator.type" + }, + "882f9b78-dc48-4085-acf6-a1652fa7d591": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + 
"assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "emptySizeRatio": 0, + "layerId": "9a70c6e2-e6b3-4afa-aab3-a00d5089436a", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "882f9b78-dc48-4085-acf6-a1652fa7d591" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "5d100873-0ade-4e56-b2b9-6880ecdc34df" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "5b17d560-6e40-41d6-8b8e-3490fa538b64", + "w": 19, + "x": 29, + "y": 0 + }, + "panelIndex": "5b17d560-6e40-41d6-8b8e-3490fa538b64", + "title": "Indicators by Types", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ae937f65-c66b-439b-b5ec-2133444c5c6e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ae937f65-c66b-439b-b5ec-2133444c5c6e": { + "columnOrder": [ + "145eaeb8-cd98-4eb9-beb3-c11e4c694a7a" + ], + "columns": { + "145eaeb8-cd98-4eb9-beb3-c11e4c694a7a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Indicator Sightings", + "operationType": "sum", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "ti_flashpoint.indicator.total_sightings" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + 
"layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "ae937f65-c66b-439b-b5ec-2133444c5c6e", + "layerType": "data", + "metricAccessor": "145eaeb8-cd98-4eb9-beb3-c11e4c694a7a" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 9, + "i": "bb3b17ad-af45-4ac1-9fca-a62eb53f2eb5", + "w": 14, + "x": 15, + "y": 9 + }, + "panelIndex": "bb3b17ad-af45-4ac1-9fca-a62eb53f2eb5", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-74ac4c2a-9af9-4e91-bcc1-a3ca2a5614c1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "74ac4c2a-9af9-4e91-bcc1-a3ca2a5614c1": { + "columnOrder": [ + "63f1fa57-d488-4080-8af5-dfce4427c88b", + "e1be213f-1a5e-4d9c-b3c0-5fc525de6825" + ], + "columns": { + "63f1fa57-d488-4080-8af5-dfce4427c88b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sighting Source", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e1be213f-1a5e-4d9c-b3c0-5fc525de6825", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "ti_flashpoint.indicator.sightings.source" + }, + "e1be213f-1a5e-4d9c-b3c0-5fc525de6825": { + "customLabel": true, + "dataType": "number", + "isBucketed": 
false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "63f1fa57-d488-4080-8af5-dfce4427c88b" + }, + { + "columnId": "e1be213f-1a5e-4d9c-b3c0-5fc525de6825" + } + ], + "layerId": "74ac4c2a-9af9-4e91-bcc1-a3ca2a5614c1", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "98644345-15a4-476c-9bc6-51a580eb6ec7", + "w": 24, + "x": 0, + "y": 18 + }, + "panelIndex": "98644345-15a4-476c-9bc6-51a580eb6ec7", + "title": "Top Sighting Sources", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9a70c6e2-e6b3-4afa-aab3-a00d5089436a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9a70c6e2-e6b3-4afa-aab3-a00d5089436a": { + "columnOrder": [ + "5d100873-0ade-4e56-b2b9-6880ecdc34df", + "882f9b78-dc48-4085-acf6-a1652fa7d591" + ], + "columns": { + "5d100873-0ade-4e56-b2b9-6880ecdc34df": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Score Tier", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + 
"columnId": "882f9b78-dc48-4085-acf6-a1652fa7d591", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "ti_flashpoint.indicator.score.value" + }, + "882f9b78-dc48-4085-acf6-a1652fa7d591": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "emptySizeRatio": 0, + "layerId": "9a70c6e2-e6b3-4afa-aab3-a00d5089436a", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "882f9b78-dc48-4085-acf6-a1652fa7d591" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "5d100873-0ade-4e56-b2b9-6880ecdc34df" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "12f9c7ee-e3b8-458d-bdc9-d2a10ef41b86", + "w": 24, + "x": 24, + "y": 18 + }, + "panelIndex": 
"12f9c7ee-e3b8-458d-bdc9-d2a10ef41b86", + "title": "Indicators by Score Tier", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c510f41d-db18-4fe2-a62e-900c78cdfa06", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c510f41d-db18-4fe2-a62e-900c78cdfa06": { + "columnOrder": [ + "c4e7bc6e-ff14-4dd5-8647-7bc7c4cff26c", + "2d970d10-6f76-419c-8f3c-ecd55f6ff6c6" + ], + "columns": { + "2d970d10-6f76-419c-8f3c-ecd55f6ff6c6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c4e7bc6e-ff14-4dd5-8647-7bc7c4cff26c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Mitre Tactic", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2d970d10-6f76-419c-8f3c-ecd55f6ff6c6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.tactic.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "c4e7bc6e-ff14-4dd5-8647-7bc7c4cff26c" + }, + { + "columnId": "2d970d10-6f76-419c-8f3c-ecd55f6ff6c6" + } + ], + "layerId": "c510f41d-db18-4fe2-a62e-900c78cdfa06", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + 
"visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "e8e72e03-ac70-4e57-b34e-207658f5ae58", + "w": 24, + "x": 0, + "y": 34 + }, + "panelIndex": "e8e72e03-ac70-4e57-b34e-207658f5ae58", + "title": "Top Mitre Tactics", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ccb89256-b27c-4e04-b5fb-56777a6ca3b4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "ccb89256-b27c-4e04-b5fb-56777a6ca3b4": { + "columnOrder": [ + "5cbd6217-4632-4a28-918a-d01d2f3d5678", + "97bf8652-b329-4ff3-b5c9-59572e44b877" + ], + "columns": { + "5cbd6217-4632-4a28-918a-d01d2f3d5678": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Platform URL", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "97bf8652-b329-4ff3-b5c9-59572e44b877", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.reference" + }, + "97bf8652-b329-4ff3-b5c9-59572e44b877": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + 
"indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "5cbd6217-4632-4a28-918a-d01d2f3d5678", + "isTransposed": false, + "width": 351 + }, + { + "columnId": "97bf8652-b329-4ff3-b5c9-59572e44b877", + "isTransposed": false + } + ], + "layerId": "ccb89256-b27c-4e04-b5fb-56777a6ca3b4", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "0accf413-8136-435d-af46-0d04987741ce", + "w": 24, + "x": 24, + "y": 34 + }, + "panelIndex": "0accf413-8136-435d-af46-0d04987741ce", + "title": "Top Platform URLs", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Flashpoint] Indicators", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-12-23T11:11:03.757Z", + "id": "ti_flashpoint-f080464d-6a61-42dc-bd9f-45665d5cda75", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "52931a3d-50ae-4c0a-8c8d-bc0250185b9d:indexpattern-datasource-layer-645194d4-4827-4c6e-901e-8d95eb4d6b6b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5b17d560-6e40-41d6-8b8e-3490fa538b64:indexpattern-datasource-layer-9a70c6e2-e6b3-4afa-aab3-a00d5089436a", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "bb3b17ad-af45-4ac1-9fca-a62eb53f2eb5:indexpattern-datasource-layer-ae937f65-c66b-439b-b5ec-2133444c5c6e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "98644345-15a4-476c-9bc6-51a580eb6ec7:indexpattern-datasource-layer-74ac4c2a-9af9-4e91-bcc1-a3ca2a5614c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "12f9c7ee-e3b8-458d-bdc9-d2a10ef41b86:indexpattern-datasource-layer-9a70c6e2-e6b3-4afa-aab3-a00d5089436a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e8e72e03-ac70-4e57-b34e-207658f5ae58:indexpattern-datasource-layer-c510f41d-db18-4fe2-a62e-900c78cdfa06", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0accf413-8136-435d-af46-0d04987741ce:indexpattern-datasource-layer-ccb89256-b27c-4e04-b5fb-56777a6ca3b4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_1dce8c28-d1e4-4e73-845c-b6ef8a08cb44:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_577afef3-40ed-4a5b-be17-a1271727c039:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/ti_flashpoint/manifest.yml b/packages/ti_flashpoint/manifest.yml new file mode 100644 index 00000000000..e042f6b16fa --- /dev/null +++ b/packages/ti_flashpoint/manifest.yml 
@@ -0,0 +1,95 @@ +format_version: 3.3.2 +name: ti_flashpoint +title: Flashpoint +version: 0.1.0 +description: Collect logs from Flashpoint with Elastic Agent. +type: integration +categories: + - security +conditions: + kibana: + version: ^8.18.0 || ^9.0.0 + elastic: + subscription: basic +screenshots: + - src: /img/ti_flashpoint-indicators_dashboard.png + title: Indicators Dashboard + size: 600x600 + type: image/png +icons: + - src: /img/ti_flashpoint-logo.svg + title: Flashpoint logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: ti_flashpoint + title: Flashpoint + description: Collect logs from Flashpoint. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + organization: security + division: engineering + team: security-service-integrations + inputs: + - type: cel + title: Collect logs from Flashpoint API + description: Collecting logs via Flashpoint API. + vars: + - name: url + type: url + title: URL + description: Base URL of the Flashpoint Instance. + multi: false + required: true + show_user: false + default: https://api.flashpoint.io + - name: api_token + type: password + title: API Token + secret: true + description: API Token to authenticate with Flashpoint API. + multi: false + required: true + show_user: true + - name: proxy_url + type: text + title: Proxy URL + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + multi: false + required: false + show_user: false + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-service-integrations + type: elastic
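Review bot: the dashboard's `references` array lists `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` and `kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index` twice, once at the head of the array and again after the two `controlGroup_…:optionsListDataView` entries; drop the second pair so each reference name appears exactly once. Two smaller points in the same saved object: the panel title `Top Mitre Tactics` should read `Top MITRE Tactics` (MITRE is an acronym), and the file is written without a trailing newline (`\ No newline at end of file`). The export also kept instance-specific metadata (`created_at`, `updated_by`); confirm the package tooling intends to ship those fields rather than strip them.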
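Review bot: `proxy_url` is declared `type: text` without `secret: true`, yet its description instructs users to embed the proxy username and password in the URL, so proxy credentials would be stored and shown in plaintext in the agent policy, unlike `api_token`, which is `type: password` with `secret: true`; either mark the variable as a secret or state in the description that credentials placed in the proxy URL are not stored as a secret. Also, the description's format string renders as `http[s]://:@:` with the placeholder names missing; spell them out (for example user, password, host and port) so the expected form is readable in the Fleet UI.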