diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 999646eac74..ccbb59ed666 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -474,6 +474,7 @@ /packages/ti_domaintools @elastic/security-service-integrations /packages/ti_eclecticiq @elastic/security-service-integrations /packages/ti_eset @elastic/security-service-integrations +/packages/ti_flashpoint @elastic/security-service-integrations /packages/ti_google_threat_intelligence @elastic/security-service-integrations /packages/ti_greynoise @elastic/security-service-integrations /packages/ti_maltiverse @elastic/security-service-integrations diff --git a/packages/ti_flashpoint/_dev/build/build.yml b/packages/ti_flashpoint/_dev/build/build.yml new file mode 100644 index 00000000000..b2596b96490 --- /dev/null +++ b/packages/ti_flashpoint/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v9.2.0 diff --git a/packages/ti_flashpoint/_dev/build/docs/README.md b/packages/ti_flashpoint/_dev/build/docs/README.md new file mode 100644 index 00000000000..74415a19e0d --- /dev/null +++ b/packages/ti_flashpoint/_dev/build/docs/README.md 
@@ -0,0 +1,116 @@ +# Flashpoint Integration for Elastic + +## Overview + +[Flashpoint](https://flashpoint.io/) is a comprehensive threat intelligence platform that delivers actionable insights from dark web, deep web, and technical sources. It combines human-curated intelligence with automated collection to help organizations identify emerging threats, monitor adversary activity, and assess cyber risk with enriched context. + +The Flashpoint integration for Elastic collects vulnerabilities from the **Flashpoint Ignite API** and visualizes them in Kibana. + +### Compatibility + +The Flashpoint integration is compatible with Ignite API version **1.2**. + +### How it works + +This integration periodically queries the Flashpoint Ignite API to retrieve logs. + +## What data does this integration collect? + +This integration collects log messages of the following type: + +- `Vulnerabilities`: Collects `vulnerability` logs from the Flashpoint Ignite API (endpoint: `/vulnerability-intelligence/v1/vulnerabilities`), + +### Supported use cases + +Integrating Flashpoint Vulnerabilities with Elastic SIEM provides centralized visibility into vulnerability risk and exposure. + +Dashboards display `Total Vulnerabilities` and include tables for `Top Classifications`,` Vulnerability Names`, `Products`, and `Vendors`. Pie charts show `vulnerabilities by Ransomware Score`, `Severity`, and `Status`, while a line chart tracks `Vulnerabilities by Severity over Time`. + +A control panel allows filtering by `Status`, `Severity` and `Ransomware Score`. A saved searches for `CVSS v2`, `v3`, and `v4` details support deeper vulnerability analysis and prioritization. + +## What do I need to use this integration? + +### From Flashpoint + +To collect data through the Flashpoint Ignite API, you need to provide an **API Token**. Authentication is handled using the **API Token**, which serves as the required credential. + +#### Retrieve an API Token: + +1. Log in to the **Flashpoint** Instance. +2. 
Click on your profile icon in the top-right corner and select **Manage API Tokens**. +3. Click **Generate Token**. +4. Enter a name for the API token and click **Generate Token**. +5. Copy and securely store the generated API token for use in the integration configuration. + +## How do I deploy this integration? + +This integration supports both Elastic Agentless-based and Agent-based installations. + +### Agentless-based installation + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +### Agent-based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + + +### configure + +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **Flashpoint**. +3. Select the **Flashpoint** integration from the search results. +4. Select **Add Flashpoint** to add the integration. +5. Enable and configure only the collection methods which you will use. + + * To **Collect logs from Flashpoint API**, you'll need to: + + - Configure **API Token**. + - Adjust the integration configuration parameters if required, including the **Initial Interval**, **Interval**, **Page Size** etc. to enable data collection. + +6. 
Select **Save and continue** to save the integration. + +## Troubleshooting + +1. If vulnerability data collection is slow or fails with `context deadline exceeded`, reduce the `Page Size` and increase the `HTTP Client Timeout`. + +### Validation + +#### Dashboard populated + +1. In the top search bar in Kibana, search for **Dashboards**. +2. In the search bar, type **Flashpoint**, and verify the dashboard information is populated. + +## Performance and scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +## Reference + +### ECS field reference + +#### Vulnerability + +{{fields "vulnerability"}} + +### Example event + +#### Vulnerability + +{{event "vulnerability"}} + + +### Inputs used + +These input is used in the integration: + +- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel) + + +### API usage + +This integration dataset uses the following API: + +* List Vulberabilities (endpoint: `/vulnerability-intelligence/v1/vulnerabilities`) diff --git a/packages/ti_flashpoint/_dev/deploy/docker/docker-compose.yml b/packages/ti_flashpoint/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..13f0d327c6a --- /dev/null +++ b/packages/ti_flashpoint/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,15 @@ +version: '3.8' +services: + ti_flashpoint: + image: docker.elastic.co/observability/stream:v0.20.0 + hostname: ti_flashpoint + ports: + - 8090 + volumes: + - ./files:/files:ro + environment: + PORT: '8090' + command: + - http-server + - --addr=:8090 + - --config=/files/config.yml diff --git a/packages/ti_flashpoint/_dev/deploy/docker/files/config.yml b/packages/ti_flashpoint/_dev/deploy/docker/files/config.yml new file mode 100644 index 00000000000..0c712045816 --- /dev/null +++ b/packages/ti_flashpoint/_dev/deploy/docker/files/config.yml 
@@ -0,0 +1,1165 @@ +rules: + - path: /vulnerability-intelligence/v1/vulnerabilities + methods: ['GET'] + query_params: + size: "2" + updated_after: "{updated_after:.*}" + from: "2" + request_headers: + Authorization: "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + { + "total": 134731, + "next": "http://{{ hostname }}:{{ env "PORT" }}/vulnerability-intelligence/v1/vulnerabilities?from=4&size=2&updated_after=2025-04-10T08%3A49%3A09Z", + "previous": "http://{{ hostname }}:{{ env "PORT" }}/vulnerability-intelligence/v1/vulnerabilities?size=2&updated_after=2025-04-10T08%3A49%3A09Z", + "size": 2, + "from": 2, + "results": [ + { + "id": 432901, + "cve_ids": [ + "CVE-2025-13324" + ], + "title": "Mattermost Server Unspecified Incorrect Authorization Remote Authentication Bypass", + "keywords": "MMSA-2025-00524", + "description": "Mattermost Server contains an unspecified flaw that is triggered as legacy (version 1) remote cluster invite tokens were not invalidated after connection confirmation. This may allow a remote attacker who obtained an invite to continue authenticating as the remote cluster after the invitation was legitimately accepted. ", + "solution": "It has been reported that this has been fixed. 
Please refer to the product listing for upgraded versions that address this vulnerability.", + "technical_description": "", + "timelines": { + "published_at": "2025-12-29T23:03:36Z", + "last_modified_at": "2025-12-29T23:13:37Z", + "exploit_published_at": null, + "discovered_at": null, + "disclosed_at": "2025-11-17T00:00:00Z", + "vendor_informed_at": null, + "vendor_acknowledged_at": null, + "third_party_solution_provided_at": null, + "solution_provided_at": "2025-11-17T00:00:00Z", + "exploited_in_the_wild_at": null + }, + "scores": { + "severity": "Low", + "cvssv3_score": 3.7, + "epss_score": 0.00037, + "epss_v1_score": 0, + "ransomware_score": "Low" + }, + "vuln_status": "Active", + "cwes": [ + { + "cwe_id": 863, + "name": "Incorrect Authorization", + "source": "mitre", + "cve_ids": "2025-13324" + } + ], + "exploits_count": 0, + "ext_references": [ + { + "value": "https://mattermost.com/security-updates/", + "type": "Vendor Specific Advisory URL", + "url": "https://mattermost.com/security-updates/", + "description": null, + "created_at": "2020-09-09T19:57:14Z" + }, + { + "value": "2025-13324", + "type": "CVE ID", + "url": "https://www.cve.org/CVERecord?id=CVE-2025-13324", + "description": null, + "created_at": "2025-12-17T18:20:39Z" + }, + { + "value": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "type": "Generic Informational URL", + "url": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "description": null, + "created_at": "2025-12-23T17:58:58Z" + } + ], + "classifications": [ + { + "name": "location_remote", + "longname": "Remote / Network Access", + "description": "This vulnerability can be exploited over a wired network (e.g., LAN, WAN, Internet)." + }, + { + "name": "attack_type_other", + "longname": "Other", + "description": "A vulnerability that cannot be defined by any other Attack Type classification." 
+ }, + { + "name": "impact_integrity", + "longname": "Loss of Integrity", + "description": "Assurance that data is unaltered by unauthorized persons and authorization has not been exceeded.\r\nExamples: XSS, arbitrary command execution, most overflows, most format strings, SQL injection, unauthorized file modification/deletion/creation, remote file inclusion, etc." + }, + { + "name": "exploit_unknown", + "longname": "Exploit Unknown", + "description": "The status of a working exploit is unknown." + }, + { + "name": "solution_upgrade", + "longname": "Upgrade", + "description": "The vulnerability can be mitigated by installing the vendor-supplied upgrade." + }, + { + "name": "disclosure_verified", + "longname": "Vendor Verified", + "description": "The vendor has verified this vulnerability." + }, + { + "name": "disclosure_coordinated_disclosure", + "longname": "Coordinated Disclosure", + "description": "The researcher and vendor coordinated disclosure so that vulnerability details were released in conjunction with a solution." 
+ } + ], + "cvss_v2s": [ + { + "access_vector": "NETWORK", + "access_complexity": "MEDIUM", + "authentication": "NONE", + "confidentiality_impact": "NONE", + "integrity_impact": "PARTIAL", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T21:21:41Z", + "cve_id": null, + "score": 4.3, + "calculated_cvss_base_score": 4.3 + } + ], + "cvss_v3s": [ + { + "attack_vector": "NETWORK", + "attack_complexity": "HIGH", + "privileges_required": "NONE", + "user_interaction": "NONE", + "scope": "UNCHANGED", + "confidentiality_impact": "NONE", + "integrity_impact": "LOW", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T21:21:41Z", + "cve_id": null, + "score": 3.7, + "calculated_cvss_base_score": 3.7, + "vector_string": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C", + "version": "3.1", + "remediation_level": "OFFICIAL_FIX", + "report_confidence": "CONFIRMED", + "exploit_code_maturity": "UNPROVEN", + "temporal_score": 3.2, + "updated_at": "2025-12-29T23:03:36Z" + } + ], + "cvss_v4s": [ + { + "score": 6.3, + "threat_score": 6.3, + "source": "Flashpoint", + "generated_at": "2025-12-29T21:21:41.589000Z", + "updated_at": "2025-12-29T21:21:41.676000Z", + "cve_id": null, + "vector_string": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X", + "version": "4.0", + "attack_vector": "NETWORK", + "attack_complexity": "HIGH", + "attack_requirements": "NONE", + "privileges_required": "NONE", + "user_interaction": "NONE", + "exploit_maturity": "NOT_DEFINED", + "vulnerable_system_confidentiality_impact": "NONE", + "vulnerable_system_integrity_impact": "LOW", + "vulnerable_system_availability_impact": "NONE", + "subsequent_system_confidentiality_impact": "NONE", + "subsequent_system_integrity_impact": "NONE", + "subsequent_system_availability_impact": "NONE" + } + ], + "tags": [ + "oss" + ], + "products": [ + { + "id": 2828027, + "name": "Mattermost Server" + } + ], + "vendors": [ + { + 
"id": 2803312, + "name": "Mattermost" + } + ] + }, + { + "id": 432900, + "cve_ids": [ + "CVE-2025-62690" + ], + "title": "Mattermost Server Error Page Unspecified Open Redirect Weakness", + "keywords": "MMSA-2025-00533", + "description": "Mattermost Server contains a flaw that allows a cross-site redirection attack. This flaw exists because the application does not validate certain input upon submission to the 'Error' page. This could allow a context-dependent attacker to create a specially crafted link that, if followed, would redirect a victim from the intended legitimate website to an arbitrary website of the attacker's choosing.\r\n\r\nSuch attacks are useful as the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client-side software such as a web browser or document rendering programs, as well as phishing attacks that mimic the legitimate site but send user-supplied information to the attacker.", + "solution": "It has been reported that this has been fixed. 
Please refer to the product listing for upgraded versions that address this vulnerability.", + "technical_description": "", + "timelines": { + "published_at": "2025-12-29T22:56:58Z", + "last_modified_at": "2025-12-29T23:07:02Z", + "exploit_published_at": null, + "discovered_at": null, + "disclosed_at": "2025-11-17T00:00:00Z", + "vendor_informed_at": null, + "vendor_acknowledged_at": null, + "third_party_solution_provided_at": null, + "solution_provided_at": "2025-11-17T00:00:00Z", + "exploited_in_the_wild_at": null + }, + "scores": { + "severity": "Low", + "cvssv3_score": 3.4, + "epss_score": 0.0003, + "epss_v1_score": 0, + "ransomware_score": "High" + }, + "vuln_status": "Active", + "cwes": [ + { + "cwe_id": 601, + "name": "URL Redirection to Untrusted Site ('Open Redirect')", + "source": "mitre", + "cve_ids": "2025-62690" + } + ], + "exploits_count": 0, + "ext_references": [ + { + "value": "https://mattermost.com/security-updates/", + "type": "Vendor Specific Advisory URL", + "url": "https://mattermost.com/security-updates/", + "description": null, + "created_at": "2020-09-09T19:57:14Z" + }, + { + "value": "2025-62690", + "type": "CVE ID", + "url": "https://www.cve.org/CVERecord?id=CVE-2025-62690", + "description": null, + "created_at": "2025-12-17T12:35:41Z" + }, + { + "value": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "type": "Generic Informational URL", + "url": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "description": null, + "created_at": "2025-12-23T17:58:58Z" + } + ], + "classifications": [ + { + "name": "attack_type_input_manip", + "longname": "Input Manipulation", + "description": "A vulnerability that is exploited by sending manipulated and unexpected data to a service or process. This includes all types of overflows, memory corruption, XSS, SQLi, RFI, traversals and more." 
+ }, + { + "name": "impact_integrity", + "longname": "Loss of Integrity", + "description": "Assurance that data is unaltered by unauthorized persons and authorization has not been exceeded.\r\nExamples: XSS, arbitrary command execution, most overflows, most format strings, SQL injection, unauthorized file modification/deletion/creation, remote file inclusion, etc." + }, + { + "name": "exploit_unknown", + "longname": "Exploit Unknown", + "description": "The status of a working exploit is unknown." + }, + { + "name": "vuln_web_check", + "longname": "Web Related", + "description": "A vulnerability in an HTTP(S) related product." + }, + { + "name": "solution_upgrade", + "longname": "Upgrade", + "description": "The vulnerability can be mitigated by installing the vendor-supplied upgrade." + }, + { + "name": "disclosure_verified", + "longname": "Vendor Verified", + "description": "The vendor has verified this vulnerability." + }, + { + "name": "disclosure_coordinated_disclosure", + "longname": "Coordinated Disclosure", + "description": "The researcher and vendor coordinated disclosure so that vulnerability details were released in conjunction with a solution." + }, + { + "name": "location_context", + "longname": "Context Dependent", + "description": "For library vulnerabilities, the attack vector for exploitation depends on the application using the library. This classification is also used for vulnerabilities where user interaction is required. This may be in the form of clicking a link in an email, visiting a specific web site, or opening a file." 
+ } + ], + "cvss_v2s": [ + { + "access_vector": "NETWORK", + "access_complexity": "MEDIUM", + "authentication": "NONE", + "confidentiality_impact": "NONE", + "integrity_impact": "NONE", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T21:32:17Z", + "cve_id": null, + "score": 0, + "calculated_cvss_base_score": 0 + } + ], + "cvss_v3s": [ + { + "attack_vector": "NETWORK", + "attack_complexity": "HIGH", + "privileges_required": "NONE", + "user_interaction": "REQUIRED", + "scope": "CHANGED", + "confidentiality_impact": "NONE", + "integrity_impact": "LOW", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T22:56:37Z", + "cve_id": null, + "score": 3.4, + "calculated_cvss_base_score": 3.4, + "vector_string": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C", + "version": "3.1", + "remediation_level": "OFFICIAL_FIX", + "report_confidence": "CONFIRMED", + "exploit_code_maturity": "UNPROVEN", + "temporal_score": 3, + "updated_at": "2025-12-29T22:56:58Z" + } + ], + "cvss_v4s": [ + { + "score": 2.1, + "threat_score": 2.1, + "source": "Flashpoint", + "generated_at": "2025-12-29T22:56:37.856000Z", + "updated_at": "2025-12-29T22:56:37.939000Z", + "cve_id": null, + "vector_string": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X", + "version": "4.0", + "attack_vector": "NETWORK", + "attack_complexity": "HIGH", + "attack_requirements": "NONE", + "privileges_required": "NONE", + "user_interaction": "ACTIVE", + "exploit_maturity": "NOT_DEFINED", + "vulnerable_system_confidentiality_impact": "NONE", + "vulnerable_system_integrity_impact": "LOW", + "vulnerable_system_availability_impact": "NONE", + "subsequent_system_confidentiality_impact": "NONE", + "subsequent_system_integrity_impact": "LOW", + "subsequent_system_availability_impact": "NONE" + } + ], + "tags": [ + "oss" + ], + "products": [ + { + "id": 2828027, + "name": "Mattermost Server" + } + ], + "vendors": [ + { + "id": 
2803312, + "name": "Mattermost" + } + ] + } + ] + } + - path: /vulnerability-intelligence/v1/vulnerabilities + methods: ['GET'] + query_params: + size: "2" + from: "4" + updated_after: "{updated_after:.*}" + request_headers: + Authorization: "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + { + "total": 134731, + "next": null, + "previous": "http://{{ hostname }}:{{ env "PORT" }}/vulnerability-intelligence/v1/vulnerabilities?from=2&size=2&updated_after=2025-04-10T08%3A49%3A09Z", + "size": 2, + "from": 4, + "results": [ + { + "id": 432899, + "cve_ids": [ + "CVE-2025-13321" + ], + "title": "Mattermost Desktop Unspecified Insecure Logging Local Information Disclosure", + "keywords": "MMSA-2025-00520", + "description": "Mattermost Desktop contains an unspecified flaw that is triggered as sensitive information is insecurely logged in application logs. This may allow a local attacker to potentially disclose sensitive information.", + "solution": "It has been reported that this has been fixed. 
Please refer to the product listing for upgraded versions that address this vulnerability.", + "technical_description": "", + "timelines": { + "published_at": "2025-12-29T22:54:55Z", + "last_modified_at": "2025-12-29T23:04:57Z", + "exploit_published_at": null, + "discovered_at": null, + "disclosed_at": "2025-11-17T00:00:00Z", + "vendor_informed_at": null, + "vendor_acknowledged_at": null, + "third_party_solution_provided_at": null, + "solution_provided_at": "2025-11-17T00:00:00Z", + "exploited_in_the_wild_at": null + }, + "scores": { + "severity": "Low", + "cvssv3_score": 3.3, + "epss_score": 0.00013, + "epss_v1_score": 0, + "ransomware_score": "Low" + }, + "vuln_status": "Active", + "cwes": [ + { + "cwe_id": 532, + "name": "Insertion of Sensitive Information into Log File", + "source": "mitre", + "cve_ids": "2025-13321" + } + ], + "exploits_count": 0, + "ext_references": [ + { + "value": "https://mattermost.com/security-updates/", + "type": "Vendor Specific Advisory URL", + "url": "https://mattermost.com/security-updates/", + "description": null, + "created_at": "2020-09-09T19:57:14Z" + }, + { + "value": "2025-13321", + "type": "CVE ID", + "url": "https://www.cve.org/CVERecord?id=CVE-2025-13321", + "description": null, + "created_at": "2025-12-17T18:20:36Z" + }, + { + "value": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "type": "Generic Informational URL", + "url": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "description": null, + "created_at": "2025-12-23T17:58:58Z" + } + ], + "classifications": [ + { + "name": "location_local", + "longname": "Local Access Required", + "description": "Local access is required to exploit this vulnerability (e.g., unix shell, windows user)." + }, + { + "name": "attack_type_other", + "longname": "Other", + "description": "A vulnerability that cannot be defined by any other Attack Type classification." 
+ }, + { + "name": "impact_confidential", + "longname": "Loss of Confidentiality", + "description": "Assurance that data is protected and not disclosed to unauthorized party.\r\nExamples: password disclosures, server information, environment variables, confirmation of file existance, path dislcosure, file content access, some SQL injection." + }, + { + "name": "exploit_unknown", + "longname": "Exploit Unknown", + "description": "The status of a working exploit is unknown." + }, + { + "name": "solution_upgrade", + "longname": "Upgrade", + "description": "The vulnerability can be mitigated by installing the vendor-supplied upgrade." + }, + { + "name": "disclosure_verified", + "longname": "Vendor Verified", + "description": "The vendor has verified this vulnerability." + }, + { + "name": "disclosure_coordinated_disclosure", + "longname": "Coordinated Disclosure", + "description": "The researcher and vendor coordinated disclosure so that vulnerability details were released in conjunction with a solution." + }, + { + "name": "vuln_authentication_required", + "longname": "Authentication Required", + "description": "This vulnerability can only be exploited after successful authentication." 
+ } + ], + "cvss_v2s": [ + { + "access_vector": "LOCAL", + "access_complexity": "LOW", + "authentication": "NONE", + "confidentiality_impact": "PARTIAL", + "integrity_impact": "NONE", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T20:28:55Z", + "cve_id": null, + "score": 2.1, + "calculated_cvss_base_score": 2.1 + } + ], + "cvss_v3s": [ + { + "attack_vector": "LOCAL", + "attack_complexity": "LOW", + "privileges_required": "LOW", + "user_interaction": "NONE", + "scope": "UNCHANGED", + "confidentiality_impact": "LOW", + "integrity_impact": "NONE", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T20:28:55Z", + "cve_id": null, + "score": 3.3, + "calculated_cvss_base_score": 3.3, + "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C", + "version": "3.1", + "remediation_level": "OFFICIAL_FIX", + "report_confidence": "CONFIRMED", + "exploit_code_maturity": "UNPROVEN", + "temporal_score": 2.9, + "updated_at": "2025-12-29T22:54:56Z" + } + ], + "cvss_v4s": [ + { + "score": 4.8, + "threat_score": 4.8, + "source": "Flashpoint", + "generated_at": "2025-12-29T20:28:55.049000Z", + "updated_at": "2025-12-29T20:28:55.161000Z", + "cve_id": null, + "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X", + "version": "4.0", + "attack_vector": "LOCAL", + "attack_complexity": "LOW", + "attack_requirements": "NONE", + "privileges_required": "LOW", + "user_interaction": "NONE", + "exploit_maturity": "NOT_DEFINED", + "vulnerable_system_confidentiality_impact": "LOW", + "vulnerable_system_integrity_impact": "NONE", + "vulnerable_system_availability_impact": "NONE", + "subsequent_system_confidentiality_impact": "NONE", + "subsequent_system_integrity_impact": "NONE", + "subsequent_system_availability_impact": "NONE" + } + ], + "tags": [ + "oss" + ], + "products": [ + { + "id": 2985883, + "name": "Mattermost Desktop" + } + ], + "vendors": [ + { + "id": 
2803312, + "name": "Mattermost" + } + ] + }, + { + "id": 432898, + "cve_ids": [ + "CVE-2025-13326" + ], + "title": "Mattermost Desktop Hardened Runtime Protection Mechanism Failure Local TCC Privilege Escalation", + "keywords": "MMSA-2025-00504", + "description": "Mattermost Desktop contains a flaw that is triggered as the program fails to enable the Hardened Runtime setting when packaged for Mac App Store. This may allow a local attacker to inherit TCC permissions via copying the binary to a tmp folder.", + "solution": "It has been reported that this has been fixed. Please refer to the product listing for upgraded versions that address this vulnerability.", + "technical_description": "", + "timelines": { + "published_at": "2025-12-29T22:49:59Z", + "last_modified_at": "2025-12-29T23:00:01Z", + "exploit_published_at": null, + "discovered_at": null, + "disclosed_at": "2025-11-17T00:00:00Z", + "vendor_informed_at": null, + "vendor_acknowledged_at": null, + "third_party_solution_provided_at": null, + "solution_provided_at": "2025-11-17T00:00:00Z", + "exploited_in_the_wild_at": null + }, + "scores": { + "severity": "Low", + "cvssv3_score": 3.9, + "epss_score": 0.00013, + "epss_v1_score": 0, + "ransomware_score": "Low" + }, + "vuln_status": "Active", + "cwes": [ + { + "cwe_id": 693, + "name": "Protection Mechanism Failure", + "source": "mitre", + "cve_ids": "2025-13326" + } + ], + "exploits_count": 0, + "ext_references": [ + { + "value": "https://mattermost.com/security-updates/", + "type": "Vendor Specific Advisory URL", + "url": "https://mattermost.com/security-updates/", + "description": null, + "created_at": "2020-09-09T19:57:14Z" + }, + { + "value": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "type": "Generic Informational URL", + "url": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "description": null, + "created_at": "2025-12-23T17:58:58Z" + }, + { + "value": "2025-13326", + "type": "CVE ID", + "url": 
"https://www.cve.org/CVERecord?id=CVE-2025-13326", + "description": null, + "created_at": "2025-12-17T18:20:42Z" + } + ], + "classifications": [ + { + "name": "location_local", + "longname": "Local Access Required", + "description": "Local access is required to exploit this vulnerability (e.g., unix shell, windows user)." + }, + { + "name": "attack_type_other", + "longname": "Other", + "description": "A vulnerability that cannot be defined by any other Attack Type classification." + }, + { + "name": "impact_confidential", + "longname": "Loss of Confidentiality", + "description": "Assurance that data is protected and not disclosed to unauthorized party.\r\nExamples: password disclosures, server information, environment variables, confirmation of file existance, path dislcosure, file content access, some SQL injection." + }, + { + "name": "impact_integrity", + "longname": "Loss of Integrity", + "description": "Assurance that data is unaltered by unauthorized persons and authorization has not been exceeded.\r\nExamples: XSS, arbitrary command execution, most overflows, most format strings, SQL injection, unauthorized file modification/deletion/creation, remote file inclusion, etc." + }, + { + "name": "exploit_unknown", + "longname": "Exploit Unknown", + "description": "The status of a working exploit is unknown." + }, + { + "name": "solution_upgrade", + "longname": "Upgrade", + "description": "The vulnerability can be mitigated by installing the vendor-supplied upgrade." + }, + { + "name": "disclosure_verified", + "longname": "Vendor Verified", + "description": "The vendor has verified this vulnerability." + }, + { + "name": "disclosure_coordinated_disclosure", + "longname": "Coordinated Disclosure", + "description": "The researcher and vendor coordinated disclosure so that vulnerability details were released in conjunction with a solution." 
+ }, + { + "name": "vuln_authentication_required", + "longname": "Authentication Required", + "description": "This vulnerability can only be exploited after successful authentication." + } + ], + "cvss_v2s": [ + { + "access_vector": "LOCAL", + "access_complexity": "MEDIUM", + "authentication": "NONE", + "confidentiality_impact": "NONE", + "integrity_impact": "PARTIAL", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T20:10:04Z", + "cve_id": null, + "score": 1.9, + "calculated_cvss_base_score": 1.9 + } + ], + "cvss_v3s": [ + { + "attack_vector": "LOCAL", + "attack_complexity": "LOW", + "privileges_required": "LOW", + "user_interaction": "REQUIRED", + "scope": "UNCHANGED", + "confidentiality_impact": "LOW", + "integrity_impact": "LOW", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T20:10:04Z", + "cve_id": null, + "score": 3.9, + "calculated_cvss_base_score": 3.9, + "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C", + "version": "3.1", + "remediation_level": "OFFICIAL_FIX", + "report_confidence": "CONFIRMED", + "exploit_code_maturity": "UNPROVEN", + "temporal_score": 3.4, + "updated_at": "2025-12-29T22:49:59Z" + } + ], + "cvss_v4s": [ + { + "score": 2.4, + "threat_score": 2.4, + "source": "Flashpoint", + "generated_at": "2025-12-29T20:10:04.144000Z", + "updated_at": "2025-12-29T20:10:04.254000Z", + "cve_id": null, + "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X", + "version": "4.0", + "attack_vector": "LOCAL", + "attack_complexity": "LOW", + "attack_requirements": "NONE", + "privileges_required": "LOW", + "user_interaction": "PASSIVE", + "exploit_maturity": "NOT_DEFINED", + "vulnerable_system_confidentiality_impact": "LOW", + "vulnerable_system_integrity_impact": "LOW", + "vulnerable_system_availability_impact": "NONE", + "subsequent_system_confidentiality_impact": "NONE", + "subsequent_system_integrity_impact": "NONE", 
+ "subsequent_system_availability_impact": "NONE" + } + ], + "tags": [ + "oss" + ], + "products": [ + { + "id": 2985883, + "name": "Mattermost Desktop" + } + ], + "vendors": [ + { + "id": 2803312, + "name": "Mattermost" + } + ] + } + ] + } + - path: /vulnerability-intelligence/v1/vulnerabilities + methods: ['GET'] + query_params: + size: "2" + updated_after: "{updated_after:.*}" + request_headers: + Authorization: "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + { + "total": 134731, + "next": "http://{{ hostname }}:{{ env "PORT" }}/vulnerability-intelligence/v1/vulnerabilities?from=2&size=2&updated_after=2025-04-10T08%3A49%3A09Z", + "previous": null, + "size": 2, + "from": 0, + "results": [ + { + "id": 432903, + "cve_ids": [ + "CVE-2025-64641" + ], + "title": "Mattermost Server Unspecified Improper Access Controls Remote Information Disclosure", + "keywords": "", + "description": "Mattermost Server contains an unspecified flaw that is triggered as the program fails to verif.", + "solution": "It has been reported that this has been fixed. 
Please refer to the product listing for upgraded versions.", + "technical_description": "", + "timelines": { + "published_at": "2025-12-29T23:10:33Z", + "last_modified_at": "2025-12-29T23:20:38Z", + "exploit_published_at": null, + "discovered_at": null, + "disclosed_at": "2025-11-26T00:00:00Z", + "vendor_informed_at": null, + "vendor_acknowledged_at": null, + "third_party_solution_provided_at": null, + "solution_provided_at": "2025-11-26T00:00:00Z", + "exploited_in_the_wild_at": null + }, + "scores": { + "severity": "Medium", + "cvssv3_score": 4.1, + "epss_score": 0.00025, + "epss_v1_score": 0, + "ransomware_score": "Low" + }, + "vuln_status": "Active", + "cwes": [ + { + "cwe_id": 863, + "name": "Incorrect Authorization", + "source": "mitre", + "cve_ids": "2025-64641" + } + ], + "exploits_count": 0, + "ext_references": [ + { + "value": "https://mattermost.com/security-updates/", + "type": "Vendor Specific Advisory URL", + "url": "https://mattermost.com/security-updates/", + "description": null, + "created_at": "2020-09-09T19:57:14Z" + }, + { + "value": "2025-64641", + "type": "CVE ID", + "url": "https://www.cve.org/CVERecord?id=CVE-2025-64641", + "description": null, + "created_at": "2025-12-24T08:10:35Z" + } + ], + "classifications": [ + { + "name": "location_remote", + "longname": "Remote / Network Access", + "description": "This vulnerability can be exploited over a wired network (e.g., LAN, WAN, Internet)." + }, + { + "name": "attack_type_other", + "longname": "Other", + "description": "A vulnerability that cannot be defined by any other Attack Type classification." + }, + { + "name": "impact_confidential", + "longname": "Loss of Confidentiality", + "description": "Assurance that data is protected and not disclosed to unauthorized party.\r\nExamples: password disclosures, server information, environment variables, confirmation of file existance, path dislcosure, file content access, some SQL injection." 
+ }, + { + "name": "exploit_unknown", + "longname": "Exploit Unknown", + "description": "The status of a working exploit is unknown." + }, + { + "name": "solution_upgrade", + "longname": "Upgrade", + "description": "The vulnerability can be mitigated by installing the vendor-supplied upgrade." + }, + { + "name": "disclosure_verified", + "longname": "Vendor Verified", + "description": "The vendor has verified this vulnerability." + }, + { + "name": "disclosure_coordinated_disclosure", + "longname": "Coordinated Disclosure", + "description": "The researcher and vendor coordinated disclosure so that vulnerability details were released in conjunction with a solution." + }, + { + "name": "vuln_authentication_required", + "longname": "Authentication Required", + "description": "This vulnerability can only be exploited after successful authentication." + } + ], + "cvss_v2s": [ + { + "access_vector": "NETWORK", + "access_complexity": "MEDIUM", + "authentication": "SINGLE_INSTANCE", + "confidentiality_impact": "PARTIAL", + "integrity_impact": "NONE", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T20:41:43Z", + "cve_id": null, + "score": 3.5, + "calculated_cvss_base_score": 3.5 + } + ], + "cvss_v3s": [ + { + "attack_vector": "NETWORK", + "attack_complexity": "LOW", + "privileges_required": "LOW", + "user_interaction": "REQUIRED", + "scope": "CHANGED", + "confidentiality_impact": "LOW", + "integrity_impact": "NONE", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T20:41:43Z", + "cve_id": null, + "score": 4.1, + "calculated_cvss_base_score": 4.1, + "vector_string": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C", + "version": "3.1", + "remediation_level": "OFFICIAL_FIX", + "report_confidence": "CONFIRMED", + "exploit_code_maturity": "UNPROVEN", + "temporal_score": 3.6, + "updated_at": "2025-12-29T23:10:34Z" + } + ], + "cvss_v4s": [ + { + "score": 5.1, + "threat_score": 5.1, + 
"source": "Flashpoint", + "generated_at": "2025-12-29T20:41:43.549000Z", + "updated_at": "2025-12-29T20:41:43.632000Z", + "cve_id": null, + "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X", + "version": "4.0", + "attack_vector": "NETWORK", + "attack_complexity": "LOW", + "attack_requirements": "NONE", + "privileges_required": "LOW", + "user_interaction": "PASSIVE", + "exploit_maturity": "NOT_DEFINED", + "vulnerable_system_confidentiality_impact": "LOW", + "vulnerable_system_integrity_impact": "NONE", + "vulnerable_system_availability_impact": "NONE", + "subsequent_system_confidentiality_impact": "LOW", + "subsequent_system_integrity_impact": "NONE", + "subsequent_system_availability_impact": "NONE" + } + ], + "tags": [ + "oss", + "pre_nvd" + ], + "products": [ + { + "id": 2828027, + "name": "Mattermost Server" + } + ], + "vendors": [ + { + "id": 2803312, + "name": "Mattermost" + } + ] + }, + { + "id": 432902, + "cve_ids": [ + "CVE-2025-13352" + ], + "title": "Mattermost Server Unspecified Input Handling Remote Reaction Manipulation", + "keywords": "MMSA-2025-00521", + "description": "Mattermost Server contains an unspecified flaw that is triggered.", + "solution": "It has been reported that this has been fixed.", + "technical_description": "", + "timelines": { + "published_at": "2025-12-29T23:07:57Z", + "last_modified_at": "2025-12-29T23:17:57Z", + "exploit_published_at": null, + "discovered_at": null, + "disclosed_at": "2025-11-18T00:00:00Z", + "vendor_informed_at": null, + "vendor_acknowledged_at": null, + "third_party_solution_provided_at": null, + "solution_provided_at": "2025-11-18T00:00:00Z", + "exploited_in_the_wild_at": null + }, + "scores": { + "severity": "Low", + "cvssv3_score": 3, + "epss_score": 0.00043, + "epss_v1_score": 0, + "ransomware_score": "High" + }, + "vuln_status": "Active", + "cwes": [ + { + "cwe_id": 1287, + "name": "Improper Validation of Specified Type of Input", + "source": "mitre", + "cve_ids": 
"2025-13352" + } + ], + "exploits_count": 0, + "ext_references": [ + { + "value": "https://mattermost.com/security-updates/", + "type": "Vendor Specific Advisory URL", + "url": "https://mattermost.com/security-updates/", + "description": null, + "created_at": "2020-09-09T19:57:14Z" + }, + { + "value": "2025-13352", + "type": "CVE ID", + "url": "https://www.cve.org/CVERecord?id=CVE-2025-13352", + "description": null, + "created_at": "2025-12-17T12:20:32Z" + }, + { + "value": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "type": "Generic Informational URL", + "url": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "description": null, + "created_at": "2025-12-23T17:58:58Z" + } + ], + "classifications": [ + { + "name": "location_remote", + "longname": "Remote / Network Access", + "description": "This vulnerability can be exploited over a wired network (e.g., LAN, WAN, Internet)." + }, + { + "name": "attack_type_input_manip", + "longname": "Input Manipulation", + "description": "A vulnerability that is exploited by sending manipulated and unexpected data to a service or process. This includes all types of overflows, memory corruption, XSS, SQLi, RFI, traversals and more." + }, + { + "name": "impact_integrity", + "longname": "Loss of Integrity", + "description": "Assurance that data is unaltered by unauthorized persons and authorization has not been exceeded.\r\nExamples: XSS, arbitrary command execution, most overflows, most format strings, SQL injection, unauthorized file modification/deletion/creation, remote file inclusion, etc." + }, + { + "name": "exploit_unknown", + "longname": "Exploit Unknown", + "description": "The status of a working exploit is unknown." + }, + { + "name": "solution_upgrade", + "longname": "Upgrade", + "description": "The vulnerability can be mitigated by installing the vendor-supplied upgrade." 
+ }, + { + "name": "disclosure_verified", + "longname": "Vendor Verified", + "description": "The vendor has verified this vulnerability." + }, + { + "name": "disclosure_coordinated_disclosure", + "longname": "Coordinated Disclosure", + "description": "The researcher and vendor coordinated disclosure so that vulnerability details were released in conjunction with a solution." + }, + { + "name": "vuln_authentication_required", + "longname": "Authentication Required", + "description": "This vulnerability can only be exploited after successful authentication." + } + ], + "cvss_v2s": [ + { + "access_vector": "NETWORK", + "access_complexity": "HIGH", + "authentication": "SINGLE_INSTANCE", + "confidentiality_impact": "NONE", + "integrity_impact": "PARTIAL", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T20:37:55Z", + "cve_id": null, + "score": 2.1, + "calculated_cvss_base_score": 2.1 + } + ], + "cvss_v3s": [ + { + "attack_vector": "NETWORK", + "attack_complexity": "HIGH", + "privileges_required": "LOW", + "user_interaction": "REQUIRED", + "scope": "CHANGED", + "confidentiality_impact": "NONE", + "integrity_impact": "LOW", + "availability_impact": "NONE", + "source": "Flashpoint", + "generated_at": "2025-12-29T20:38:09Z", + "cve_id": null, + "score": 3, + "calculated_cvss_base_score": 3, + "vector_string": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C", + "version": "3.1", + "remediation_level": "OFFICIAL_FIX", + "report_confidence": "CONFIRMED", + "exploit_code_maturity": "UNPROVEN", + "temporal_score": 2.6, + "updated_at": "2025-12-29T23:07:57Z" + } + ], + "cvss_v4s": [ + { + "score": 2.1, + "threat_score": 2.1, + "source": "Flashpoint", + "generated_at": "2025-12-29T20:38:09.439000Z", + "updated_at": "2025-12-29T20:38:09.527000Z", + "cve_id": null, + "vector_string": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X", + "version": "4.0", + "attack_vector": "NETWORK", + "attack_complexity": 
"HIGH", + "attack_requirements": "NONE", + "privileges_required": "LOW", + "user_interaction": "PASSIVE", + "exploit_maturity": "NOT_DEFINED", + "vulnerable_system_confidentiality_impact": "NONE", + "vulnerable_system_integrity_impact": "LOW", + "vulnerable_system_availability_impact": "NONE", + "subsequent_system_confidentiality_impact": "NONE", + "subsequent_system_integrity_impact": "LOW", + "subsequent_system_availability_impact": "NONE" + } + ], + "tags": [ + "oss" + ], + "products": [ + { + "id": 9472501, + "name": "Mattermost Plugins" + }, + { + "id": 2828027, + "name": "Mattermost Server" + } + ], + "vendors": [ + { + "id": 2803312, + "name": "Mattermost" + } + ] + } + ] + } diff --git a/packages/ti_flashpoint/changelog.yml b/packages/ti_flashpoint/changelog.yml new file mode 100644 index 00000000000..35fb1d2c290 --- /dev/null +++ b/packages/ti_flashpoint/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: 0.1.0 + changes: + - description: Initial release. + type: enhancement + link: https://github.com/elastic/integrations/pull/1 diff --git a/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml b/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log b/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log new file mode 100644 index 00000000000..299f97e953f --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log 
@@ -0,0 +1,3 @@ +{"id":432233,"cve_ids":["CVE-2024-36333"],"title":"AMD Adrenalin / PRO Edition Unspecified Issue (2024-36333)","keywords":"","description":"AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. No further details have been provided by the vendor.","solution":"It has been reported that this has been fixed. Please refer to the product listing for upgraded versions that address this vulnerability.","technical_description":"","timelines":{"published_at":"2025-12-24T03:32:15Z","last_modified_at":"2025-12-24T03:32:15Z","exploit_published_at":null,"discovered_at":null,"disclosed_at":"2025-10-14T00:00:00Z","vendor_informed_at":null,"vendor_acknowledged_at":null,"third_party_solution_provided_at":null,"solution_provided_at":"2025-10-29T00:00:00Z","exploited_in_the_wild_at":null},"scores":{"severity":"Critical","cvssv3_score":9.8,"epss_score":null,"epss_v1_score":null,"ransomware_score":null},"vuln_status":"Active","cwes":[],"exploits_count":0,"ext_references":[{"value":"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html","type":"Vendor Specific Advisory URL","url":"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html","description":null,"created_at":"2025-12-23T14:46:21Z"},{"value":"2024-36333","type":"CVE ID","url":"https://www.cve.org/CVERecord?id=CVE-2024-36333","description":null,"created_at":"2025-12-23T14:44:29Z"},{"value":"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html","type":"Vendor Specific Advisory URL","url":"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html","description":null,"created_at":"2025-12-23T14:42:04Z"}],"classifications":[{"name":"location_unknown","longname":"Location Unknown","description":"The attack vector was not disclosed."},{"name":"attack_type_unknown","longname":"Attack Type Unknown","description":"The attack type 
for this vulnerability is not known."},{"name":"impact_unknown","longname":"Impact Unknown","description":"The exploitation impact is unknown."},{"name":"exploit_unknown","longname":"Exploit Unknown","description":"The status of a working exploit is unknown."},{"name":"solution_upgrade","longname":"Upgrade","description":"The vulnerability can be mitigated by installing the vendor-supplied upgrade."},{"name":"disclosure_verified","longname":"Vendor Verified","description":"The vendor has verified this vulnerability."}],"cvss_v2s":[{"access_vector":"NETWORK","access_complexity":"LOW","authentication":"NONE","confidentiality_impact":"COMPLETE","integrity_impact":"COMPLETE","availability_impact":"COMPLETE","source":"Flashpoint","generated_at":"2025-12-24T03:31:34Z","cve_id":null,"score":10,"calculated_cvss_base_score":10}],"cvss_v3s":[{"attack_vector":"NETWORK","attack_complexity":"LOW","privileges_required":"NONE","user_interaction":"NONE","scope":"UNCHANGED","confidentiality_impact":"HIGH","integrity_impact":"HIGH","availability_impact":"HIGH","source":"Flashpoint","generated_at":"2025-12-24T03:31:34Z","cve_id":null,"score":9.8,"calculated_cvss_base_score":9.8,"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","version":"3.1","remediation_level":"OFFICIAL_FIX","report_confidence":"CONFIRMED","exploit_code_maturity":"UNPROVEN","temporal_score":8.5,"updated_at":"2025-12-24T03:32:15Z"}],"cvss_v4s":[{"score":9.3,"threat_score":9.3,"source":"Flashpoint","generated_at":"2025-12-24T03:31:34.691000Z","updated_at":"2025-12-24T03:31:34.775000Z","cve_id":null,"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X","version":"4.0","attack_vector":"NETWORK","attack_complexity":"LOW","attack_requirements":"NONE","privileges_required":"NONE","user_interaction":"NONE","exploit_maturity":"NOT_DEFINED","vulnerable_system_confidentiality_impact":"HIGH","vulnerable_system_integrity_impact":"HIGH","vulnerable_system_availability_imp
act":"HIGH","subsequent_system_confidentiality_impact":"NONE","subsequent_system_integrity_impact":"NONE","subsequent_system_availability_impact":"NONE"}],"tags":[],"products":[{"id":14542739,"name":"AMD Adrenalin"},{"id":14542740,"name":"AMD PRO Edition"}],"vendors":[{"id":5438,"name":"Advanced Micro Devices"}]} +{"id":432232,"cve_ids":["CVE-2024-36323"],"title":"AMD Adrenalin / PRO Edition Unspecified Issue (2024-36323)","keywords":"","description":"AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. No further details have been provided by the vendor.","solution":"It has been reported that this has been fixed. Please refer to the product listing for upgraded versions that address this vulnerability.","technical_description":"","timelines":{"published_at":"2025-12-24T03:32:14Z","last_modified_at":"2025-12-24T03:32:14Z","exploit_published_at":null,"discovered_at":null,"disclosed_at":"2025-10-14T00:00:00Z","vendor_informed_at":null,"vendor_acknowledged_at":null,"third_party_solution_provided_at":null,"solution_provided_at":"2025-10-29T00:00:00Z","exploited_in_the_wild_at":null},"scores":{"severity":"Critical","cvssv3_score":9.8,"epss_score":null,"epss_v1_score":null,"ransomware_score":null},"vuln_status":"Active","cwes":[],"exploits_count":0,"ext_references":[{"value":"2024-36323","type":"CVE ID","url":"https://www.cve.org/CVERecord?id=CVE-2024-36323","description":null,"created_at":"2025-12-23T14:44:29Z"},{"value":"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html","type":"Vendor Specific Advisory URL","url":"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html","description":null,"created_at":"2025-12-23T14:46:21Z"},{"value":"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html","type":"Vendor Specific Advisory 
URL","url":"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html","description":null,"created_at":"2025-12-23T14:42:04Z"}],"classifications":[{"name":"location_unknown","longname":"Location Unknown","description":"The attack vector was not disclosed."},{"name":"attack_type_unknown","longname":"Attack Type Unknown","description":"The attack type for this vulnerability is not known."},{"name":"impact_unknown","longname":"Impact Unknown","description":"The exploitation impact is unknown."},{"name":"exploit_unknown","longname":"Exploit Unknown","description":"The status of a working exploit is unknown."},{"name":"solution_upgrade","longname":"Upgrade","description":"The vulnerability can be mitigated by installing the vendor-supplied upgrade."},{"name":"disclosure_verified","longname":"Vendor Verified","description":"The vendor has verified this vulnerability."}],"cvss_v2s":[{"access_vector":"NETWORK","access_complexity":"LOW","authentication":"NONE","confidentiality_impact":"COMPLETE","integrity_impact":"COMPLETE","availability_impact":"COMPLETE","source":"Flashpoint","generated_at":"2025-12-24T03:31:35Z","cve_id":null,"score":10,"calculated_cvss_base_score":10}],"cvss_v3s":[{"attack_vector":"NETWORK","attack_complexity":"LOW","privileges_required":"NONE","user_interaction":"NONE","scope":"UNCHANGED","confidentiality_impact":"HIGH","integrity_impact":"HIGH","availability_impact":"HIGH","source":"Flashpoint","generated_at":"2025-12-24T03:31:35Z","cve_id":null,"score":9.8,"calculated_cvss_base_score":9.8,"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","version":"3.1","remediation_level":"OFFICIAL_FIX","report_confidence":"CONFIRMED","exploit_code_maturity":"UNPROVEN","temporal_score":8.5,"updated_at":"2025-12-24T03:32:14Z"}],"cvss_v4s":[{"score":9.3,"threat_score":9.3,"source":"Flashpoint","generated_at":"2025-12-24T03:31:35.797000Z","updated_at":"2025-12-24T03:31:35.921000Z","cve_id":null,"vector_string":"C
VSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X","version":"4.0","attack_vector":"NETWORK","attack_complexity":"LOW","attack_requirements":"NONE","privileges_required":"NONE","user_interaction":"NONE","exploit_maturity":"NOT_DEFINED","vulnerable_system_confidentiality_impact":"HIGH","vulnerable_system_integrity_impact":"HIGH","vulnerable_system_availability_impact":"HIGH","subsequent_system_confidentiality_impact":"NONE","subsequent_system_integrity_impact":"NONE","subsequent_system_availability_impact":"NONE"}],"tags":[],"products":[{"id":14542739,"name":"AMD Adrenalin"},{"id":14542740,"name":"AMD PRO Edition"}],"vendors":[{"id":5438,"name":"Advanced Micro Devices"}]} +{"id":432231,"cve_ids":["CVE-2024-36325"],"title":"AMD Adrenalin / PRO Edition Unspecified Issue (2024-36325)","keywords":"","description":"AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. No further details have been provided by the vendor.","solution":"It has been reported that this has been fixed. 
Please refer to the product listing for upgraded versions that address this vulnerability.","technical_description":"","timelines":{"published_at":"2025-12-24T03:32:12Z","last_modified_at":"2025-12-24T03:32:12Z","exploit_published_at":null,"discovered_at":null,"disclosed_at":"2025-10-14T00:00:00Z","vendor_informed_at":null,"vendor_acknowledged_at":null,"third_party_solution_provided_at":null,"solution_provided_at":"2025-10-29T00:00:00Z","exploited_in_the_wild_at":null},"scores":{"severity":"Critical","cvssv3_score":9.8,"epss_score":null,"epss_v1_score":null,"ransomware_score":null},"vuln_status":"Active","cwes":[],"exploits_count":0,"ext_references":[{"value":"2024-36325","type":"CVE ID","url":"https://www.cve.org/CVERecord?id=CVE-2024-36325","description":null,"created_at":"2025-12-22T15:48:34Z"},{"value":"https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-chromeos_17.html","type":"Vendor Specific Advisory URL","url":"https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-chromeos_17.html","description":null,"created_at":"2025-12-22T15:44:46Z"},{"value":"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html","type":"Vendor Specific Advisory URL","url":"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html","description":null,"created_at":"2025-12-23T14:46:21Z"},{"value":"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html","type":"Vendor Specific Advisory URL","url":"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html","description":null,"created_at":"2025-12-23T14:42:04Z"}],"classifications":[{"name":"location_unknown","longname":"Location Unknown","description":"The attack vector was not disclosed."},{"name":"attack_type_unknown","longname":"Attack Type Unknown","description":"The attack type for this vulnerability is not known."},{"name":"impact_unknown","longname":"Impact 
Unknown","description":"The exploitation impact is unknown."},{"name":"exploit_unknown","longname":"Exploit Unknown","description":"The status of a working exploit is unknown."},{"name":"solution_upgrade","longname":"Upgrade","description":"The vulnerability can be mitigated by installing the vendor-supplied upgrade."},{"name":"disclosure_verified","longname":"Vendor Verified","description":"The vendor has verified this vulnerability."}],"cvss_v2s":[{"access_vector":"NETWORK","access_complexity":"LOW","authentication":"NONE","confidentiality_impact":"COMPLETE","integrity_impact":"COMPLETE","availability_impact":"COMPLETE","source":"Flashpoint","generated_at":"2025-12-24T03:31:37Z","cve_id":null,"score":10,"calculated_cvss_base_score":10}],"cvss_v3s":[{"attack_vector":"NETWORK","attack_complexity":"LOW","privileges_required":"NONE","user_interaction":"NONE","scope":"UNCHANGED","confidentiality_impact":"HIGH","integrity_impact":"HIGH","availability_impact":"HIGH","source":"Flashpoint","generated_at":"2025-12-24T03:31:37Z","cve_id":null,"score":9.8,"calculated_cvss_base_score":9.8,"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","version":"3.1","remediation_level":"OFFICIAL_FIX","report_confidence":"CONFIRMED","exploit_code_maturity":"UNPROVEN","temporal_score":8.5,"updated_at":"2025-12-24T03:32:12Z"}],"cvss_v4s":[{"score":9.3,"threat_score":9.3,"source":"Flashpoint","generated_at":"2025-12-24T03:31:37.053000Z","updated_at":"2025-12-24T03:31:37.199000Z","cve_id":null,"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X","version":"4.0","attack_vector":"NETWORK","attack_complexity":"LOW","attack_requirements":"NONE","privileges_required":"NONE","user_interaction":"NONE","exploit_maturity":"NOT_DEFINED","vulnerable_system_confidentiality_impact":"HIGH","vulnerable_system_integrity_impact":"HIGH","vulnerable_system_availability_impact":"HIGH","subsequent_system_confidentiality_impact":"NONE","subsequent_system_in
tegrity_impact":"NONE","subsequent_system_availability_impact":"NONE"}],"tags":["oss"],"products":[{"id":100811,"name":"Chrome OS"},{"id":14542739,"name":"AMD Adrenalin"},{"id":14542740,"name":"AMD PRO Edition"}],"vendors":[{"id":2613,"name":"Google"},{"id":5438,"name":"Advanced Micro Devices"}]} diff --git a/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json new file mode 100644 index 00000000000..e416d3d7d2a --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json 
@@ -0,0 +1,609 @@ +{ + "expected": [ + { + "@timestamp": "2025-12-24T03:32:15.000Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-12-24T03:32:15.000Z", + "id": "432233", + "kind": "event", + "original": "{\"id\":432233,\"cve_ids\":[\"CVE-2024-36333\"],\"title\":\"AMD Adrenalin / PRO Edition Unspecified Issue (2024-36333)\",\"keywords\":\"\",\"description\":\"AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. No further details have been provided by the vendor.\",\"solution\":\"It has been reported that this has been fixed. Please refer to the product listing for upgraded versions that address this vulnerability.\",\"technical_description\":\"\",\"timelines\":{\"published_at\":\"2025-12-24T03:32:15Z\",\"last_modified_at\":\"2025-12-24T03:32:15Z\",\"exploit_published_at\":null,\"discovered_at\":null,\"disclosed_at\":\"2025-10-14T00:00:00Z\",\"vendor_informed_at\":null,\"vendor_acknowledged_at\":null,\"third_party_solution_provided_at\":null,\"solution_provided_at\":\"2025-10-29T00:00:00Z\",\"exploited_in_the_wild_at\":null},\"scores\":{\"severity\":\"Critical\",\"cvssv3_score\":9.8,\"epss_score\":null,\"epss_v1_score\":null,\"ransomware_score\":null},\"vuln_status\":\"Active\",\"cwes\":[],\"exploits_count\":0,\"ext_references\":[{\"value\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html\",\"type\":\"Vendor Specific Advisory URL\",\"url\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html\",\"description\":null,\"created_at\":\"2025-12-23T14:46:21Z\"},{\"value\":\"2024-36333\",\"type\":\"CVE ID\",\"url\":\"https://www.cve.org/CVERecord?id=CVE-2024-36333\",\"description\":null,\"created_at\":\"2025-12-23T14:44:29Z\"},{\"value\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html\",\"type\":\"Vendor Specific Advisory 
URL\",\"url\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html\",\"description\":null,\"created_at\":\"2025-12-23T14:42:04Z\"}],\"classifications\":[{\"name\":\"location_unknown\",\"longname\":\"Location Unknown\",\"description\":\"The attack vector was not disclosed.\"},{\"name\":\"attack_type_unknown\",\"longname\":\"Attack Type Unknown\",\"description\":\"The attack type for this vulnerability is not known.\"},{\"name\":\"impact_unknown\",\"longname\":\"Impact Unknown\",\"description\":\"The exploitation impact is unknown.\"},{\"name\":\"exploit_unknown\",\"longname\":\"Exploit Unknown\",\"description\":\"The status of a working exploit is unknown.\"},{\"name\":\"solution_upgrade\",\"longname\":\"Upgrade\",\"description\":\"The vulnerability can be mitigated by installing the vendor-supplied upgrade.\"},{\"name\":\"disclosure_verified\",\"longname\":\"Vendor Verified\",\"description\":\"The vendor has verified this vulnerability.\"}],\"cvss_v2s\":[{\"access_vector\":\"NETWORK\",\"access_complexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentiality_impact\":\"COMPLETE\",\"integrity_impact\":\"COMPLETE\",\"availability_impact\":\"COMPLETE\",\"source\":\"Flashpoint\",\"generated_at\":\"2025-12-24T03:31:34Z\",\"cve_id\":null,\"score\":10,\"calculated_cvss_base_score\":10}],\"cvss_v3s\":[{\"attack_vector\":\"NETWORK\",\"attack_complexity\":\"LOW\",\"privileges_required\":\"NONE\",\"user_interaction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentiality_impact\":\"HIGH\",\"integrity_impact\":\"HIGH\",\"availability_impact\":\"HIGH\",\"source\":\"Flashpoint\",\"generated_at\":\"2025-12-24T03:31:34Z\",\"cve_id\":null,\"score\":9.8,\"calculated_cvss_base_score\":9.8,\"vector_string\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"version\":\"3.1\",\"remediation_level\":\"OFFICIAL_FIX\",\"report_confidence\":\"CONFIRMED\",\"exploit_code_maturity\":\"UNPROVEN\",\"temporal_score\":8.5,\"updated_at\":\"2025-12-24T0
3:32:15Z\"}],\"cvss_v4s\":[{\"score\":9.3,\"threat_score\":9.3,\"source\":\"Flashpoint\",\"generated_at\":\"2025-12-24T03:31:34.691000Z\",\"updated_at\":\"2025-12-24T03:31:34.775000Z\",\"cve_id\":null,\"vector_string\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X\",\"version\":\"4.0\",\"attack_vector\":\"NETWORK\",\"attack_complexity\":\"LOW\",\"attack_requirements\":\"NONE\",\"privileges_required\":\"NONE\",\"user_interaction\":\"NONE\",\"exploit_maturity\":\"NOT_DEFINED\",\"vulnerable_system_confidentiality_impact\":\"HIGH\",\"vulnerable_system_integrity_impact\":\"HIGH\",\"vulnerable_system_availability_impact\":\"HIGH\",\"subsequent_system_confidentiality_impact\":\"NONE\",\"subsequent_system_integrity_impact\":\"NONE\",\"subsequent_system_availability_impact\":\"NONE\"}],\"tags\":[],\"products\":[{\"id\":14542739,\"name\":\"AMD Adrenalin\"},{\"id\":14542740,\"name\":\"AMD PRO Edition\"}],\"vendors\":[{\"id\":5438,\"name\":\"Advanced Micro Devices\"}]}", + "type": [ + "info" + ] + }, + "message": "AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. 
No further details have been provided by the vendor.", + "tags": [ + "preserve_duplicate_custom_fields" + ], + "ti_flashpoint": { + "vulnerability": { + "classifications": [ + { + "description": "The attack vector was not disclosed.", + "longname": "Location Unknown", + "name": "location_unknown" + }, + { + "description": "The attack type for this vulnerability is not known.", + "longname": "Attack Type Unknown", + "name": "attack_type_unknown" + }, + { + "description": "The exploitation impact is unknown.", + "longname": "Impact Unknown", + "name": "impact_unknown" + }, + { + "description": "The status of a working exploit is unknown.", + "longname": "Exploit Unknown", + "name": "exploit_unknown" + }, + { + "description": "The vulnerability can be mitigated by installing the vendor-supplied upgrade.", + "longname": "Upgrade", + "name": "solution_upgrade" + }, + { + "description": "The vendor has verified this vulnerability.", + "longname": "Vendor Verified", + "name": "disclosure_verified" + } + ], + "cve_ids": [ + "CVE-2024-36333" + ], + "cvss_v2s": [ + { + "access_complexity": "LOW", + "access_vector": "NETWORK", + "authentication": "NONE", + "availability_impact": "COMPLETE", + "calculated_cvss_base_score": 10.0, + "confidentiality_impact": "COMPLETE", + "generated_at": "2025-12-24T03:31:34.000Z", + "integrity_impact": "COMPLETE", + "score": 10.0, + "source": "Flashpoint" + } + ], + "cvss_v3s": [ + { + "attack_complexity": "LOW", + "attack_vector": "NETWORK", + "availability_impact": "HIGH", + "calculated_cvss_base_score": 9.8, + "confidentiality_impact": "HIGH", + "exploit_code_maturity": "UNPROVEN", + "generated_at": "2025-12-24T03:31:34.000Z", + "integrity_impact": "HIGH", + "privileges_required": "NONE", + "remediation_level": "OFFICIAL_FIX", + "report_confidence": "CONFIRMED", + "scope": "UNCHANGED", + "score": 9.8, + "source": "Flashpoint", + "temporal_score": 8.5, + "updated_at": "2025-12-24T03:32:15.000Z", + "user_interaction": "NONE", + 
"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", + "version": "3.1" + } + ], + "cvss_v4s": [ + { + "attack_complexity": "LOW", + "attack_requirements": "NONE", + "attack_vector": "NETWORK", + "exploit_maturity": "NOT_DEFINED", + "generated_at": "2025-12-24T03:31:34.691Z", + "privileges_required": "NONE", + "score": 9.3, + "source": "Flashpoint", + "subsequent_system_availability_impact": "NONE", + "subsequent_system_confidentiality_impact": "NONE", + "subsequent_system_integrity_impact": "NONE", + "threat_score": 9.3, + "updated_at": "2025-12-24T03:31:34.775Z", + "user_interaction": "NONE", + "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X", + "version": "4.0", + "vulnerable_system_availability_impact": "HIGH", + "vulnerable_system_confidentiality_impact": "HIGH", + "vulnerable_system_integrity_impact": "HIGH" + } + ], + "description": "AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. 
No further details have been provided by the vendor.", + "exploits_count": 0, + "ext_references": [ + { + "created_at": "2025-12-23T14:46:21.000Z", + "type": "Vendor Specific Advisory URL", + "url": "https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html", + "value": "https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html" + }, + { + "created_at": "2025-12-23T14:44:29.000Z", + "type": "CVE ID", + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36333", + "value": "2024-36333" + }, + { + "created_at": "2025-12-23T14:42:04.000Z", + "type": "Vendor Specific Advisory URL", + "url": "https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html", + "value": "https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html" + } + ], + "id": "432233", + "products": [ + { + "id": "14542739", + "name": "AMD Adrenalin" + }, + { + "id": "14542740", + "name": "AMD PRO Edition" + } + ], + "scores": { + "cvssv3_score": 9.8, + "severity": "Critical" + }, + "solution": "It has been reported that this has been fixed. Please refer to the product listing for upgraded versions that address this vulnerability.", + "timelines": { + "disclosed_at": "2025-10-14T00:00:00.000Z", + "last_modified_at": "2025-12-24T03:32:15.000Z", + "published_at": "2025-12-24T03:32:15.000Z", + "solution_provided_at": "2025-10-29T00:00:00.000Z" + }, + "title": "AMD Adrenalin / PRO Edition Unspecified Issue (2024-36333)", + "vendors": [ + { + "id": "5438", + "name": "Advanced Micro Devices" + } + ], + "vuln_status": "Active" + } + }, + "vulnerability": { + "classification": "cvss", + "description": "AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. 
No further details have been provided by the vendor.", + "id": [ + "432233", + "CVE-2024-36333" + ], + "score": { + "base": [ + 10.0, + 9.8, + 9.3 + ], + "temporal": [ + 8.5 + ], + "version": [ + "3.1", + "4.0" + ] + }, + "severity": "Critical" + } + }, + { + "@timestamp": "2025-12-24T03:32:14.000Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-12-24T03:32:14.000Z", + "id": "432232", + "kind": "event", + "original": "{\"id\":432232,\"cve_ids\":[\"CVE-2024-36323\"],\"title\":\"AMD Adrenalin / PRO Edition Unspecified Issue (2024-36323)\",\"keywords\":\"\",\"description\":\"AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. No further details have been provided by the vendor.\",\"solution\":\"It has been reported that this has been fixed. Please refer to the product listing for upgraded versions that address this vulnerability.\",\"technical_description\":\"\",\"timelines\":{\"published_at\":\"2025-12-24T03:32:14Z\",\"last_modified_at\":\"2025-12-24T03:32:14Z\",\"exploit_published_at\":null,\"discovered_at\":null,\"disclosed_at\":\"2025-10-14T00:00:00Z\",\"vendor_informed_at\":null,\"vendor_acknowledged_at\":null,\"third_party_solution_provided_at\":null,\"solution_provided_at\":\"2025-10-29T00:00:00Z\",\"exploited_in_the_wild_at\":null},\"scores\":{\"severity\":\"Critical\",\"cvssv3_score\":9.8,\"epss_score\":null,\"epss_v1_score\":null,\"ransomware_score\":null},\"vuln_status\":\"Active\",\"cwes\":[],\"exploits_count\":0,\"ext_references\":[{\"value\":\"2024-36323\",\"type\":\"CVE ID\",\"url\":\"https://www.cve.org/CVERecord?id=CVE-2024-36323\",\"description\":null,\"created_at\":\"2025-12-23T14:44:29Z\"},{\"value\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html\",\"type\":\"Vendor Specific Advisory 
URL\",\"url\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html\",\"description\":null,\"created_at\":\"2025-12-23T14:46:21Z\"},{\"value\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html\",\"type\":\"Vendor Specific Advisory URL\",\"url\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html\",\"description\":null,\"created_at\":\"2025-12-23T14:42:04Z\"}],\"classifications\":[{\"name\":\"location_unknown\",\"longname\":\"Location Unknown\",\"description\":\"The attack vector was not disclosed.\"},{\"name\":\"attack_type_unknown\",\"longname\":\"Attack Type Unknown\",\"description\":\"The attack type for this vulnerability is not known.\"},{\"name\":\"impact_unknown\",\"longname\":\"Impact Unknown\",\"description\":\"The exploitation impact is unknown.\"},{\"name\":\"exploit_unknown\",\"longname\":\"Exploit Unknown\",\"description\":\"The status of a working exploit is unknown.\"},{\"name\":\"solution_upgrade\",\"longname\":\"Upgrade\",\"description\":\"The vulnerability can be mitigated by installing the vendor-supplied upgrade.\"},{\"name\":\"disclosure_verified\",\"longname\":\"Vendor Verified\",\"description\":\"The vendor has verified this 
vulnerability.\"}],\"cvss_v2s\":[{\"access_vector\":\"NETWORK\",\"access_complexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentiality_impact\":\"COMPLETE\",\"integrity_impact\":\"COMPLETE\",\"availability_impact\":\"COMPLETE\",\"source\":\"Flashpoint\",\"generated_at\":\"2025-12-24T03:31:35Z\",\"cve_id\":null,\"score\":10,\"calculated_cvss_base_score\":10}],\"cvss_v3s\":[{\"attack_vector\":\"NETWORK\",\"attack_complexity\":\"LOW\",\"privileges_required\":\"NONE\",\"user_interaction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentiality_impact\":\"HIGH\",\"integrity_impact\":\"HIGH\",\"availability_impact\":\"HIGH\",\"source\":\"Flashpoint\",\"generated_at\":\"2025-12-24T03:31:35Z\",\"cve_id\":null,\"score\":9.8,\"calculated_cvss_base_score\":9.8,\"vector_string\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"version\":\"3.1\",\"remediation_level\":\"OFFICIAL_FIX\",\"report_confidence\":\"CONFIRMED\",\"exploit_code_maturity\":\"UNPROVEN\",\"temporal_score\":8.5,\"updated_at\":\"2025-12-24T03:32:14Z\"}],\"cvss_v4s\":[{\"score\":9.3,\"threat_score\":9.3,\"source\":\"Flashpoint\",\"generated_at\":\"2025-12-24T03:31:35.797000Z\",\"updated_at\":\"2025-12-24T03:31:35.921000Z\",\"cve_id\":null,\"vector_string\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X\",\"version\":\"4.0\",\"attack_vector\":\"NETWORK\",\"attack_complexity\":\"LOW\",\"attack_requirements\":\"NONE\",\"privileges_required\":\"NONE\",\"user_interaction\":\"NONE\",\"exploit_maturity\":\"NOT_DEFINED\",\"vulnerable_system_confidentiality_impact\":\"HIGH\",\"vulnerable_system_integrity_impact\":\"HIGH\",\"vulnerable_system_availability_impact\":\"HIGH\",\"subsequent_system_confidentiality_impact\":\"NONE\",\"subsequent_system_integrity_impact\":\"NONE\",\"subsequent_system_availability_impact\":\"NONE\"}],\"tags\":[],\"products\":[{\"id\":14542739,\"name\":\"AMD Adrenalin\"},{\"id\":14542740,\"name\":\"AMD PRO 
Edition\"}],\"vendors\":[{\"id\":5438,\"name\":\"Advanced Micro Devices\"}]}", + "type": [ + "info" + ] + }, + "message": "AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. No further details have been provided by the vendor.", + "tags": [ + "preserve_duplicate_custom_fields" + ], + "ti_flashpoint": { + "vulnerability": { + "classifications": [ + { + "description": "The attack vector was not disclosed.", + "longname": "Location Unknown", + "name": "location_unknown" + }, + { + "description": "The attack type for this vulnerability is not known.", + "longname": "Attack Type Unknown", + "name": "attack_type_unknown" + }, + { + "description": "The exploitation impact is unknown.", + "longname": "Impact Unknown", + "name": "impact_unknown" + }, + { + "description": "The status of a working exploit is unknown.", + "longname": "Exploit Unknown", + "name": "exploit_unknown" + }, + { + "description": "The vulnerability can be mitigated by installing the vendor-supplied upgrade.", + "longname": "Upgrade", + "name": "solution_upgrade" + }, + { + "description": "The vendor has verified this vulnerability.", + "longname": "Vendor Verified", + "name": "disclosure_verified" + } + ], + "cve_ids": [ + "CVE-2024-36323" + ], + "cvss_v2s": [ + { + "access_complexity": "LOW", + "access_vector": "NETWORK", + "authentication": "NONE", + "availability_impact": "COMPLETE", + "calculated_cvss_base_score": 10.0, + "confidentiality_impact": "COMPLETE", + "generated_at": "2025-12-24T03:31:35.000Z", + "integrity_impact": "COMPLETE", + "score": 10.0, + "source": "Flashpoint" + } + ], + "cvss_v3s": [ + { + "attack_complexity": "LOW", + "attack_vector": "NETWORK", + "availability_impact": "HIGH", + "calculated_cvss_base_score": 9.8, + "confidentiality_impact": "HIGH", + "exploit_code_maturity": "UNPROVEN", + "generated_at": "2025-12-24T03:31:35.000Z", + "integrity_impact": "HIGH", + "privileges_required": "NONE", + 
"remediation_level": "OFFICIAL_FIX", + "report_confidence": "CONFIRMED", + "scope": "UNCHANGED", + "score": 9.8, + "source": "Flashpoint", + "temporal_score": 8.5, + "updated_at": "2025-12-24T03:32:14.000Z", + "user_interaction": "NONE", + "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", + "version": "3.1" + } + ], + "cvss_v4s": [ + { + "attack_complexity": "LOW", + "attack_requirements": "NONE", + "attack_vector": "NETWORK", + "exploit_maturity": "NOT_DEFINED", + "generated_at": "2025-12-24T03:31:35.797Z", + "privileges_required": "NONE", + "score": 9.3, + "source": "Flashpoint", + "subsequent_system_availability_impact": "NONE", + "subsequent_system_confidentiality_impact": "NONE", + "subsequent_system_integrity_impact": "NONE", + "threat_score": 9.3, + "updated_at": "2025-12-24T03:31:35.921Z", + "user_interaction": "NONE", + "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X", + "version": "4.0", + "vulnerable_system_availability_impact": "HIGH", + "vulnerable_system_confidentiality_impact": "HIGH", + "vulnerable_system_integrity_impact": "HIGH" + } + ], + "description": "AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. 
No further details have been provided by the vendor.", + "exploits_count": 0, + "ext_references": [ + { + "created_at": "2025-12-23T14:44:29.000Z", + "type": "CVE ID", + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36323", + "value": "2024-36323" + }, + { + "created_at": "2025-12-23T14:46:21.000Z", + "type": "Vendor Specific Advisory URL", + "url": "https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html", + "value": "https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html" + }, + { + "created_at": "2025-12-23T14:42:04.000Z", + "type": "Vendor Specific Advisory URL", + "url": "https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html", + "value": "https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html" + } + ], + "id": "432232", + "products": [ + { + "id": "14542739", + "name": "AMD Adrenalin" + }, + { + "id": "14542740", + "name": "AMD PRO Edition" + } + ], + "scores": { + "cvssv3_score": 9.8, + "severity": "Critical" + }, + "solution": "It has been reported that this has been fixed. Please refer to the product listing for upgraded versions that address this vulnerability.", + "timelines": { + "disclosed_at": "2025-10-14T00:00:00.000Z", + "last_modified_at": "2025-12-24T03:32:14.000Z", + "published_at": "2025-12-24T03:32:14.000Z", + "solution_provided_at": "2025-10-29T00:00:00.000Z" + }, + "title": "AMD Adrenalin / PRO Edition Unspecified Issue (2024-36323)", + "vendors": [ + { + "id": "5438", + "name": "Advanced Micro Devices" + } + ], + "vuln_status": "Active" + } + }, + "vulnerability": { + "classification": "cvss", + "description": "AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. 
No further details have been provided by the vendor.", + "id": [ + "432232", + "CVE-2024-36323" + ], + "score": { + "base": [ + 10.0, + 9.8, + 9.3 + ], + "temporal": [ + 8.5 + ], + "version": [ + "3.1", + "4.0" + ] + }, + "severity": "Critical" + } + }, + { + "@timestamp": "2025-12-24T03:32:12.000Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-12-24T03:32:12.000Z", + "id": "432231", + "kind": "event", + "original": "{\"id\":432231,\"cve_ids\":[\"CVE-2024-36325\"],\"title\":\"AMD Adrenalin / PRO Edition Unspecified Issue (2024-36325)\",\"keywords\":\"\",\"description\":\"AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. No further details have been provided by the vendor.\",\"solution\":\"It has been reported that this has been fixed. Please refer to the product listing for upgraded versions that address this vulnerability.\",\"technical_description\":\"\",\"timelines\":{\"published_at\":\"2025-12-24T03:32:12Z\",\"last_modified_at\":\"2025-12-24T03:32:12Z\",\"exploit_published_at\":null,\"discovered_at\":null,\"disclosed_at\":\"2025-10-14T00:00:00Z\",\"vendor_informed_at\":null,\"vendor_acknowledged_at\":null,\"third_party_solution_provided_at\":null,\"solution_provided_at\":\"2025-10-29T00:00:00Z\",\"exploited_in_the_wild_at\":null},\"scores\":{\"severity\":\"Critical\",\"cvssv3_score\":9.8,\"epss_score\":null,\"epss_v1_score\":null,\"ransomware_score\":null},\"vuln_status\":\"Active\",\"cwes\":[],\"exploits_count\":0,\"ext_references\":[{\"value\":\"2024-36325\",\"type\":\"CVE ID\",\"url\":\"https://www.cve.org/CVERecord?id=CVE-2024-36325\",\"description\":null,\"created_at\":\"2025-12-22T15:48:34Z\"},{\"value\":\"https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-chromeos_17.html\",\"type\":\"Vendor Specific Advisory 
URL\",\"url\":\"https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-chromeos_17.html\",\"description\":null,\"created_at\":\"2025-12-22T15:44:46Z\"},{\"value\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html\",\"type\":\"Vendor Specific Advisory URL\",\"url\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html\",\"description\":null,\"created_at\":\"2025-12-23T14:46:21Z\"},{\"value\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html\",\"type\":\"Vendor Specific Advisory URL\",\"url\":\"https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html\",\"description\":null,\"created_at\":\"2025-12-23T14:42:04Z\"}],\"classifications\":[{\"name\":\"location_unknown\",\"longname\":\"Location Unknown\",\"description\":\"The attack vector was not disclosed.\"},{\"name\":\"attack_type_unknown\",\"longname\":\"Attack Type Unknown\",\"description\":\"The attack type for this vulnerability is not known.\"},{\"name\":\"impact_unknown\",\"longname\":\"Impact Unknown\",\"description\":\"The exploitation impact is unknown.\"},{\"name\":\"exploit_unknown\",\"longname\":\"Exploit Unknown\",\"description\":\"The status of a working exploit is unknown.\"},{\"name\":\"solution_upgrade\",\"longname\":\"Upgrade\",\"description\":\"The vulnerability can be mitigated by installing the vendor-supplied upgrade.\"},{\"name\":\"disclosure_verified\",\"longname\":\"Vendor Verified\",\"description\":\"The vendor has verified this 
vulnerability.\"}],\"cvss_v2s\":[{\"access_vector\":\"NETWORK\",\"access_complexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentiality_impact\":\"COMPLETE\",\"integrity_impact\":\"COMPLETE\",\"availability_impact\":\"COMPLETE\",\"source\":\"Flashpoint\",\"generated_at\":\"2025-12-24T03:31:37Z\",\"cve_id\":null,\"score\":10,\"calculated_cvss_base_score\":10}],\"cvss_v3s\":[{\"attack_vector\":\"NETWORK\",\"attack_complexity\":\"LOW\",\"privileges_required\":\"NONE\",\"user_interaction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentiality_impact\":\"HIGH\",\"integrity_impact\":\"HIGH\",\"availability_impact\":\"HIGH\",\"source\":\"Flashpoint\",\"generated_at\":\"2025-12-24T03:31:37Z\",\"cve_id\":null,\"score\":9.8,\"calculated_cvss_base_score\":9.8,\"vector_string\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"version\":\"3.1\",\"remediation_level\":\"OFFICIAL_FIX\",\"report_confidence\":\"CONFIRMED\",\"exploit_code_maturity\":\"UNPROVEN\",\"temporal_score\":8.5,\"updated_at\":\"2025-12-24T03:32:12Z\"}],\"cvss_v4s\":[{\"score\":9.3,\"threat_score\":9.3,\"source\":\"Flashpoint\",\"generated_at\":\"2025-12-24T03:31:37.053000Z\",\"updated_at\":\"2025-12-24T03:31:37.199000Z\",\"cve_id\":null,\"vector_string\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X\",\"version\":\"4.0\",\"attack_vector\":\"NETWORK\",\"attack_complexity\":\"LOW\",\"attack_requirements\":\"NONE\",\"privileges_required\":\"NONE\",\"user_interaction\":\"NONE\",\"exploit_maturity\":\"NOT_DEFINED\",\"vulnerable_system_confidentiality_impact\":\"HIGH\",\"vulnerable_system_integrity_impact\":\"HIGH\",\"vulnerable_system_availability_impact\":\"HIGH\",\"subsequent_system_confidentiality_impact\":\"NONE\",\"subsequent_system_integrity_impact\":\"NONE\",\"subsequent_system_availability_impact\":\"NONE\"}],\"tags\":[\"oss\"],\"products\":[{\"id\":100811,\"name\":\"Chrome OS\"},{\"id\":14542739,\"name\":\"AMD Adrenalin\"},{\"id\":14542740,\"name\":\"AMD PRO 
Edition\"}],\"vendors\":[{\"id\":2613,\"name\":\"Google\"},{\"id\":5438,\"name\":\"Advanced Micro Devices\"}]}", + "type": [ + "info" + ] + }, + "message": "AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. No further details have been provided by the vendor.", + "tags": [ + "preserve_duplicate_custom_fields" + ], + "ti_flashpoint": { + "vulnerability": { + "classifications": [ + { + "description": "The attack vector was not disclosed.", + "longname": "Location Unknown", + "name": "location_unknown" + }, + { + "description": "The attack type for this vulnerability is not known.", + "longname": "Attack Type Unknown", + "name": "attack_type_unknown" + }, + { + "description": "The exploitation impact is unknown.", + "longname": "Impact Unknown", + "name": "impact_unknown" + }, + { + "description": "The status of a working exploit is unknown.", + "longname": "Exploit Unknown", + "name": "exploit_unknown" + }, + { + "description": "The vulnerability can be mitigated by installing the vendor-supplied upgrade.", + "longname": "Upgrade", + "name": "solution_upgrade" + }, + { + "description": "The vendor has verified this vulnerability.", + "longname": "Vendor Verified", + "name": "disclosure_verified" + } + ], + "cve_ids": [ + "CVE-2024-36325" + ], + "cvss_v2s": [ + { + "access_complexity": "LOW", + "access_vector": "NETWORK", + "authentication": "NONE", + "availability_impact": "COMPLETE", + "calculated_cvss_base_score": 10.0, + "confidentiality_impact": "COMPLETE", + "generated_at": "2025-12-24T03:31:37.000Z", + "integrity_impact": "COMPLETE", + "score": 10.0, + "source": "Flashpoint" + } + ], + "cvss_v3s": [ + { + "attack_complexity": "LOW", + "attack_vector": "NETWORK", + "availability_impact": "HIGH", + "calculated_cvss_base_score": 9.8, + "confidentiality_impact": "HIGH", + "exploit_code_maturity": "UNPROVEN", + "generated_at": "2025-12-24T03:31:37.000Z", + "integrity_impact": "HIGH", + 
"privileges_required": "NONE", + "remediation_level": "OFFICIAL_FIX", + "report_confidence": "CONFIRMED", + "scope": "UNCHANGED", + "score": 9.8, + "source": "Flashpoint", + "temporal_score": 8.5, + "updated_at": "2025-12-24T03:32:12.000Z", + "user_interaction": "NONE", + "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", + "version": "3.1" + } + ], + "cvss_v4s": [ + { + "attack_complexity": "LOW", + "attack_requirements": "NONE", + "attack_vector": "NETWORK", + "exploit_maturity": "NOT_DEFINED", + "generated_at": "2025-12-24T03:31:37.053Z", + "privileges_required": "NONE", + "score": 9.3, + "source": "Flashpoint", + "subsequent_system_availability_impact": "NONE", + "subsequent_system_confidentiality_impact": "NONE", + "subsequent_system_integrity_impact": "NONE", + "threat_score": 9.3, + "updated_at": "2025-12-24T03:31:37.199Z", + "user_interaction": "NONE", + "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X", + "version": "4.0", + "vulnerable_system_availability_impact": "HIGH", + "vulnerable_system_confidentiality_impact": "HIGH", + "vulnerable_system_integrity_impact": "HIGH" + } + ], + "description": "AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. 
No further details have been provided by the vendor.", + "exploits_count": 0, + "ext_references": [ + { + "created_at": "2025-12-22T15:48:34.000Z", + "type": "CVE ID", + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36325", + "value": "2024-36325" + }, + { + "created_at": "2025-12-22T15:44:46.000Z", + "type": "Vendor Specific Advisory URL", + "url": "https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-chromeos_17.html", + "value": "https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-chromeos_17.html" + }, + { + "created_at": "2025-12-23T14:46:21.000Z", + "type": "Vendor Specific Advisory URL", + "url": "https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html", + "value": "https://www.amd.com/en/resources/support-articles/release-notes/RN-PRO-WIN-25-Q3-1.html" + }, + { + "created_at": "2025-12-23T14:42:04.000Z", + "type": "Vendor Specific Advisory URL", + "url": "https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html", + "value": "https://www.amd.com/en/resources/support-articles/release-notes/RN-RAD-WIN-25-10-2.html" + } + ], + "id": "432231", + "products": [ + { + "id": "100811", + "name": "Chrome OS" + }, + { + "id": "14542739", + "name": "AMD Adrenalin" + }, + { + "id": "14542740", + "name": "AMD PRO Edition" + } + ], + "scores": { + "cvssv3_score": 9.8, + "severity": "Critical" + }, + "solution": "It has been reported that this has been fixed. 
Please refer to the product listing for upgraded versions that address this vulnerability.", + "tags": [ + "oss" + ], + "timelines": { + "disclosed_at": "2025-10-14T00:00:00.000Z", + "last_modified_at": "2025-12-24T03:32:12.000Z", + "published_at": "2025-12-24T03:32:12.000Z", + "solution_provided_at": "2025-10-29T00:00:00.000Z" + }, + "title": "AMD Adrenalin / PRO Edition Unspecified Issue (2024-36325)", + "vendors": [ + { + "id": "2613", + "name": "Google" + }, + { + "id": "5438", + "name": "Advanced Micro Devices" + } + ], + "vuln_status": "Active" + } + }, + "vulnerability": { + "classification": "cvss", + "description": "AMD Adrenalin and PRO Edition contain an unspecified flaw that may allow an attacker to have an unspecified impact. No further details have been provided by the vendor.", + "id": [ + "432231", + "CVE-2024-36325" + ], + "score": { + "base": [ + 10.0, + 9.8, + 9.3 + ], + "temporal": [ + 8.5 + ], + "version": [ + "3.1", + "4.0" + ] + }, + "severity": "Critical" + } + } + ] +} diff --git a/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/system/test-default-config.yml b/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..6b62313e822 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/_dev/test/system/test-default-config.yml @@ -0,0 +1,12 @@ +input: cel +service: ti_flashpoint +vars: + url: http://{{Hostname}}:{{Port}} + api_token: xxxx +data_stream: + vars: + preserve_original_event: true + preserve_duplicate_custom_fields: true + page_size: 2 +assert: + hit_count: 6 diff --git a/packages/ti_flashpoint/data_stream/vulnerability/agent/stream/cel.yml.hbs b/packages/ti_flashpoint/data_stream/vulnerability/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..3531ad1bbab --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/agent/stream/cel.yml.hbs 
@@ -0,0 +1,133 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +{{#if max_executions}} +max_executions: {{max_executions}} +{{/if}} +resource.url: {{url}} + +state: + initial_interval: {{initial_interval}} + page_size: {{page_size}} + api_token: {{api_token}} +redact: + fields: + - api_token +program: | + state.with( + request( + "GET", + state.?next.url.orValue( + state.url.trim_right("/") + "/vulnerability-intelligence/v1/vulnerabilities?" + { + "size": [string(state.page_size)], + "updated_after": [state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format("2006-01-02T15:04:05")) + "Z"] + }.format_query() + ) + ).with({ + "Header": { + "Accept": ["application/json"], + "Authorization": ["Bearer " + state.api_token], + } + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, + { + // Publish events + "events": ((has(body.results) && size(body.results) > 0) ? + body.results.map(e, { + "message": e.encode_json() + }) + : + // Added placeholder to ensure cursor gets stored + // This will be dropped later in the pipeline + [{"message": "empty_events_placeholder"}] + ), + "cursor": { + // 'max_last_modified_at' tracks the maximum 'last_modified_at' timestamp + // encountered across all pages within the current polling cycle. + ?"max_last_modified_at": (has(body.results) && size(body.results) > 0) ? + (has(state.?cursor.max_last_modified_at) ? 
+ optional.of( + max([ + state.cursor.max_last_modified_at.parse_time("2006-01-02T15:04:05"), + body.results.map(e, timestamp(e.timelines.last_modified_at)).max() + ]).format("2006-01-02T15:04:05") + ) + : + optional.of(body.results.map(e, timestamp(e.timelines.last_modified_at)).max().format("2006-01-02T15:04:05")) + ) + : + state.?cursor.max_last_modified_at, + + // 'last_timestamp' is finalized only on the last page of pagination + // and is used as the starting point for the next scheduled run. + ?"last_timestamp": has(body.next) && body.next == null ? + ((has(body.results) && size(body.results) > 0) ? + (has(state.?cursor.max_last_modified_at) ? + optional.of( + max([ + state.cursor.max_last_modified_at.parse_time("2006-01-02T15:04:05"), + body.results.map(e, timestamp(e.timelines.last_modified_at)).max(), + ]).format("2006-01-02T15:04:05") + ) + : + optional.of(body.results.map(e, timestamp(e.timelines.last_modified_at)).max().format("2006-01-02T15:04:05")) + ) + : + state.?cursor.max_last_modified_at) + : + state.?cursor.last_timestamp + }, + "next": { + ?"url": has(body.next) && body.next != null ? optional.of(body.next) : optional.none() + }, + "want_more": has(body.next) && body.next != null + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/vulnerability-intelligence/v1/vulnerabilities: " + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "next": {}, + "want_more": false + } + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} 
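Review bot: in the cursor block of the CEL program, `last_timestamp` is only finalized when `has(body.next) && body.next == null`, and `want_more` is only true when `has(body.next) && body.next != null`; if the API omits the `next` key on the last page instead of sending `null`, pagination stops but `last_timestamp` is never advanced, so every later run re-queries from the same `updated_after` and relies on the `_id` fingerprint to absorb the duplicates. Use `!has(body.next) || body.next == null` as the finalize condition and mirror it in `want_more`. Two smaller points on the same block: `body.results.map(e, timestamp(e.timelines.last_modified_at))` aborts the whole request if any result has `last_modified_at: null` (the sample payloads already show other `timelines` keys as `null`), so filter on `has(e.timelines.last_modified_at) && e.timelines.last_modified_at != null` before mapping; and the cursor is formatted with `"2006-01-02T15:04:05"`, which truncates to whole seconds, so the README should state whether `updated_after` is inclusive, because an exclusive comparison would drop any record modified in the same second as the stored cursor.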
diff --git a/packages/ti_flashpoint/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/ti_flashpoint/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..bf555af0678 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,874 @@ +--- +description: Pipeline for processing vulnerability logs. +processors: + - drop: + tag: drop_empty_events_placeholder_1f3e6c12 + if: ctx.message == 'empty_events_placeholder' + - set: + tag: set_ecs_version_to_9_2_0_3273339c + field: ecs.version + value: 9.2.0 + - terminate: + description: error message set and no data to process. + tag: terminate_data_collection_error_4c75f12b + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + + # remove agentless metadata + - remove: + description: Removes the fields added by Agentless as metadata, as they can collide with ECS fields. + tag: remove_agentless_tags_44eed408 + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + field: + - organization + - division + - team + ignore_missing: true + + # parse the event JSON + - rename: + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + tag: rename_message_to_event_original_c74b1d7e + if: ctx.event?.original == null + field: message + target_field: event.original + ignore_missing: true + - remove: + description: The `message` field is no longer required if the document has an `event.original` field. 
+ tag: remove_message_84808ee4 + if: ctx.event?.original != null + field: + - message + ignore_missing: true + - json: + tag: json_event_original_into_json_5e54dc16 + field: event.original + target_field: json + + # Add fingerprint + - fingerprint: + tag: fingerprint_into__id_3606769e + fields: + - json.id + - json.timelines.last_modified_at + target_field: _id + ignore_missing: true + + # Set event.* fields + - set: + tag: set_event_kind_to_event_de80643c + field: event.kind + value: event + - append: + tag: Append_event_type_to_info_8a66ccaa + field: event.type + value: info + - append: + tag: Append_event_category_to_vulnerability_5737514c + field: event.category + value: vulnerability + + # rename fields to snake_case (hyphen to underscore) + - script: + description: Convert field names from hyphen to underscore. + tag: script_normalize_field_names_10f34910 + lang: painless + source: |- + // Replace '-' with '_' in field names + String normalize(String str) { + return str.replace('-', '_'); + } + + // Recursive function to process objects + def normalizeFields(def obj) { + if (obj instanceof Map) { + def newObj = new HashMap(); + for (entry in obj.entrySet()) { + String newKey = normalize(entry.getKey()); + newObj.put(newKey, normalizeFields(entry.getValue())); + } + return newObj; + } else if (obj instanceof List) { + def newList = new ArrayList(); + for (item in obj) { + newList.add(normalizeFields(item)); + } + return newList; + } + return obj; + } + + // Apply transformation + if (ctx.json != null) { + ctx.ti_flashpoint = ctx.ti_flashpoint ?: [:]; + ctx.ti_flashpoint.vulnerability = normalizeFields(ctx.json); + ctx.remove('json'); + } + + # Date processors + - date: + tag: date_ti_flashpoint_vulnerability_timelines_disclosed_at_into_ti_flashpoint_vulnerability_timelines_disclosed_at_737ff512 + if: ctx.ti_flashpoint?.vulnerability?.timelines?.disclosed_at != null && ctx.ti_flashpoint.vulnerability.timelines.disclosed_at != '' + field: 
ti_flashpoint.vulnerability.timelines.disclosed_at + target_field: ti_flashpoint.vulnerability.timelines.disclosed_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_timelines_disclosed_at_7c062f2a + field: + - ti_flashpoint.vulnerability.timelines.disclosed_at + - append: + tag: append_error_message_b4679182 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_vulnerability_timelines_discovered_at_into_ti_flashpoint_vulnerability_timelines_discovered_at_f7432a5c + if: ctx.ti_flashpoint?.vulnerability?.timelines?.discovered_at != null && ctx.ti_flashpoint.vulnerability.timelines.discovered_at != '' + field: ti_flashpoint.vulnerability.timelines.discovered_at + target_field: ti_flashpoint.vulnerability.timelines.discovered_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_timelines_discovered_at_bc5f5d04 + field: + - ti_flashpoint.vulnerability.timelines.discovered_at + - append: + tag: append_error_message_de16ca7c + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_vulnerability_timelines_exploit_published_at_into_ti_flashpoint_vulnerability_timelines_exploit_published_at_d0afead2 + if: ctx.ti_flashpoint?.vulnerability?.timelines?.exploit_published_at != null && ctx.ti_flashpoint.vulnerability.timelines.exploit_published_at != '' + field: ti_flashpoint.vulnerability.timelines.exploit_published_at + target_field: ti_flashpoint.vulnerability.timelines.exploit_published_at + formats: + - ISO8601 + on_failure: + - remove: + tag: 
remove_ti_flashpoint_vulnerability_timelines_exploit_published_at_5a3357e8 + field: + - ti_flashpoint.vulnerability.timelines.exploit_published_at + - append: + tag: append_error_message_ea67c242 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_vulnerability_timelines_exploited_in_the_wild_at_into_ti_flashpoint_vulnerability_timelines_exploited_in_the_wild_at_381522ac + if: ctx.ti_flashpoint?.vulnerability?.timelines?.exploited_in_the_wild_at != null && ctx.ti_flashpoint.vulnerability.timelines.exploited_in_the_wild_at != '' + field: ti_flashpoint.vulnerability.timelines.exploited_in_the_wild_at + target_field: ti_flashpoint.vulnerability.timelines.exploited_in_the_wild_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_timelines_exploited_in_the_wild_at_e407d55f + field: + - ti_flashpoint.vulnerability.timelines.exploited_in_the_wild_at + - append: + tag: append_error_message_a8c4d4cc + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_vulnerability_timelines_last_modified_at_into_ti_flashpoint_vulnerability_timelines_last_modified_at_f8892236 + if: ctx.ti_flashpoint?.vulnerability?.timelines?.last_modified_at != null && ctx.ti_flashpoint.vulnerability.timelines.last_modified_at != '' + field: ti_flashpoint.vulnerability.timelines.last_modified_at + target_field: ti_flashpoint.vulnerability.timelines.last_modified_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_timelines_last_modified_at_49a13f40 + field: + - 
ti_flashpoint.vulnerability.timelines.last_modified_at + - append: + tag: append_error_message_85ea3ef6 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_vulnerability_timelines_published_at_into_ti_flashpoint_vulnerability_timelines_published_at_6b2a37a6 + if: ctx.ti_flashpoint?.vulnerability?.timelines?.published_at != null && ctx.ti_flashpoint.vulnerability.timelines.published_at != '' + field: ti_flashpoint.vulnerability.timelines.published_at + target_field: ti_flashpoint.vulnerability.timelines.published_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_timelines_published_at_7c0d2658 + field: + - ti_flashpoint.vulnerability.timelines.published_at + - append: + tag: append_error_message_ee852366 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_vulnerability_timelines_solution_provided_at_into_ti_flashpoint_vulnerability_timelines_solution_provided_at_51cef6d4 + if: ctx.ti_flashpoint?.vulnerability?.timelines?.solution_provided_at != null && ctx.ti_flashpoint.vulnerability.timelines.solution_provided_at != '' + field: ti_flashpoint.vulnerability.timelines.solution_provided_at + target_field: ti_flashpoint.vulnerability.timelines.solution_provided_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_timelines_solution_provided_at_6947d7a9 + field: + - ti_flashpoint.vulnerability.timelines.solution_provided_at + - append: + tag: append_error_message_dc4e0964 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_vulnerability_timelines_third_party_solution_provided_at_into_ti_flashpoint_vulnerability_timelines_third_party_solution_provided_at_72a8d2da + if: ctx.ti_flashpoint?.vulnerability?.timelines?.third_party_solution_provided_at != null && ctx.ti_flashpoint.vulnerability.timelines.third_party_solution_provided_at != '' + field: ti_flashpoint.vulnerability.timelines.third_party_solution_provided_at + target_field: ti_flashpoint.vulnerability.timelines.third_party_solution_provided_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_timelines_third_party_solution_provided_at_77353778 + field: + - ti_flashpoint.vulnerability.timelines.third_party_solution_provided_at + - append: + tag: append_error_message_0236f4ba + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_vulnerability_timelines_vendor_acknowledged_at_into_ti_flashpoint_vulnerability_timelines_vendor_acknowledged_at_1105dae0 + if: ctx.ti_flashpoint?.vulnerability?.timelines?.vendor_acknowledged_at != null && ctx.ti_flashpoint.vulnerability.timelines.vendor_acknowledged_at != '' + field: ti_flashpoint.vulnerability.timelines.vendor_acknowledged_at + target_field: ti_flashpoint.vulnerability.timelines.vendor_acknowledged_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_timelines_vendor_acknowledged_at_dc2bd855 + field: + - ti_flashpoint.vulnerability.timelines.vendor_acknowledged_at + - append: + tag: append_error_message_ee376d50 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date_ti_flashpoint_vulnerability_timelines_vendor_informed_at_into_ti_flashpoint_vulnerability_timelines_vendor_informed_at_d35e2608 + if: ctx.ti_flashpoint?.vulnerability?.timelines?.vendor_informed_at != null && ctx.ti_flashpoint.vulnerability.timelines.vendor_informed_at != '' + field: ti_flashpoint.vulnerability.timelines.vendor_informed_at + target_field: ti_flashpoint.vulnerability.timelines.vendor_informed_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_timelines_vendor_informed_at_5c011989 + field: + - ti_flashpoint.vulnerability.timelines.vendor_informed_at + - append: + tag: append_error_message_bc5bb068 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v2s_699adc9b + if: ctx.ti_flashpoint?.vulnerability?.cvss_v2s instanceof List + field: ti_flashpoint.vulnerability.cvss_v2s + processor: + date: + tag: date__ingest__value_generated_at_into__ingest__value_generated_at_e94db8dd + field: _ingest._value.generated_at + target_field: _ingest._value.generated_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove__ingest__value_generated_at_bb878571 + field: + - _ingest._value.generated_at + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v3s_d4b7901a + if: ctx.ti_flashpoint?.vulnerability?.cvss_v3s instanceof List + field: ti_flashpoint.vulnerability.cvss_v3s + processor: + date: + tag: date__ingest__value_generated_at_into__ingest__value_generated_at_9aa1db31 + field: _ingest._value.generated_at + target_field: _ingest._value.generated_at + formats: + - ISO8601 + on_failure: + - remove: + tag: 
remove__ingest__value_generated_at_bf08a825 + field: + - _ingest._value.generated_at + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v3s_d3b78e87 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v3s instanceof List + field: ti_flashpoint.vulnerability.cvss_v3s + processor: + date: + tag: date__ingest__value_updated_at_into__ingest__value_updated_at_5764a101 + field: _ingest._value.updated_at + target_field: _ingest._value.updated_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove__ingest__value_updated_at_66f90147 + field: + - _ingest._value.updated_at + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v4s_5a0cbac6 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v4s instanceof List + field: ti_flashpoint.vulnerability.cvss_v4s + processor: + date: + tag: date__ingest__value_generated_at_into__ingest__value_generated_at_4e3e9975 + field: _ingest._value.generated_at + target_field: _ingest._value.generated_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove__ingest__value_generated_at_74eec5b9 + field: + - _ingest._value.generated_at + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v4s_590cb933 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v4s instanceof List + field: ti_flashpoint.vulnerability.cvss_v4s + processor: + date: + tag: date__ingest__value_updated_at_into__ingest__value_updated_at_cd81df25 + field: _ingest._value.updated_at + target_field: _ingest._value.updated_at + formats: + - ISO8601 + on_failure: + - remove: + tag: remove__ingest__value_updated_at_93d5599b + field: + - _ingest._value.updated_at + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_ext_references_14beb767 + if: ctx.ti_flashpoint?.vulnerability?.ext_references instanceof List + field: ti_flashpoint.vulnerability.ext_references + processor: + date: + tag: date__ingest__value_created_at_into__ingest__value_created_at_12f913cb + field: _ingest._value.created_at + target_field: _ingest._value.created_at + formats: + - 
ISO8601 + on_failure: + - remove: + tag: remove__ingest__value_created_at_aef458b8 + field: + - _ingest._value.created_at + + # Convert to Long + - convert: + tag: convert_ti_flashpoint_vulnerability_exploits_count_to_long_72327703 + field: ti_flashpoint.vulnerability.exploits_count + type: long + ignore_missing: true + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_exploits_count_47b3cb11 + field: + - ti_flashpoint.vulnerability.exploits_count + - append: + tag: append_error_message_04b0fe31 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # Convert to Double + - convert: + tag: convert_ti_flashpoint_vulnerability_scores_cvssv3_score_to_double_b97a772c + field: ti_flashpoint.vulnerability.scores.cvssv3_score + type: double + ignore_missing: true + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_scores_cvssv3_score_84b74166 + field: + - ti_flashpoint.vulnerability.scores.cvssv3_score + - append: + tag: append_error_message_246f524c + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + tag: convert_ti_flashpoint_vulnerability_scores_epss_score_to_double_95df7349 + field: ti_flashpoint.vulnerability.scores.epss_score + type: double + ignore_missing: true + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_scores_epss_score_4ecf604e + field: + - ti_flashpoint.vulnerability.scores.epss_score + - append: + tag: append_error_message_0b0159bf + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - convert: + tag: convert_ti_flashpoint_vulnerability_scores_epss_v1_score_to_double_34c35ce5 + field: ti_flashpoint.vulnerability.scores.epss_v1_score + type: double + ignore_missing: true + on_failure: + - remove: + tag: remove_ti_flashpoint_vulnerability_scores_epss_v1_score_c303bfb2 + field: + - ti_flashpoint.vulnerability.scores.epss_v1_score + - append: + tag: append_error_message_0a6f808b + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v2s_d112382d + if: ctx.ti_flashpoint?.vulnerability?.cvss_v2s instanceof List + field: ti_flashpoint.vulnerability.cvss_v2s + processor: + convert: + tag: convert__ingest__value_calculated_cvss_base_score_to_double_1108d30f + field: _ingest._value.calculated_cvss_base_score + type: double + ignore_missing: true + on_failure: + - remove: + tag: remove__ingest__value_calculated_cvss_base_score_a9866cb7 + field: + - _ingest._value.calculated_cvss_base_score + - append: + tag: append_error_message_a5ba0d8d + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v3s_fece96a1 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v3s instanceof List + field: ti_flashpoint.vulnerability.cvss_v3s + processor: + convert: + tag: convert__ingest__value_calculated_cvss_base_score_to_double_74ea9383 + field: _ingest._value.calculated_cvss_base_score + type: double + ignore_missing: true + on_failure: + - remove: + tag: remove__ingest__value_calculated_cvss_base_score_8d385c1b + field: + - _ingest._value.calculated_cvss_base_score + - 
append: + tag: append_error_message_eb7bd3b1 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v3s_fbce91e8 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v3s instanceof List + field: ti_flashpoint.vulnerability.cvss_v3s + processor: + convert: + tag: convert__ingest__value_temporal_score_to_double_060c9f7f + field: _ingest._value.temporal_score + type: double + ignore_missing: true + on_failure: + - remove: + tag: remove__ingest__value_temporal_score_387c44e7 + field: + - _ingest._value.temporal_score + - append: + tag: append_error_message_07be273d + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v4s_152a4e85 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v4s instanceof List + field: ti_flashpoint.vulnerability.cvss_v4s + processor: + convert: + tag: convert__ingest__value_threat_score_to_double_d3428e59 + field: _ingest._value.threat_score + type: double + ignore_missing: true + on_failure: + - remove: + tag: remove__ingest__value_threat_score_c7981737 + field: + - _ingest._value.threat_score + - append: + tag: append_error_message_b294d10f + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # Convert to Float + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v2s_ce123374 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v2s instanceof List + field: ti_flashpoint.vulnerability.cvss_v2s + 
processor: + convert: + tag: convert__ingest__value_score_to_float_aea0fabb + field: _ingest._value.score + type: float + ignore_missing: true + on_failure: + - remove: + tag: remove__ingest__value_score_2d4e5774 + field: + - _ingest._value.score + - append: + tag: append_error_message_74cc1ef9 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v3s_fcce937b + if: ctx.ti_flashpoint?.vulnerability?.cvss_v3s instanceof List + field: ti_flashpoint.vulnerability.cvss_v3s + processor: + convert: + tag: convert__ingest__value_score_to_float_2034b4df + field: _ingest._value.score + type: float + ignore_missing: true + on_failure: + - remove: + tag: remove__ingest__value_score_261237a8 + field: + - _ingest._value.score + - append: + tag: append_error_message_91e41a9d + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v4s_122a49cc + if: ctx.ti_flashpoint?.vulnerability?.cvss_v4s instanceof List + field: ti_flashpoint.vulnerability.cvss_v4s + processor: + convert: + tag: convert__ingest__value_score_to_float_76ff7e33 + field: _ingest._value.score + type: float + ignore_missing: true + on_failure: + - remove: + tag: remove__ingest__value_score_deeebd3c + field: + - _ingest._value.score + - append: + tag: append_error_message_041ca5e1 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # Convert to String + - 
convert: + tag: convert_ti_flashpoint_vulnerability_id_to_string_d9e1251f + field: ti_flashpoint.vulnerability.id + type: string + ignore_missing: true + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cwes_8a45cce2 + if: ctx.ti_flashpoint?.vulnerability?.cwes instanceof List + field: ti_flashpoint.vulnerability.cwes + processor: + convert: + tag: convert__ingest__value_cwe_id_to_string_5691ae55 + field: _ingest._value.cwe_id + type: string + ignore_missing: true + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_products_477bab32 + if: ctx.ti_flashpoint?.vulnerability?.products instanceof List + field: ti_flashpoint.vulnerability.products + processor: + convert: + tag: convert__ingest__value_id_to_string_7ce51ccb + field: _ingest._value.id + type: string + ignore_missing: true + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_vendors_b2ba1c50 + if: ctx.ti_flashpoint?.vulnerability?.vendors instanceof List + field: ti_flashpoint.vulnerability.vendors + processor: + convert: + tag: convert__ingest__value_id_to_string_5818c7b5 + field: _ingest._value.id + type: string + ignore_missing: true + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v2s_cf123507 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v2s instanceof List + field: ti_flashpoint.vulnerability.cvss_v2s + processor: + convert: + tag: convert__ingest__value_version_to_string_c850fbc8 + field: _ingest._value.version + type: string + ignore_missing: true + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v3s_01ce9b5a + if: ctx.ti_flashpoint?.vulnerability?.cvss_v3s instanceof List + field: ti_flashpoint.vulnerability.cvss_v3s + processor: + convert: + tag: convert__ingest__value_version_to_string_c684b2d4 + field: _ingest._value.version + type: string + ignore_missing: true + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v4s_132a4b5f + if: ctx.ti_flashpoint?.vulnerability?.cvss_v4s instanceof List + field: ti_flashpoint.vulnerability.cvss_v4s + 
processor: + convert: + tag: convert__ingest__value_version_to_string_eb868e40 + field: _ingest._value.version + type: string + ignore_missing: true + + # Map custom fields to corresponding ECS and related fields. + - set: + tag: set_event_created_from_ti_flashpoint_vulnerability_timelines_published_at_41756a89 + field: event.created + copy_from: ti_flashpoint.vulnerability.timelines.published_at + ignore_empty_value: true + - set: + tag: set_@timestamp_from_ti_flashpoint_vulnerability_timelines_last_modified_at_2b341595 + field: '@timestamp' + copy_from: ti_flashpoint.vulnerability.timelines.last_modified_at + ignore_empty_value: true + - set: + tag: set_vulnerability_severity_from_ti_flashpoint_vulnerability_scores_severity_e393344e + field: vulnerability.severity + copy_from: ti_flashpoint.vulnerability.scores.severity + ignore_empty_value: true + - set: + tag: set_event_id_from_ti_flashpoint_vulnerability_id_4910e2a1 + field: event.id + copy_from: ti_flashpoint.vulnerability.id + ignore_empty_value: true + - set: + tag: set_message_from_ti_flashpoint_vulnerability_description_974aae6a + field: message + copy_from: ti_flashpoint.vulnerability.description + ignore_empty_value: true + - set: + tag: set_vulnerability_description_from_ti_flashpoint_vulnerability_description_6a8f6639 + field: vulnerability.description + copy_from: ti_flashpoint.vulnerability.description + ignore_empty_value: true + - append: + tag: append_vulnerability_id_from_ti_flashpoint_vulnerability_id_4525ba71 + if: ctx.ti_flashpoint?.vulnerability?.id != null + field: vulnerability.id + value: '{{{ti_flashpoint.vulnerability.id}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cve_ids_826f991d + if: ctx.ti_flashpoint?.vulnerability?.cve_ids instanceof List + field: ti_flashpoint.vulnerability.cve_ids + processor: + append: + tag: append_vulnerability_id_4f375211 + field: vulnerability.id + value: '{{{_ingest._value}}}' + allow_duplicates: false + - 
foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v2s_df0233fe + if: ctx.ti_flashpoint?.vulnerability?.cvss_v2s instanceof List + field: ti_flashpoint.vulnerability.cvss_v2s + processor: + append: + tag: append_vulnerability_score_base_f7474107 + field: vulnerability.score.base + value: '{{{_ingest._value.score}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v2s_de02326b + if: ctx.ti_flashpoint?.vulnerability?.cvss_v2s instanceof List + field: ti_flashpoint.vulnerability.cvss_v2s + processor: + append: + tag: append_vulnerability_id_69d71a91 + field: vulnerability.id + value: '{{{_ingest._value.cve_id}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v3s_911f7a2a + if: ctx.ti_flashpoint?.vulnerability?.cvss_v3s instanceof List + field: ti_flashpoint.vulnerability.cvss_v3s + processor: + append: + tag: append_vulnerability_score_base_411d1c33 + field: vulnerability.score.base + value: '{{{_ingest._value.score}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v4s_164a4156 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v4s instanceof List + field: ti_flashpoint.vulnerability.cvss_v4s + processor: + append: + tag: append_vulnerability_score_base_7bfab9df + field: vulnerability.score.base + value: '{{{_ingest._value.score}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v3s_901f7897 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v3s instanceof List + field: ti_flashpoint.vulnerability.cvss_v3s + processor: + append: + tag: append_vulnerability_id_76e50f0d + field: vulnerability.id + value: '{{{_ingest._value.cve_id}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v3s_8f1f7704 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v3s instanceof List + field: ti_flashpoint.vulnerability.cvss_v3s + processor: + append: + tag: 
append_vulnerability_score_temporal_fdfa1fab + field: vulnerability.score.temporal + value: '{{{_ingest._value.temporal_score}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v4s_154a3fc3 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v4s instanceof List + field: ti_flashpoint.vulnerability.cvss_v4s + processor: + append: + tag: append_vulnerability_id_f99afcb9 + field: vulnerability.id + value: '{{{_ingest._value.cve_id}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v2s_dd0230d8 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v2s instanceof List + field: ti_flashpoint.vulnerability.cvss_v2s + processor: + append: + tag: append_vulnerability_score_version_5bdc7078 + field: vulnerability.score.version + value: '{{{_ingest._value.version}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v3s_8e1f7571 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v3s instanceof List + field: ti_flashpoint.vulnerability.cvss_v3s + processor: + append: + tag: append_vulnerability_score_version_c5945194 + field: vulnerability.score.version + value: '{{{_ingest._value.version}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v4s_144a3e30 + if: ctx.ti_flashpoint?.vulnerability?.cvss_v4s instanceof List + field: ti_flashpoint.vulnerability.cvss_v4s + processor: + append: + tag: append_vulnerability_score_version_17be2670 + field: vulnerability.score.version + value: '{{{_ingest._value.version}}}' + allow_duplicates: false + - foreach: + tag: foreach_of_vulnerability_score_base_e5bd7971 + if: ctx.vulnerability?.score?.base instanceof List + field: vulnerability.score.base + processor: + convert: + tag: convert__ingest__value_to_float_9acbea96 + field: _ingest._value + type: float + ignore_missing: true + ignore_failure: true + - foreach: + tag: foreach_of_vulnerability_score_temporal_fa9e393d + if: 
ctx.vulnerability?.score?.temporal instanceof List + field: vulnerability.score.temporal + processor: + convert: + tag: convert__ingest__value_to_float_c643e98a + field: _ingest._value + type: float + ignore_missing: true + ignore_failure: true + - set: + tag: set_vulnerability_classification_to_cvss_7b102a71 + field: vulnerability.classification + value: cvss + + # Remove duplicate custom fields if preserve_duplicate_custom_fields are not enabled + - foreach: + tag: foreach_of_ti_flashpoint_vulnerability_cvss_v3s_8aeb4fce + if: ctx.ti_flashpoint?.vulnerability?.cvss_v3s instanceof List && (ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')) + field: ti_flashpoint.vulnerability.cvss_v3s + processor: + remove: + tag: remove_custom_duplicate_fields_for_cvss_v3s_a0e5793f + field: + - _ingest._value.temporal_score + ignore_missing: true + - remove: + tag: remove_custom_duplicate_fields_285c8bbe + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + field: + - ti_flashpoint.vulnerability.timelines.published_at + - ti_flashpoint.vulnerability.timelines.last_modified_at + - ti_flashpoint.vulnerability.scores.severity + - ti_flashpoint.vulnerability.id + - ti_flashpoint.vulnerability.description + ignore_missing: true + + # Cleanup + - script: + description: This script processor iterates over the whole document to remove fields with null values. 
+ tag: script_to_drop_null_values_8360f3de + lang: painless + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + tag: set_event_kind_to_pipeline_error_92954dfa + if: ctx.error?.message != null + field: event.kind + value: pipeline_error + - append: + tag: append_tags_9fe66b2c + if: ctx.error?.message != null + field: tags + value: preserve_original_event + allow_duplicates: false +on_failure: + - append: + tag: append_error_message_e0c9bd63 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + tag: set_event_kind_to_pipeline_error_f51b77ad + field: event.kind + value: pipeline_error + - append: + tag: append_tags_d762b9c5 + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/ti_flashpoint/data_stream/vulnerability/fields/base-fields.yml b/packages/ti_flashpoint/data_stream/vulnerability/fields/base-fields.yml new file mode 100644 index 00000000000..c1700ab35de --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/fields/base-fields.yml 
@@ -0,0 +1,16 @@ +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: data_stream.type + external: ecs +- name: event.dataset + type: constant_keyword + external: ecs + value: ti_flashpoint.vulnerability +- name: event.module + type: constant_keyword + external: ecs + value: ti_flashpoint +- name: '@timestamp' + external: ecs diff --git a/packages/ti_flashpoint/data_stream/vulnerability/fields/beats.yml b/packages/ti_flashpoint/data_stream/vulnerability/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/ti_flashpoint/data_stream/vulnerability/fields/ecs.yml b/packages/ti_flashpoint/data_stream/vulnerability/fields/ecs.yml new file mode 100644 index 00000000000..5c567aa1371 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/fields/ecs.yml @@ -0,0 +1,13 @@ +# Define ECS constant fields as constant_keyword +- name: observer.product + external: ecs + type: constant_keyword + value: Ignite +- name: observer.vendor + external: ecs + type: constant_keyword + value: Flashpoint +- name: vulnerability.scanner.vendor + external: ecs + type: constant_keyword + value: Flashpoint diff --git a/packages/ti_flashpoint/data_stream/vulnerability/fields/fields.yml b/packages/ti_flashpoint/data_stream/vulnerability/fields/fields.yml new file mode 100644 index 00000000000..facc97f3c50 --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/fields/fields.yml 
@@ -0,0 +1,248 @@ +- name: ti_flashpoint + type: group + fields: + - name: vulnerability + type: group + fields: + - name: classifications + type: group + fields: + - name: description + type: keyword + - name: longname + type: keyword + - name: name + type: keyword + - name: cve_ids + type: keyword + - name: cvss_v2s + type: group + fields: + - name: access_complexity + type: keyword + description: The Common Vulnerabilities and Exposures (CVE) IDs associated with the vulnerability. + - name: access_vector + type: keyword + - name: authentication + type: keyword + - name: availability_impact + type: keyword + - name: calculated_cvss_base_score + type: double + - name: confidentiality_impact + type: keyword + - name: cve_id + type: keyword + - name: generated_at + type: date + description: The CVE ID assigned by a CNA (CVE Numbering Authority). + - name: integrity_impact + type: keyword + - name: score + type: double + - name: source + type: keyword + - name: cvss_v3s + type: group + fields: + - name: attack_complexity + type: keyword + - name: attack_vector + type: keyword + - name: availability_impact + type: keyword + - name: calculated_cvss_base_score + type: double + - name: confidentiality_impact + type: keyword + - name: cve_id + type: keyword + - name: exploit_code_maturity + type: keyword + description: The CVE ID assigned by a CNA (CVE Numbering Authority). 
+ - name: generated_at + type: date + - name: integrity_impact + type: keyword + - name: privileges_required + type: keyword + - name: remediation_level + type: keyword + - name: report_confidence + type: keyword + - name: scope + type: keyword + - name: score + type: double + - name: source + type: keyword + - name: temporal_score + type: double + - name: updated_at + type: date + - name: user_interaction + type: keyword + - name: vector_string + type: keyword + - name: version + type: keyword + - name: cvss_v4s + type: group + fields: + - name: attack_complexity + type: keyword + - name: attack_requirements + type: keyword + - name: attack_vector + type: keyword + - name: cve_id + type: keyword + - name: exploit_maturity + type: keyword + - name: generated_at + type: date + - name: privileges_required + type: keyword + - name: score + type: double + - name: source + type: keyword + - name: subsequent_system_availability_impact + type: keyword + - name: subsequent_system_confidentiality_impact + type: keyword + - name: subsequent_system_integrity_impact + type: keyword + - name: threat_score + type: double + - name: updated_at + type: date + - name: user_interaction + type: keyword + - name: vector_string + type: keyword + - name: version + type: keyword + - name: vulnerable_system_availability_impact + type: keyword + - name: vulnerable_system_confidentiality_impact + type: keyword + - name: vulnerable_system_integrity_impact + type: keyword + - name: cwes + type: group + fields: + - name: cve_ids + type: keyword + - name: cwe_id + type: keyword + - name: name + type: keyword + description: The CWE ID assigned by Mitre. + - name: source + type: keyword + - name: description + type: keyword + - name: exploits_count + type: long + - name: ext_references + type: group + fields: + - name: created_at + type: date + description: A text description of the software, nature of the vulnerability, and the direct impact if exploited. 
+ - name: description + type: keyword + - name: type + type: keyword + - name: url + type: keyword + - name: value + type: keyword + - name: id + type: keyword + - name: keywords + type: keyword + description: The unique numeric identifier assigned by Flashpoint for a single vulnerability. + - name: name + type: keyword + description: Any words, numeric strings, or other identifiers that relate to the vulnerability that do not otherwise appear in the entry. + - name: products + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + description: The unique numeric identifier assigned by Flashpoint for a single product. + - name: scores + type: group + fields: + - name: cvssv3_score + type: double + - name: epss_score + type: double + description: The Common Vulnerability Scoring System (CVSS version 3) score for the vulnerability. + - name: epss_v1_score + type: double + description: The epss score from first.org for vulnerabilities with a CVE-ID. + - name: ransomware_score + type: keyword + description: The epss score version 1 for all vulnerabilities including those that do not have a CVE-ID. + - name: severity + type: keyword + description: The likelihood a vulnerability will be used in a ransomware attack. + - name: solution + type: keyword + - name: tags + type: keyword + description: A brief description of how the vulnerability can be mitigated or resolved. + - name: technical_description + type: keyword + - name: timelines + type: group + fields: + - name: disclosed_at + type: date + description: Additional notes, usually of a technical nature, that further explain the issue, exploitation caveats or requirements, and further analysis or observations by Flashpoint. + - name: discovered_at + type: date + description: The date when the vulnerability was disclosed. + - name: exploit_published_at + type: date + description: The date when the vulnerability was discovered. 
+ - name: exploited_in_the_wild_at + type: date + description: The date when an exploit was published for the vulnerability. + - name: last_modified_at + type: date + description: The date when the vulnerability was exploited in the wild. + - name: published_at + type: date + description: The date when the vulnerability was last edited on the system. + - name: solution_provided_at + type: date + description: The date when the vulnerability was published on the system. + - name: third_party_solution_provided_at + type: date + description: The earliest date when a solution was provided for the vulnerability. + - name: vendor_acknowledged_at + type: date + description: The date a third party solution was provided for the vulnerability. + - name: vendor_informed_at + type: date + description: The date the vendor acknowledged the vulnerability. + - name: title + type: keyword + description: The date the vendor was informed of the vulnerability. + - name: vendors + type: group + fields: + - name: id + type: keyword + description: A concise title describing the vulnerability. + - name: name + type: keyword + description: The unique numeric identifier assigned by Flashpoint for a single vendor. + - name: vuln_status + type: keyword diff --git a/packages/ti_flashpoint/data_stream/vulnerability/manifest.yml b/packages/ti_flashpoint/data_stream/vulnerability/manifest.yml new file mode 100644 index 00000000000..7fc25c9a34d --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/manifest.yml 
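Review bot: the `description` entries in `fields.yml` are attached to the wrong fields, shifted down by one or two entries, and the problem runs through the whole file. Examples: `cvss_v2s.access_complexity` carries "The Common Vulnerabilities and Exposures (CVE) IDs associated with the vulnerability." (belongs on `cve_ids`); `cvss_v2s.generated_at` and `cvss_v3s.exploit_code_maturity` carry "The CVE ID assigned by a CNA (CVE Numbering Authority)." (belongs on the neighbouring `cve_id`); `cwes.name` carries "The CWE ID assigned by Mitre." (belongs on `cwe_id`); `keywords` carries the `id` description and `name` carries the `keywords` description; `products.name` and `vendors.name` carry their `id` descriptions; every `scores.*` description is one field off (`epss_score` is described as the CVSS v3 score, `severity` as the ransomware likelihood); and every `timelines.*` description is one field off, ending with `title` described as "The date the vendor was informed of the vulnerability." and `vendors.id` as "A concise title describing the vulnerability." Re-attach each description to the field it names before regenerating the README table. Two smaller points: `ti_flashpoint.vulnerability.name` is declared, but the sample event and its `event.original` have `title` and no `name`, so confirm `name` exists in the API response or remove it; and `cwes.cwe_id` is `keyword` while the API returns an integer (`"cwe_id":693` in the sample, `"693"` after the pipeline), which works but deserves a description saying the value is stringified.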
@@ -0,0 +1,95 @@ +title: Vulnerability +type: logs +streams: + - input: cel + title: Vulnerability + description: Collect Vulnerability logs from Flashpoint. + template_path: cel.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + description: How far back to pull the logs from Flashpoint API. Supported units for this parameter are h/m/s. + - name: interval + type: text + title: Interval + description: Duration between requests to the Flashpoint API. Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 5m + - name: page_size + type: integer + title: Page Size + description: Page size for the response of the Flashpoint API. + multi: false + required: true + show_user: false + default: 1000 + - name: max_executions + type: integer + title: Maximum Pages Per Interval + description: Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval. + multi: false + required: false + show_user: false + default: 1000 + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + default: false + required: false + show_user: false + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. + Enabling this request tracing compromises security and should only be used for debugging. Disabling the request + tracer will delete any stored traces. + See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) + for details. + - name: preserve_original_event + type: bool + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field event.original. 
+ multi: false + required: false + show_user: true + default: false + - name: tags + type: text + title: Tags + description: Tags for the data-stream. + multi: true + required: true + show_user: false + default: + - forwarded + - ti_flashpoint-vulnerability + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 120s + - name: preserve_duplicate_custom_fields + required: false + title: Preserve duplicate custom fields + description: Preserve ti_flashpoint.vulnerability fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + show_user: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/ti_flashpoint/data_stream/vulnerability/sample_event.json b/packages/ti_flashpoint/data_stream/vulnerability/sample_event.json new file mode 100644 index 00000000000..849ae3757be --- /dev/null +++ b/packages/ti_flashpoint/data_stream/vulnerability/sample_event.json 
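Review bot: the `max_executions` description is circular ("Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval.") and does not say what happens when the cap is reached; reword it to state the behaviour the CEL template actually implements (the template is not in this hunk, so take it from `cel.yml.hbs`), for example whether collection resumes from the saved cursor on the next interval. Also the `enable_request_tracer` help points at `https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable` while the README in this same change uses `docs-content://` links for Elastic docs; use one link scheme. The security warning on the tracer is good; keep it, since traces written to the agent's file system will contain the API token header.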
@@ -0,0 +1,248 @@ +{ + "@timestamp": "2025-12-29T23:00:01.000Z", + "agent": { + "ephemeral_id": "3bbc57c0-c38a-4f3a-9905-2cee6c3fb8bd", + "id": "b569ce8a-9868-4436-822b-649b5e3943b2", + "name": "elastic-agent-85390", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "ti_flashpoint.vulnerability", + "namespace": "41124", + "type": "logs" + }, + "ecs": { + "version": "9.2.0" + }, + "elastic_agent": { + "id": "b569ce8a-9868-4436-822b-649b5e3943b2", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "created": "2025-12-29T22:49:59.000Z", + "dataset": "ti_flashpoint.vulnerability", + "id": "432898", + "ingested": "2025-12-31T07:20:37Z", + "kind": "event", + "original": "{\"classifications\":[{\"description\":\"Local access is required to exploit this vulnerability (e.g., unix shell, windows user).\",\"longname\":\"Local Access Required\",\"name\":\"location_local\"},{\"description\":\"A vulnerability that cannot be defined by any other Attack Type classification.\",\"longname\":\"Other\",\"name\":\"attack_type_other\"},{\"description\":\"Assurance that data is protected and not disclosed to unauthorized party.\\r\\nExamples: password disclosures, server information, environment variables, confirmation of file existance, path dislcosure, file content access, some SQL injection.\",\"longname\":\"Loss of Confidentiality\",\"name\":\"impact_confidential\"},{\"description\":\"Assurance that data is unaltered by unauthorized persons and authorization has not been exceeded.\\r\\nExamples: XSS, arbitrary command execution, most overflows, most format strings, SQL injection, unauthorized file modification/deletion/creation, remote file inclusion, etc.\",\"longname\":\"Loss of Integrity\",\"name\":\"impact_integrity\"},{\"description\":\"The status of a working exploit is unknown.\",\"longname\":\"Exploit Unknown\",\"name\":\"exploit_unknown\"},{\"description\":\"The 
vulnerability can be mitigated by installing the vendor-supplied upgrade.\",\"longname\":\"Upgrade\",\"name\":\"solution_upgrade\"},{\"description\":\"The vendor has verified this vulnerability.\",\"longname\":\"Vendor Verified\",\"name\":\"disclosure_verified\"},{\"description\":\"The researcher and vendor coordinated disclosure so that vulnerability details were released in conjunction with a solution.\",\"longname\":\"Coordinated Disclosure\",\"name\":\"disclosure_coordinated_disclosure\"},{\"description\":\"This vulnerability can only be exploited after successful authentication.\",\"longname\":\"Authentication Required\",\"name\":\"vuln_authentication_required\"}],\"cve_ids\":[\"CVE-2025-13326\"],\"cvss_v2s\":[{\"access_complexity\":\"MEDIUM\",\"access_vector\":\"LOCAL\",\"authentication\":\"NONE\",\"availability_impact\":\"NONE\",\"calculated_cvss_base_score\":1.9,\"confidentiality_impact\":\"NONE\",\"cve_id\":null,\"generated_at\":\"2025-12-29T20:10:04Z\",\"integrity_impact\":\"PARTIAL\",\"score\":1.9,\"source\":\"Flashpoint\"}],\"cvss_v3s\":[{\"attack_complexity\":\"LOW\",\"attack_vector\":\"LOCAL\",\"availability_impact\":\"NONE\",\"calculated_cvss_base_score\":3.9,\"confidentiality_impact\":\"LOW\",\"cve_id\":null,\"exploit_code_maturity\":\"UNPROVEN\",\"generated_at\":\"2025-12-29T20:10:04Z\",\"integrity_impact\":\"LOW\",\"privileges_required\":\"LOW\",\"remediation_level\":\"OFFICIAL_FIX\",\"report_confidence\":\"CONFIRMED\",\"scope\":\"UNCHANGED\",\"score\":3.9,\"source\":\"Flashpoint\",\"temporal_score\":3.4,\"updated_at\":\"2025-12-29T22:49:59Z\",\"user_interaction\":\"REQUIRED\",\"vector_string\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C\",\"version\":\"3.1\"}],\"cvss_v4s\":[{\"attack_complexity\":\"LOW\",\"attack_requirements\":\"NONE\",\"attack_vector\":\"LOCAL\",\"cve_id\":null,\"exploit_maturity\":\"NOT_DEFINED\",\"generated_at\":\"2025-12-29T20:10:04.144000Z\",\"privileges_required\":\"LOW\",\"score\":2.4,\"source\":\"Flashpoi
nt\",\"subsequent_system_availability_impact\":\"NONE\",\"subsequent_system_confidentiality_impact\":\"NONE\",\"subsequent_system_integrity_impact\":\"NONE\",\"threat_score\":2.4,\"updated_at\":\"2025-12-29T20:10:04.254000Z\",\"user_interaction\":\"PASSIVE\",\"vector_string\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X\",\"version\":\"4.0\",\"vulnerable_system_availability_impact\":\"NONE\",\"vulnerable_system_confidentiality_impact\":\"LOW\",\"vulnerable_system_integrity_impact\":\"LOW\"}],\"cwes\":[{\"cve_ids\":\"2025-13326\",\"cwe_id\":693,\"name\":\"Protection Mechanism Failure\",\"source\":\"mitre\"}],\"description\":\"Mattermost Desktop contains a flaw that is triggered as the program fails to enable the Hardened Runtime setting when packaged for Mac App Store. This may allow a local attacker to inherit TCC permissions via copying the binary to a tmp folder.\",\"exploits_count\":0,\"ext_references\":[{\"created_at\":\"2020-09-09T19:57:14Z\",\"description\":null,\"type\":\"Vendor Specific Advisory URL\",\"url\":\"https://mattermost.com/security-updates/\",\"value\":\"https://mattermost.com/security-updates/\"},{\"created_at\":\"2025-12-23T17:58:58Z\",\"description\":null,\"type\":\"Generic Informational URL\",\"url\":\"https://www.cisa.gov/news-events/bulletins/sb25-356\",\"value\":\"https://www.cisa.gov/news-events/bulletins/sb25-356\"},{\"created_at\":\"2025-12-17T18:20:42Z\",\"description\":null,\"type\":\"CVE ID\",\"url\":\"https://www.cve.org/CVERecord?id=CVE-2025-13326\",\"value\":\"2025-13326\"}],\"id\":432898,\"keywords\":\"MMSA-2025-00504\",\"products\":[{\"id\":2985883,\"name\":\"Mattermost Desktop\"}],\"scores\":{\"cvssv3_score\":3.9,\"epss_score\":0.00013,\"epss_v1_score\":0,\"ransomware_score\":\"Low\",\"severity\":\"Low\"},\"solution\":\"It has been reported that this has been fixed. 
Please refer to the product listing for upgraded versions that address this vulnerability.\",\"tags\":[\"oss\"],\"technical_description\":\"\",\"timelines\":{\"disclosed_at\":\"2025-11-17T00:00:00Z\",\"discovered_at\":null,\"exploit_published_at\":null,\"exploited_in_the_wild_at\":null,\"last_modified_at\":\"2025-12-29T23:00:01Z\",\"published_at\":\"2025-12-29T22:49:59Z\",\"solution_provided_at\":\"2025-11-17T00:00:00Z\",\"third_party_solution_provided_at\":null,\"vendor_acknowledged_at\":null,\"vendor_informed_at\":null},\"title\":\"Mattermost Desktop Hardened Runtime Protection Mechanism Failure Local TCC Privilege Escalation\",\"vendors\":[{\"id\":2803312,\"name\":\"Mattermost\"}],\"vuln_status\":\"Active\"}", + "type": [ + "info" + ] + }, + "input": { + "type": "cel" + }, + "message": "Mattermost Desktop contains a flaw that is triggered as the program fails to enable the Hardened Runtime setting when packaged for Mac App Store. This may allow a local attacker to inherit TCC permissions via copying the binary to a tmp folder.", + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "ti_flashpoint-vulnerability" + ], + "ti_flashpoint": { + "vulnerability": { + "classifications": [ + { + "description": "Local access is required to exploit this vulnerability (e.g., unix shell, windows user).", + "longname": "Local Access Required", + "name": "location_local" + }, + { + "description": "A vulnerability that cannot be defined by any other Attack Type classification.", + "longname": "Other", + "name": "attack_type_other" + }, + { + "description": "Assurance that data is protected and not disclosed to unauthorized party.\r\nExamples: password disclosures, server information, environment variables, confirmation of file existance, path dislcosure, file content access, some SQL injection.", + "longname": "Loss of Confidentiality", + "name": "impact_confidential" + }, + { + "description": "Assurance that data is unaltered by 
unauthorized persons and authorization has not been exceeded.\r\nExamples: XSS, arbitrary command execution, most overflows, most format strings, SQL injection, unauthorized file modification/deletion/creation, remote file inclusion, etc.", + "longname": "Loss of Integrity", + "name": "impact_integrity" + }, + { + "description": "The status of a working exploit is unknown.", + "longname": "Exploit Unknown", + "name": "exploit_unknown" + }, + { + "description": "The vulnerability can be mitigated by installing the vendor-supplied upgrade.", + "longname": "Upgrade", + "name": "solution_upgrade" + }, + { + "description": "The vendor has verified this vulnerability.", + "longname": "Vendor Verified", + "name": "disclosure_verified" + }, + { + "description": "The researcher and vendor coordinated disclosure so that vulnerability details were released in conjunction with a solution.", + "longname": "Coordinated Disclosure", + "name": "disclosure_coordinated_disclosure" + }, + { + "description": "This vulnerability can only be exploited after successful authentication.", + "longname": "Authentication Required", + "name": "vuln_authentication_required" + } + ], + "cve_ids": [ + "CVE-2025-13326" + ], + "cvss_v2s": [ + { + "access_complexity": "MEDIUM", + "access_vector": "LOCAL", + "authentication": "NONE", + "availability_impact": "NONE", + "calculated_cvss_base_score": 1.9, + "confidentiality_impact": "NONE", + "generated_at": "2025-12-29T20:10:04.000Z", + "integrity_impact": "PARTIAL", + "score": 1.9, + "source": "Flashpoint" + } + ], + "cvss_v3s": [ + { + "attack_complexity": "LOW", + "attack_vector": "LOCAL", + "availability_impact": "NONE", + "calculated_cvss_base_score": 3.9, + "confidentiality_impact": "LOW", + "exploit_code_maturity": "UNPROVEN", + "generated_at": "2025-12-29T20:10:04.000Z", + "integrity_impact": "LOW", + "privileges_required": "LOW", + "remediation_level": "OFFICIAL_FIX", + "report_confidence": "CONFIRMED", + "scope": "UNCHANGED", + "score": 3.9, 
+ "source": "Flashpoint", + "temporal_score": 3.4, + "updated_at": "2025-12-29T22:49:59.000Z", + "user_interaction": "REQUIRED", + "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C", + "version": "3.1" + } + ], + "cvss_v4s": [ + { + "attack_complexity": "LOW", + "attack_requirements": "NONE", + "attack_vector": "LOCAL", + "exploit_maturity": "NOT_DEFINED", + "generated_at": "2025-12-29T20:10:04.144Z", + "privileges_required": "LOW", + "score": 2.4, + "source": "Flashpoint", + "subsequent_system_availability_impact": "NONE", + "subsequent_system_confidentiality_impact": "NONE", + "subsequent_system_integrity_impact": "NONE", + "threat_score": 2.4, + "updated_at": "2025-12-29T20:10:04.254Z", + "user_interaction": "PASSIVE", + "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X", + "version": "4.0", + "vulnerable_system_availability_impact": "NONE", + "vulnerable_system_confidentiality_impact": "LOW", + "vulnerable_system_integrity_impact": "LOW" + } + ], + "cwes": [ + { + "cve_ids": "2025-13326", + "cwe_id": "693", + "name": "Protection Mechanism Failure", + "source": "mitre" + } + ], + "description": "Mattermost Desktop contains a flaw that is triggered as the program fails to enable the Hardened Runtime setting when packaged for Mac App Store. 
This may allow a local attacker to inherit TCC permissions via copying the binary to a tmp folder.", + "exploits_count": 0, + "ext_references": [ + { + "created_at": "2020-09-09T19:57:14.000Z", + "type": "Vendor Specific Advisory URL", + "url": "https://mattermost.com/security-updates/", + "value": "https://mattermost.com/security-updates/" + }, + { + "created_at": "2025-12-23T17:58:58.000Z", + "type": "Generic Informational URL", + "url": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "value": "https://www.cisa.gov/news-events/bulletins/sb25-356" + }, + { + "created_at": "2025-12-17T18:20:42.000Z", + "type": "CVE ID", + "url": "https://www.cve.org/CVERecord?id=CVE-2025-13326", + "value": "2025-13326" + } + ], + "id": "432898", + "keywords": "MMSA-2025-00504", + "products": [ + { + "id": "2985883", + "name": "Mattermost Desktop" + } + ], + "scores": { + "cvssv3_score": 3.9, + "epss_score": 0.00013, + "epss_v1_score": 0, + "ransomware_score": "Low", + "severity": "Low" + }, + "solution": "It has been reported that this has been fixed. Please refer to the product listing for upgraded versions that address this vulnerability.", + "tags": [ + "oss" + ], + "timelines": { + "disclosed_at": "2025-11-17T00:00:00.000Z", + "last_modified_at": "2025-12-29T23:00:01.000Z", + "published_at": "2025-12-29T22:49:59.000Z", + "solution_provided_at": "2025-11-17T00:00:00.000Z" + }, + "title": "Mattermost Desktop Hardened Runtime Protection Mechanism Failure Local TCC Privilege Escalation", + "vendors": [ + { + "id": "2803312", + "name": "Mattermost" + } + ], + "vuln_status": "Active" + } + }, + "vulnerability": { + "classification": "cvss", + "description": "Mattermost Desktop contains a flaw that is triggered as the program fails to enable the Hardened Runtime setting when packaged for Mac App Store. 
This may allow a local attacker to inherit TCC permissions via copying the binary to a tmp folder.", + "id": [ + "432898", + "CVE-2025-13326" + ], + "score": { + "base": [ + 1.9, + 3.9, + 2.4 + ], + "temporal": [ + 3.4 + ], + "version": [ + "3.1", + "4.0" + ] + }, + "severity": "Low" + } +} diff --git a/packages/ti_flashpoint/docs/README.md b/packages/ti_flashpoint/docs/README.md new file mode 100644 index 00000000000..08308655ebe --- /dev/null +++ b/packages/ti_flashpoint/docs/README.md 
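Review bot: the ECS mapping folds the CVSS v2, v3 and v4 base scores into one array, `"base": [1.9, 3.9, 2.4]`, while `vulnerability.score.version` holds only `["3.1", "4.0"]` and `vulnerability.score.temporal` only `[3.4]`, so a consumer cannot tell which score belongs to which version, and any rule or visualisation that treats `vulnerability.score.base` as a scalar will pick an arbitrary element. Prefer populating `vulnerability.score.base` from one source, the `scores.cvssv3_score` that Flashpoint itself surfaces (3.9 here, consistent with the sample's `scores.severity: "Low"`), and leave the per-version detail in `ti_flashpoint.vulnerability.cvss_v2s`/`cvss_v3s`/`cvss_v4s`. Two things worth a line in the docs: `vulnerability.id` carries both the Flashpoint numeric id (`"432898"`, also used as `event.id`) and the CVE, and `cwes.cve_ids` plus the `CVE ID` external reference arrive from the API without the `CVE-` prefix (`"2025-13326"`), so joins against `cve_ids` need normalisation.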
@@ -0,0 +1,475 @@ +# Flashpoint Integration for Elastic + +## Overview + +[Flashpoint](https://flashpoint.io/) is a comprehensive threat intelligence platform that delivers actionable insights from dark web, deep web, and technical sources. It combines human-curated intelligence with automated collection to help organizations identify emerging threats, monitor adversary activity, and assess cyber risk with enriched context. + +The Flashpoint integration for Elastic collects vulnerabilities from the **Flashpoint Ignite API** and visualizes them in Kibana. + +### Compatibility + +The Flashpoint integration is compatible with Ignite API version **1.2**. + +### How it works + +This integration periodically queries the Flashpoint Ignite API to retrieve logs. + +## What data does this integration collect? + +This integration collects log messages of the following type: + +- `Vulnerabilities`: Collects `vulnerability` logs from the Flashpoint Ignite API (endpoint: `/vulnerability-intelligence/v1/vulnerabilities`), + +### Supported use cases + +Integrating Flashpoint Vulnerabilities with Elastic SIEM provides centralized visibility into vulnerability risk and exposure. + +Dashboards display `Total Vulnerabilities` and include tables for `Top Classifications`,` Vulnerability Names`, `Products`, and `Vendors`. Pie charts show `vulnerabilities by Ransomware Score`, `Severity`, and `Status`, while a line chart tracks `Vulnerabilities by Severity over Time`. + +A control panel allows filtering by `Status`, `Severity` and `Ransomware Score`. A saved searches for `CVSS v2`, `v3`, and `v4` details support deeper vulnerability analysis and prioritization. + +## What do I need to use this integration? + +### From Flashpoint + +To collect data through the Flashpoint Ignite API, you need to provide an **API Token**. Authentication is handled using the **API Token**, which serves as the required credential. + +#### Retrieve an API Token: + +1. Log in to the **Flashpoint** Instance. +2. 
Click on your profile icon in the top-right corner and select **Manage API Tokens**. +3. Click **Generate Token**. +4. Enter a name for the API token and click **Generate Token**. +5. Copy and securely store the generated API token for use in the integration configuration. + +## How do I deploy this integration? + +This integration supports both Elastic Agentless-based and Agent-based installations. + +### Agentless-based installation + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +### Agent-based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + + +### configure + +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **Flashpoint**. +3. Select the **Flashpoint** integration from the search results. +4. Select **Add Flashpoint** to add the integration. +5. Enable and configure only the collection methods which you will use. + + * To **Collect logs from Flashpoint API**, you'll need to: + + - Configure **API Token**. + - Adjust the integration configuration parameters if required, including the **Initial Interval**, **Interval**, **Page Size** etc. to enable data collection. + +6. 
Select **Save and continue** to save the integration. + +## Troubleshooting + +1. If vulnerability data collection is slow or fails with `context deadline exceeded`, reduce the `Page Size` and increase the `HTTP Client Timeout`. + +### Validation + +#### Dashboard populated + +1. In the top search bar in Kibana, search for **Dashboards**. +2. In the search bar, type **Flashpoint**, and verify the dashboard information is populated. + +## Performance and scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +## Reference + +### ECS field reference + +#### Vulnerability + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. 
Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| observer.product | The product name of the observer. | constant_keyword | +| observer.vendor | Vendor name of the observer. | constant_keyword | +| ti_flashpoint.vulnerability.classifications.description | | keyword | +| ti_flashpoint.vulnerability.classifications.longname | | keyword | +| ti_flashpoint.vulnerability.classifications.name | | keyword | +| ti_flashpoint.vulnerability.cve_ids | | keyword | +| ti_flashpoint.vulnerability.cvss_v2s.access_complexity | The Common Vulnerabilities and Exposures (CVE) IDs associated with the vulnerability. 
| keyword | +| ti_flashpoint.vulnerability.cvss_v2s.access_vector | | keyword | +| ti_flashpoint.vulnerability.cvss_v2s.authentication | | keyword | +| ti_flashpoint.vulnerability.cvss_v2s.availability_impact | | keyword | +| ti_flashpoint.vulnerability.cvss_v2s.calculated_cvss_base_score | | double | +| ti_flashpoint.vulnerability.cvss_v2s.confidentiality_impact | | keyword | +| ti_flashpoint.vulnerability.cvss_v2s.cve_id | | keyword | +| ti_flashpoint.vulnerability.cvss_v2s.generated_at | The CVE ID assigned by a CNA (CVE Numbering Authority). | date | +| ti_flashpoint.vulnerability.cvss_v2s.integrity_impact | | keyword | +| ti_flashpoint.vulnerability.cvss_v2s.score | | double | +| ti_flashpoint.vulnerability.cvss_v2s.source | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.attack_complexity | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.attack_vector | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.availability_impact | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.calculated_cvss_base_score | | double | +| ti_flashpoint.vulnerability.cvss_v3s.confidentiality_impact | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.cve_id | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.exploit_code_maturity | The CVE ID assigned by a CNA (CVE Numbering Authority). 
| keyword | +| ti_flashpoint.vulnerability.cvss_v3s.generated_at | | date | +| ti_flashpoint.vulnerability.cvss_v3s.integrity_impact | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.privileges_required | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.remediation_level | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.report_confidence | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.scope | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.score | | double | +| ti_flashpoint.vulnerability.cvss_v3s.source | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.temporal_score | | double | +| ti_flashpoint.vulnerability.cvss_v3s.updated_at | | date | +| ti_flashpoint.vulnerability.cvss_v3s.user_interaction | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.vector_string | | keyword | +| ti_flashpoint.vulnerability.cvss_v3s.version | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.attack_complexity | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.attack_requirements | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.attack_vector | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.cve_id | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.exploit_maturity | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.generated_at | | date | +| ti_flashpoint.vulnerability.cvss_v4s.privileges_required | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.score | | double | +| ti_flashpoint.vulnerability.cvss_v4s.source | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.subsequent_system_availability_impact | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.subsequent_system_confidentiality_impact | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.subsequent_system_integrity_impact | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.threat_score | | double | +| ti_flashpoint.vulnerability.cvss_v4s.updated_at | | date | +| ti_flashpoint.vulnerability.cvss_v4s.user_interaction | | keyword | +| 
ti_flashpoint.vulnerability.cvss_v4s.vector_string | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.version | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.vulnerable_system_availability_impact | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.vulnerable_system_confidentiality_impact | | keyword | +| ti_flashpoint.vulnerability.cvss_v4s.vulnerable_system_integrity_impact | | keyword | +| ti_flashpoint.vulnerability.cwes.cve_ids | | keyword | +| ti_flashpoint.vulnerability.cwes.cwe_id | | keyword | +| ti_flashpoint.vulnerability.cwes.name | The CWE ID assigned by Mitre. | keyword | +| ti_flashpoint.vulnerability.cwes.source | | keyword | +| ti_flashpoint.vulnerability.description | | keyword | +| ti_flashpoint.vulnerability.exploits_count | | long | +| ti_flashpoint.vulnerability.ext_references.created_at | A text description of the software, nature of the vulnerability, and the direct impact if exploited. | date | +| ti_flashpoint.vulnerability.ext_references.description | | keyword | +| ti_flashpoint.vulnerability.ext_references.type | | keyword | +| ti_flashpoint.vulnerability.ext_references.url | | keyword | +| ti_flashpoint.vulnerability.ext_references.value | | keyword | +| ti_flashpoint.vulnerability.id | | keyword | +| ti_flashpoint.vulnerability.keywords | The unique numeric identifier assigned by Flashpoint for a single vulnerability. | keyword | +| ti_flashpoint.vulnerability.name | Any words, numeric strings, or other identifiers that relate to the vulnerability that do not otherwise appear in the entry. | keyword | +| ti_flashpoint.vulnerability.products.id | | keyword | +| ti_flashpoint.vulnerability.products.name | The unique numeric identifier assigned by Flashpoint for a single product. | keyword | +| ti_flashpoint.vulnerability.scores.cvssv3_score | | double | +| ti_flashpoint.vulnerability.scores.epss_score | The Common Vulnerability Scoring System (CVSS version 3) score for the vulnerability. 
| double | +| ti_flashpoint.vulnerability.scores.epss_v1_score | The epss score from first.org for vulnerabilities with a CVE-ID. | double | +| ti_flashpoint.vulnerability.scores.ransomware_score | The epss score version 1 for all vulnerabilities including those that do not have a CVE-ID. | keyword | +| ti_flashpoint.vulnerability.scores.severity | The likelihood a vulnerability will be used in a ransomware attack. | keyword | +| ti_flashpoint.vulnerability.solution | | keyword | +| ti_flashpoint.vulnerability.tags | A brief description of how the vulnerability can be mitigated or resolved. | keyword | +| ti_flashpoint.vulnerability.technical_description | | keyword | +| ti_flashpoint.vulnerability.timelines.disclosed_at | Additional notes, usually of a technical nature, that further explain the issue, exploitation caveats or requirements, and further analysis or observations by Flashpoint. | date | +| ti_flashpoint.vulnerability.timelines.discovered_at | The date when the vulnerability was disclosed. | date | +| ti_flashpoint.vulnerability.timelines.exploit_published_at | The date when the vulnerability was discovered. | date | +| ti_flashpoint.vulnerability.timelines.exploited_in_the_wild_at | The date when an exploit was published for the vulnerability. | date | +| ti_flashpoint.vulnerability.timelines.last_modified_at | The date when the vulnerability was exploited in the wild. | date | +| ti_flashpoint.vulnerability.timelines.published_at | The date when the vulnerability was last edited on the system. | date | +| ti_flashpoint.vulnerability.timelines.solution_provided_at | The date when the vulnerability was published on the system. | date | +| ti_flashpoint.vulnerability.timelines.third_party_solution_provided_at | The earliest date when a solution was provided for the vulnerability. | date | +| ti_flashpoint.vulnerability.timelines.vendor_acknowledged_at | The date a third party solution was provided for the vulnerability. 
| date | +| ti_flashpoint.vulnerability.timelines.vendor_informed_at | The date the vendor acknowledged the vulnerability. | date | +| ti_flashpoint.vulnerability.title | The date the vendor was informed of the vulnerability. | keyword | +| ti_flashpoint.vulnerability.vendors.id | A concise title describing the vulnerability. | keyword | +| ti_flashpoint.vulnerability.vendors.name | The unique numeric identifier assigned by Flashpoint for a single vendor. | keyword | +| ti_flashpoint.vulnerability.vuln_status | | keyword | +| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | constant_keyword | + + +### Example event + +#### Vulnerability + +An example event for `vulnerability` looks as following: + +```json +{ + "@timestamp": "2025-12-29T23:00:01.000Z", + "agent": { + "ephemeral_id": "3bbc57c0-c38a-4f3a-9905-2cee6c3fb8bd", + "id": "b569ce8a-9868-4436-822b-649b5e3943b2", + "name": "elastic-agent-85390", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "ti_flashpoint.vulnerability", + "namespace": "41124", + "type": "logs" + }, + "ecs": { + "version": "9.2.0" + }, + "elastic_agent": { + "id": "b569ce8a-9868-4436-822b-649b5e3943b2", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "created": "2025-12-29T22:49:59.000Z", + "dataset": "ti_flashpoint.vulnerability", + "id": "432898", + "ingested": "2025-12-31T07:20:37Z", + "kind": "event", + "original": "{\"classifications\":[{\"description\":\"Local access is required to exploit this vulnerability (e.g., unix shell, windows user).\",\"longname\":\"Local Access Required\",\"name\":\"location_local\"},{\"description\":\"A vulnerability that cannot be defined by any other Attack Type classification.\",\"longname\":\"Other\",\"name\":\"attack_type_other\"},{\"description\":\"Assurance that data is protected and not disclosed to unauthorized party.\\r\\nExamples: password 
disclosures, server information, environment variables, confirmation of file existance, path dislcosure, file content access, some SQL injection.\",\"longname\":\"Loss of Confidentiality\",\"name\":\"impact_confidential\"},{\"description\":\"Assurance that data is unaltered by unauthorized persons and authorization has not been exceeded.\\r\\nExamples: XSS, arbitrary command execution, most overflows, most format strings, SQL injection, unauthorized file modification/deletion/creation, remote file inclusion, etc.\",\"longname\":\"Loss of Integrity\",\"name\":\"impact_integrity\"},{\"description\":\"The status of a working exploit is unknown.\",\"longname\":\"Exploit Unknown\",\"name\":\"exploit_unknown\"},{\"description\":\"The vulnerability can be mitigated by installing the vendor-supplied upgrade.\",\"longname\":\"Upgrade\",\"name\":\"solution_upgrade\"},{\"description\":\"The vendor has verified this vulnerability.\",\"longname\":\"Vendor Verified\",\"name\":\"disclosure_verified\"},{\"description\":\"The researcher and vendor coordinated disclosure so that vulnerability details were released in conjunction with a solution.\",\"longname\":\"Coordinated Disclosure\",\"name\":\"disclosure_coordinated_disclosure\"},{\"description\":\"This vulnerability can only be exploited after successful authentication.\",\"longname\":\"Authentication 
Required\",\"name\":\"vuln_authentication_required\"}],\"cve_ids\":[\"CVE-2025-13326\"],\"cvss_v2s\":[{\"access_complexity\":\"MEDIUM\",\"access_vector\":\"LOCAL\",\"authentication\":\"NONE\",\"availability_impact\":\"NONE\",\"calculated_cvss_base_score\":1.9,\"confidentiality_impact\":\"NONE\",\"cve_id\":null,\"generated_at\":\"2025-12-29T20:10:04Z\",\"integrity_impact\":\"PARTIAL\",\"score\":1.9,\"source\":\"Flashpoint\"}],\"cvss_v3s\":[{\"attack_complexity\":\"LOW\",\"attack_vector\":\"LOCAL\",\"availability_impact\":\"NONE\",\"calculated_cvss_base_score\":3.9,\"confidentiality_impact\":\"LOW\",\"cve_id\":null,\"exploit_code_maturity\":\"UNPROVEN\",\"generated_at\":\"2025-12-29T20:10:04Z\",\"integrity_impact\":\"LOW\",\"privileges_required\":\"LOW\",\"remediation_level\":\"OFFICIAL_FIX\",\"report_confidence\":\"CONFIRMED\",\"scope\":\"UNCHANGED\",\"score\":3.9,\"source\":\"Flashpoint\",\"temporal_score\":3.4,\"updated_at\":\"2025-12-29T22:49:59Z\",\"user_interaction\":\"REQUIRED\",\"vector_string\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C\",\"version\":\"3.1\"}],\"cvss_v4s\":[{\"attack_complexity\":\"LOW\",\"attack_requirements\":\"NONE\",\"attack_vector\":\"LOCAL\",\"cve_id\":null,\"exploit_maturity\":\"NOT_DEFINED\",\"generated_at\":\"2025-12-29T20:10:04.144000Z\",\"privileges_required\":\"LOW\",\"score\":2.4,\"source\":\"Flashpoint\",\"subsequent_system_availability_impact\":\"NONE\",\"subsequent_system_confidentiality_impact\":\"NONE\",\"subsequent_system_integrity_impact\":\"NONE\",\"threat_score\":2.4,\"updated_at\":\"2025-12-29T20:10:04.254000Z\",\"user_interaction\":\"PASSIVE\",\"vector_string\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X\",\"version\":\"4.0\",\"vulnerable_system_availability_impact\":\"NONE\",\"vulnerable_system_confidentiality_impact\":\"LOW\",\"vulnerable_system_integrity_impact\":\"LOW\"}],\"cwes\":[{\"cve_ids\":\"2025-13326\",\"cwe_id\":693,\"name\":\"Protection Mechanism 
Failure\",\"source\":\"mitre\"}],\"description\":\"Mattermost Desktop contains a flaw that is triggered as the program fails to enable the Hardened Runtime setting when packaged for Mac App Store. This may allow a local attacker to inherit TCC permissions via copying the binary to a tmp folder.\",\"exploits_count\":0,\"ext_references\":[{\"created_at\":\"2020-09-09T19:57:14Z\",\"description\":null,\"type\":\"Vendor Specific Advisory URL\",\"url\":\"https://mattermost.com/security-updates/\",\"value\":\"https://mattermost.com/security-updates/\"},{\"created_at\":\"2025-12-23T17:58:58Z\",\"description\":null,\"type\":\"Generic Informational URL\",\"url\":\"https://www.cisa.gov/news-events/bulletins/sb25-356\",\"value\":\"https://www.cisa.gov/news-events/bulletins/sb25-356\"},{\"created_at\":\"2025-12-17T18:20:42Z\",\"description\":null,\"type\":\"CVE ID\",\"url\":\"https://www.cve.org/CVERecord?id=CVE-2025-13326\",\"value\":\"2025-13326\"}],\"id\":432898,\"keywords\":\"MMSA-2025-00504\",\"products\":[{\"id\":2985883,\"name\":\"Mattermost Desktop\"}],\"scores\":{\"cvssv3_score\":3.9,\"epss_score\":0.00013,\"epss_v1_score\":0,\"ransomware_score\":\"Low\",\"severity\":\"Low\"},\"solution\":\"It has been reported that this has been fixed. 
Please refer to the product listing for upgraded versions that address this vulnerability.\",\"tags\":[\"oss\"],\"technical_description\":\"\",\"timelines\":{\"disclosed_at\":\"2025-11-17T00:00:00Z\",\"discovered_at\":null,\"exploit_published_at\":null,\"exploited_in_the_wild_at\":null,\"last_modified_at\":\"2025-12-29T23:00:01Z\",\"published_at\":\"2025-12-29T22:49:59Z\",\"solution_provided_at\":\"2025-11-17T00:00:00Z\",\"third_party_solution_provided_at\":null,\"vendor_acknowledged_at\":null,\"vendor_informed_at\":null},\"title\":\"Mattermost Desktop Hardened Runtime Protection Mechanism Failure Local TCC Privilege Escalation\",\"vendors\":[{\"id\":2803312,\"name\":\"Mattermost\"}],\"vuln_status\":\"Active\"}", + "type": [ + "info" + ] + }, + "input": { + "type": "cel" + }, + "message": "Mattermost Desktop contains a flaw that is triggered as the program fails to enable the Hardened Runtime setting when packaged for Mac App Store. This may allow a local attacker to inherit TCC permissions via copying the binary to a tmp folder.", + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "ti_flashpoint-vulnerability" + ], + "ti_flashpoint": { + "vulnerability": { + "classifications": [ + { + "description": "Local access is required to exploit this vulnerability (e.g., unix shell, windows user).", + "longname": "Local Access Required", + "name": "location_local" + }, + { + "description": "A vulnerability that cannot be defined by any other Attack Type classification.", + "longname": "Other", + "name": "attack_type_other" + }, + { + "description": "Assurance that data is protected and not disclosed to unauthorized party.\r\nExamples: password disclosures, server information, environment variables, confirmation of file existance, path dislcosure, file content access, some SQL injection.", + "longname": "Loss of Confidentiality", + "name": "impact_confidential" + }, + { + "description": "Assurance that data is unaltered by 
unauthorized persons and authorization has not been exceeded.\r\nExamples: XSS, arbitrary command execution, most overflows, most format strings, SQL injection, unauthorized file modification/deletion/creation, remote file inclusion, etc.", + "longname": "Loss of Integrity", + "name": "impact_integrity" + }, + { + "description": "The status of a working exploit is unknown.", + "longname": "Exploit Unknown", + "name": "exploit_unknown" + }, + { + "description": "The vulnerability can be mitigated by installing the vendor-supplied upgrade.", + "longname": "Upgrade", + "name": "solution_upgrade" + }, + { + "description": "The vendor has verified this vulnerability.", + "longname": "Vendor Verified", + "name": "disclosure_verified" + }, + { + "description": "The researcher and vendor coordinated disclosure so that vulnerability details were released in conjunction with a solution.", + "longname": "Coordinated Disclosure", + "name": "disclosure_coordinated_disclosure" + }, + { + "description": "This vulnerability can only be exploited after successful authentication.", + "longname": "Authentication Required", + "name": "vuln_authentication_required" + } + ], + "cve_ids": [ + "CVE-2025-13326" + ], + "cvss_v2s": [ + { + "access_complexity": "MEDIUM", + "access_vector": "LOCAL", + "authentication": "NONE", + "availability_impact": "NONE", + "calculated_cvss_base_score": 1.9, + "confidentiality_impact": "NONE", + "generated_at": "2025-12-29T20:10:04.000Z", + "integrity_impact": "PARTIAL", + "score": 1.9, + "source": "Flashpoint" + } + ], + "cvss_v3s": [ + { + "attack_complexity": "LOW", + "attack_vector": "LOCAL", + "availability_impact": "NONE", + "calculated_cvss_base_score": 3.9, + "confidentiality_impact": "LOW", + "exploit_code_maturity": "UNPROVEN", + "generated_at": "2025-12-29T20:10:04.000Z", + "integrity_impact": "LOW", + "privileges_required": "LOW", + "remediation_level": "OFFICIAL_FIX", + "report_confidence": "CONFIRMED", + "scope": "UNCHANGED", + "score": 3.9, 
+ "source": "Flashpoint", + "temporal_score": 3.4, + "updated_at": "2025-12-29T22:49:59.000Z", + "user_interaction": "REQUIRED", + "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C", + "version": "3.1" + } + ], + "cvss_v4s": [ + { + "attack_complexity": "LOW", + "attack_requirements": "NONE", + "attack_vector": "LOCAL", + "exploit_maturity": "NOT_DEFINED", + "generated_at": "2025-12-29T20:10:04.144Z", + "privileges_required": "LOW", + "score": 2.4, + "source": "Flashpoint", + "subsequent_system_availability_impact": "NONE", + "subsequent_system_confidentiality_impact": "NONE", + "subsequent_system_integrity_impact": "NONE", + "threat_score": 2.4, + "updated_at": "2025-12-29T20:10:04.254Z", + "user_interaction": "PASSIVE", + "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X", + "version": "4.0", + "vulnerable_system_availability_impact": "NONE", + "vulnerable_system_confidentiality_impact": "LOW", + "vulnerable_system_integrity_impact": "LOW" + } + ], + "cwes": [ + { + "cve_ids": "2025-13326", + "cwe_id": "693", + "name": "Protection Mechanism Failure", + "source": "mitre" + } + ], + "description": "Mattermost Desktop contains a flaw that is triggered as the program fails to enable the Hardened Runtime setting when packaged for Mac App Store. 
This may allow a local attacker to inherit TCC permissions via copying the binary to a tmp folder.", + "exploits_count": 0, + "ext_references": [ + { + "created_at": "2020-09-09T19:57:14.000Z", + "type": "Vendor Specific Advisory URL", + "url": "https://mattermost.com/security-updates/", + "value": "https://mattermost.com/security-updates/" + }, + { + "created_at": "2025-12-23T17:58:58.000Z", + "type": "Generic Informational URL", + "url": "https://www.cisa.gov/news-events/bulletins/sb25-356", + "value": "https://www.cisa.gov/news-events/bulletins/sb25-356" + }, + { + "created_at": "2025-12-17T18:20:42.000Z", + "type": "CVE ID", + "url": "https://www.cve.org/CVERecord?id=CVE-2025-13326", + "value": "2025-13326" + } + ], + "id": "432898", + "keywords": "MMSA-2025-00504", + "products": [ + { + "id": "2985883", + "name": "Mattermost Desktop" + } + ], + "scores": { + "cvssv3_score": 3.9, + "epss_score": 0.00013, + "epss_v1_score": 0, + "ransomware_score": "Low", + "severity": "Low" + }, + "solution": "It has been reported that this has been fixed. Please refer to the product listing for upgraded versions that address this vulnerability.", + "tags": [ + "oss" + ], + "timelines": { + "disclosed_at": "2025-11-17T00:00:00.000Z", + "last_modified_at": "2025-12-29T23:00:01.000Z", + "published_at": "2025-12-29T22:49:59.000Z", + "solution_provided_at": "2025-11-17T00:00:00.000Z" + }, + "title": "Mattermost Desktop Hardened Runtime Protection Mechanism Failure Local TCC Privilege Escalation", + "vendors": [ + { + "id": "2803312", + "name": "Mattermost" + } + ], + "vuln_status": "Active" + } + }, + "vulnerability": { + "classification": "cvss", + "description": "Mattermost Desktop contains a flaw that is triggered as the program fails to enable the Hardened Runtime setting when packaged for Mac App Store. 
This may allow a local attacker to inherit TCC permissions via copying the binary to a tmp folder.", + "id": [ + "432898", + "CVE-2025-13326" + ], + "score": { + "base": [ + 1.9, + 3.9, + 2.4 + ], + "temporal": [ + 3.4 + ], + "version": [ + "3.1", + "4.0" + ] + }, + "severity": "Low" + } +} +``` + + +### Inputs used + +These input is used in the integration: + +- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel) + + +### API usage + +This integration dataset uses the following API: + +* List Vulberabilities (endpoint: `/vulnerability-intelligence/v1/vulnerabilities`) diff --git a/packages/ti_flashpoint/img/ti_flashpoint-logo.svg b/packages/ti_flashpoint/img/ti_flashpoint-logo.svg new file mode 100644 index 00000000000..982608a02f6 --- /dev/null +++ b/packages/ti_flashpoint/img/ti_flashpoint-logo.svg @@ -0,0 +1,5 @@ + + + + + diff --git a/packages/ti_flashpoint/img/ti_flashpoint-vulnerabilities_dashboard.png b/packages/ti_flashpoint/img/ti_flashpoint-vulnerabilities_dashboard.png new file mode 100644 index 00000000000..a227390536d Binary files /dev/null and b/packages/ti_flashpoint/img/ti_flashpoint-vulnerabilities_dashboard.png differ diff --git a/packages/ti_flashpoint/kibana/dashboard/ti_flashpoint-cfe7739d-dce8-46e0-9f7e-4d077bc5c7bc.json b/packages/ti_flashpoint/kibana/dashboard/ti_flashpoint-cfe7739d-dce8-46e0-9f7e-4d077bc5c7bc.json new file mode 100644 index 00000000000..0ca279a5604 --- /dev/null +++ b/packages/ti_flashpoint/kibana/dashboard/ti_flashpoint-cfe7739d-dce8-46e0-9f7e-4d077bc5c7bc.json 
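Review bot: in the exported fields table of the README hunk every description sits one row below the field it belongs to: `ti_flashpoint.vulnerability.cve_ids` has no description while `cvss_v2s.access_complexity` carries "The Common Vulnerabilities and Exposures (CVE) IDs associated with the vulnerability.", `cvss_v2s.generated_at` and `cvss_v3s.exploit_code_maturity` carry the `cve_id` text "The CVE ID assigned by a CNA (CVE Numbering Authority).", and the same off-by-one runs through `cwes.name`, `ext_references.created_at`, `keywords`, `name`, `products.name`, every `scores.*` and `timelines.*` row, `title`, `vendors.id` and `vendors.name`. Since this table is generated from the data stream's fields YAML, move each description up to its own field there and regenerate the README rather than editing the table by hand. Separately, in the example event `vulnerability.score.base` is emitted as `[1.9, 3.9, 2.4]` (the CVSS v2, v3 and v4 base scores in one ECS field) while `vulnerability.score.version` is `["3.1", "4.0"]`, so a consumer cannot tell which score belongs to which CVSS version; consider mapping a single score (for instance the v3 score already exposed as `ti_flashpoint.vulnerability.scores.cvssv3_score`) or documenting the ordering. Also fix "These input is used in the integration" to "This input is used in the integration" and "List Vulberabilities" to "List Vulnerabilities".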
@@ -0,0 +1,1589 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "75cccfa5-ddb9-401a-9b05-f17f16c24b69": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "vulnerability.severity", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Severity" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "7ef4c8d7-5d8f-457f-8cb0-1d3367c9e454": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "ti_flashpoint.vulnerability.vuln_status", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Status" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "db5f26d1-1435-4870-b416-f2a03997b49a": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "ti_flashpoint.vulnerability.scores.ransomware_score", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Ransomware Score" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard shows Vulnerabilities collected by the Flashpoint Integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_flashpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "data_stream.dataset": "ti_flashpoint.vulnerability" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 14, + "i": "9c6f56ea-7794-4915-95b5-dde2a962047e", + "w": 48, + "x": 0, + "y": 71 + }, + "panelIndex": "9c6f56ea-7794-4915-95b5-dde2a962047e", + "panelRefName": "panel_9c6f56ea-7794-4915-95b5-dde2a962047e", + "title": "[Logs Flashpoint] Essential CVSS V2 Details", + "type": "search" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 15, + "i": "a8361af6-9134-427d-af7c-a094a8cf4ed6", + "w": 48, + "x": 0, + "y": 85 + }, + "panelIndex": "a8361af6-9134-427d-af7c-a094a8cf4ed6", + "panelRefName": "panel_a8361af6-9134-427d-af7c-a094a8cf4ed6", + "title": "[Logs Flashpoint] Essential CVSS V3 Details", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-58327a25-364a-4792-a34e-df00bfea8fcb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "58327a25-364a-4792-a34e-df00bfea8fcb": { + "columnOrder": [ + "6cb4a0e2-2708-4df7-8e36-b55e620bf678", + "33e7c671-8cbd-45bf-a88a-c28bdeda5bdf" + ], + "columns": { + "33e7c671-8cbd-45bf-a88a-c28bdeda5bdf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + 
"6cb4a0e2-2708-4df7-8e36-b55e620bf678": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "33e7c671-8cbd-45bf-a88a-c28bdeda5bdf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vulnerability.severity" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "58327a25-364a-4792-a34e-df00bfea8fcb", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "33e7c671-8cbd-45bf-a88a-c28bdeda5bdf" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "6cb4a0e2-2708-4df7-8e36-b55e620bf678" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "a42c4c77-255a-4d45-b449-77577a053bf5", + "w": 24, + "x": 0, + "y": 24 + }, + "panelIndex": "a42c4c77-255a-4d45-b449-77577a053bf5", + "title": "Vulnerabilities by Severities", + "type": "lens" + }, + 
{ + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-01a8ee92-2836-4a8f-9e0d-f2dddc8ad100", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "01a8ee92-2836-4a8f-9e0d-f2dddc8ad100": { + "columnOrder": [ + "f33aeabc-3a60-43b8-8b53-e22c158c112a", + "57acd9c7-7d12-469a-80ae-9caf72ff30ba" + ], + "columns": { + "57acd9c7-7d12-469a-80ae-9caf72ff30ba": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f33aeabc-3a60-43b8-8b53-e22c158c112a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Ransomware Score", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "57acd9c7-7d12-469a-80ae-9caf72ff30ba", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "ti_flashpoint.vulnerability.scores.ransomware_score" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": 
"01a8ee92-2836-4a8f-9e0d-f2dddc8ad100", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "57acd9c7-7d12-469a-80ae-9caf72ff30ba" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "f33aeabc-3a60-43b8-8b53-e22c158c112a" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "dd6b074c-eca8-4781-8ee0-9d913e8f9468", + "w": 24, + "x": 24, + "y": 24 + }, + "panelIndex": "dd6b074c-eca8-4781-8ee0-9d913e8f9468", + "title": "Vulnerabilities by Ransomware Scores", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ca85adb2-fd4c-452e-a4b7-79962f41429f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "ca85adb2-fd4c-452e-a4b7-79962f41429f": { + "columnOrder": [ + "6fa13383-e035-4859-b11c-4e60aae142f9" + ], + "columns": { + "6fa13383-e035-4859-b11c-4e60aae142f9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Vulnerabilities", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": 
[], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "ca85adb2-fd4c-452e-a4b7-79962f41429f", + "layerType": "data", + "metricAccessor": "6fa13383-e035-4859-b11c-4e60aae142f9" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "7847ab78-8266-4f54-8de0-34048ca5232c", + "w": 13, + "x": 17, + "y": 0 + }, + "panelIndex": "7847ab78-8266-4f54-8de0-34048ca5232c", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-77ad2fd5-90ba-409a-816e-52e59ddf74cf", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "77ad2fd5-90ba-409a-816e-52e59ddf74cf": { + "columnOrder": [ + "a9ac70fb-bff3-4ed6-b323-cffa7ec489d5", + "495fb2e6-2005-4ca9-aef0-a93873824081" + ], + "columns": { + "495fb2e6-2005-4ca9-aef0-a93873824081": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "a9ac70fb-bff3-4ed6-b323-cffa7ec489d5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Status", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "495fb2e6-2005-4ca9-aef0-a93873824081", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + 
"parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "ti_flashpoint.vulnerability.vuln_status" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "77ad2fd5-90ba-409a-816e-52e59ddf74cf", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "495fb2e6-2005-4ca9-aef0-a93873824081" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "a9ac70fb-bff3-4ed6-b323-cffa7ec489d5" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "78ff4a48-7768-4eb4-8890-9dbd116f94d1", + "w": 18, + "x": 30, + "y": 0 + }, + "panelIndex": "78ff4a48-7768-4eb4-8890-9dbd116f94d1", + "title": "Vulnerabilities by Status", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "This dashboard provides centralized visibility into vulnerability intelligence from Flashpoint, helping teams 
quickly assess risk and exposure.\n\nIt features tables for Top Classifications, Top Vulnerability Names, Top Products, and Top Vendors, along with a metric showing Total Vulnerabilities and Total Exploits. Pie charts visualize Vulnerabilities by Ransomware Scores, Severities, and Status, while a area chart tracks Vulnerabilities by Severity over Time.\n\nA control panel for Status, Severity and Ransomware Score enables focused analysis, and saved searches for Essential CVSS v2, v3, and v4 Details provide deeper scoring insights. Together, these visuals support effective vulnerability prioritization and trend analysis.\n\n**[Integration Page](/app/integrations/detail/ti_flashpoint)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 24, + "i": "ec44a7f5-552e-457f-8fd0-e9d1376ba274", + "w": 17, + "x": 0, + "y": 0 + }, + "panelIndex": "ec44a7f5-552e-457f-8fd0-e9d1376ba274", + "title": "Overview", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4390dcb5-59f3-4f72-b3a2-641ca179e15f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4390dcb5-59f3-4f72-b3a2-641ca179e15f": { + "columnOrder": [ + "affb22fa-d223-4345-9b65-ac47c332ba8d", + "8a9a33b1-1634-4b23-ab09-4193f4d68016", + "b0aa67cd-9725-4795-a9d2-5d041520ae89" + ], + "columns": { + "8a9a33b1-1634-4b23-ab09-4193f4d68016": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "affb22fa-d223-4345-9b65-ac47c332ba8d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + 
"params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b0aa67cd-9725-4795-a9d2-5d041520ae89", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "vulnerability.severity" + }, + "b0aa67cd-9725-4795-a9d2-5d041520ae89": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b0aa67cd-9725-4795-a9d2-5d041520ae89" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4390dcb5-59f3-4f72-b3a2-641ca179e15f", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "affb22fa-d223-4345-9b65-ac47c332ba8d", + "xAccessor": "8a9a33b1-1634-4b23-ab09-4193f4d68016" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + 
"showSingleSeries": true + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "65508593-d0fc-4176-bdcd-b65a245a2d95", + "w": 31, + "x": 17, + "y": 12 + }, + "panelIndex": "65508593-d0fc-4176-bdcd-b65a245a2d95", + "title": "Vulnerabilities by Severity over Time", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-81a74d0b-7d32-49a4-ac8d-43d302add67e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "81a74d0b-7d32-49a4-ac8d-43d302add67e": { + "columnOrder": [ + "97fe9c01-619a-4475-8a6e-aca257aac4d4", + "7a3cadb5-ef0b-4a82-987a-2c38b585a91f" + ], + "columns": { + "7a3cadb5-ef0b-4a82-987a-2c38b585a91f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "97fe9c01-619a-4475-8a6e-aca257aac4d4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Classification", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7a3cadb5-ef0b-4a82-987a-2c38b585a91f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, 
+ "scale": "ordinal", + "sourceField": "ti_flashpoint.vulnerability.classifications.longname" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "97fe9c01-619a-4475-8a6e-aca257aac4d4", + "isTransposed": false + }, + { + "columnId": "7a3cadb5-ef0b-4a82-987a-2c38b585a91f", + "isTransposed": false + } + ], + "layerId": "81a74d0b-7d32-49a4-ac8d-43d302add67e", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "691b9ee9-775c-46d9-9299-51739c40d987", + "w": 24, + "x": 0, + "y": 39 + }, + "panelIndex": "691b9ee9-775c-46d9-9299-51739c40d987", + "title": "Top Classifications", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d775d293-a043-4ce9-92fa-50ab1d9b0a18", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d775d293-a043-4ce9-92fa-50ab1d9b0a18": { + "columnOrder": [ + "543a777b-250d-4316-91f1-c42a66f50830", + "944bbdb2-74ed-4768-89a0-86da76eaf3c5" + ], + "columns": { + "543a777b-250d-4316-91f1-c42a66f50830": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Vulnerability Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "944bbdb2-74ed-4768-89a0-86da76eaf3c5", + "type": "column" + 
}, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "ti_flashpoint.vulnerability.name" + }, + "944bbdb2-74ed-4768-89a0-86da76eaf3c5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "543a777b-250d-4316-91f1-c42a66f50830" + }, + { + "columnId": "944bbdb2-74ed-4768-89a0-86da76eaf3c5" + } + ], + "layerId": "d775d293-a043-4ce9-92fa-50ab1d9b0a18", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "b7a17eec-86d8-4cb1-9edd-244414e3aab0", + "w": 24, + "x": 24, + "y": 39 + }, + "panelIndex": "b7a17eec-86d8-4cb1-9edd-244414e3aab0", + "title": "Top Vulnerability Names", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bc84eb23-bf2f-4ca6-850d-185b9483a628", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "bc84eb23-bf2f-4ca6-850d-185b9483a628": { + "columnOrder": [ + "0f9c2d2f-7393-4f29-8026-540a82f028c3", + 
"9b7c0c86-384f-4eab-aeed-b6b5ac7b5ac1" + ], + "columns": { + "0f9c2d2f-7393-4f29-8026-540a82f028c3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Product", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9b7c0c86-384f-4eab-aeed-b6b5ac7b5ac1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "ti_flashpoint.vulnerability.products.name" + }, + "9b7c0c86-384f-4eab-aeed-b6b5ac7b5ac1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "0f9c2d2f-7393-4f29-8026-540a82f028c3" + }, + { + "columnId": "9b7c0c86-384f-4eab-aeed-b6b5ac7b5ac1" + } + ], + "layerId": "bc84eb23-bf2f-4ca6-850d-185b9483a628", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "6e3e5ed6-96be-41b4-becf-df4dea86a142", + 
"w": 24, + "x": 0, + "y": 55 + }, + "panelIndex": "6e3e5ed6-96be-41b4-becf-df4dea86a142", + "title": "Top Products", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3ee4aaa6-6b55-4af8-8850-9ca72d4bd07d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "3ee4aaa6-6b55-4af8-8850-9ca72d4bd07d": { + "columnOrder": [ + "7a0719d8-9019-4b38-bd6b-bfdd6c5a0cd7", + "4c24eec7-5b2c-4205-9614-59b27ae5a5ef" + ], + "columns": { + "4c24eec7-5b2c-4205-9614-59b27ae5a5ef": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "7a0719d8-9019-4b38-bd6b-bfdd6c5a0cd7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Vendor", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4c24eec7-5b2c-4205-9614-59b27ae5a5ef", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "ti_flashpoint.vulnerability.vendors.name" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + 
"visualization": { + "columns": [ + { + "columnId": "7a0719d8-9019-4b38-bd6b-bfdd6c5a0cd7" + }, + { + "columnId": "4c24eec7-5b2c-4205-9614-59b27ae5a5ef" + } + ], + "layerId": "3ee4aaa6-6b55-4af8-8850-9ca72d4bd07d", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "86a9b583-bbd7-4228-9b53-b1f6dbbe2fa7", + "w": 24, + "x": 24, + "y": 55 + }, + "panelIndex": "86a9b583-bbd7-4228-9b53-b1f6dbbe2fa7", + "title": "Top Vendors", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 15, + "i": "d2488715-e661-4ea4-8d62-5fcb4acbdaf2", + "w": 48, + "x": 0, + "y": 100 + }, + "panelIndex": "d2488715-e661-4ea4-8d62-5fcb4acbdaf2", + "panelRefName": "panel_d2488715-e661-4ea4-8d62-5fcb4acbdaf2", + "title": "[Logs Flashpoint] Essential CVSS V4 Details", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Flashpoint] Vulnerabilities", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-12-30T11:29:21.196Z", + "id": "ti_flashpoint-cfe7739d-dce8-46e0-9f7e-4d077bc5c7bc", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "ti_flashpoint-279eadc8-e6f2-4a00-a5cf-f01bd434eb6e", + "name": "9c6f56ea-7794-4915-95b5-dde2a962047e:panel_9c6f56ea-7794-4915-95b5-dde2a962047e", + "type": "search" + }, + { + "id": "ti_flashpoint-78e2de59-5a14-4a7b-9328-69b9b310c0b7", + "name": "a8361af6-9134-427d-af7c-a094a8cf4ed6:panel_a8361af6-9134-427d-af7c-a094a8cf4ed6", + "type": "search" + }, + { + "id": "ti_flashpoint-02229216-8fcd-4a07-8c65-782f455fcfab", + 
"name": "d2488715-e661-4ea4-8d62-5fcb4acbdaf2:panel_d2488715-e661-4ea4-8d62-5fcb4acbdaf2", + "type": "search" + }, + { + "id": "logs-*", + "name": "a42c4c77-255a-4d45-b449-77577a053bf5:indexpattern-datasource-layer-58327a25-364a-4792-a34e-df00bfea8fcb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dd6b074c-eca8-4781-8ee0-9d913e8f9468:indexpattern-datasource-layer-01a8ee92-2836-4a8f-9e0d-f2dddc8ad100", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7847ab78-8266-4f54-8de0-34048ca5232c:indexpattern-datasource-layer-ca85adb2-fd4c-452e-a4b7-79962f41429f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "78ff4a48-7768-4eb4-8890-9dbd116f94d1:indexpattern-datasource-layer-77ad2fd5-90ba-409a-816e-52e59ddf74cf", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "65508593-d0fc-4176-bdcd-b65a245a2d95:indexpattern-datasource-layer-4390dcb5-59f3-4f72-b3a2-641ca179e15f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "691b9ee9-775c-46d9-9299-51739c40d987:indexpattern-datasource-layer-81a74d0b-7d32-49a4-ac8d-43d302add67e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7a17eec-86d8-4cb1-9edd-244414e3aab0:indexpattern-datasource-layer-d775d293-a043-4ce9-92fa-50ab1d9b0a18", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6e3e5ed6-96be-41b4-becf-df4dea86a142:indexpattern-datasource-layer-bc84eb23-bf2f-4ca6-850d-185b9483a628", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "86a9b583-bbd7-4228-9b53-b1f6dbbe2fa7:indexpattern-datasource-layer-3ee4aaa6-6b55-4af8-8850-9ca72d4bd07d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_7ef4c8d7-5d8f-457f-8cb0-1d3367c9e454:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_75cccfa5-ddb9-401a-9b05-f17f16c24b69:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"controlGroup_db5f26d1-1435-4870-b416-f2a03997b49a:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/ti_flashpoint/kibana/search/ti_flashpoint-02229216-8fcd-4a07-8c65-782f455fcfab.json b/packages/ti_flashpoint/kibana/search/ti_flashpoint-02229216-8fcd-4a07-8c65-782f455fcfab.json new file mode 100644 index 00000000000..2154b9522d0 --- /dev/null +++ b/packages/ti_flashpoint/kibana/search/ti_flashpoint-02229216-8fcd-4a07-8c65-782f455fcfab.json 
@@ -0,0 +1,75 @@ +{ + "attributes": { + "columns": [ + "event.id", + "ti_flashpoint.vulnerability.cvss_v4s.attack_complexity", + "ti_flashpoint.vulnerability.cvss_v4s.privileges_required", + "ti_flashpoint.vulnerability.cvss_v4s.threat_score", + "ti_flashpoint.vulnerability.cvss_v4s.vulnerable_system_availability_impact", + "ti_flashpoint.vulnerability.cvss_v4s.vulnerable_system_confidentiality_impact", + "ti_flashpoint.vulnerability.cvss_v4s.vulnerable_system_integrity_impact" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_flashpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_flashpoint.vulnerability" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "[Logs Flashpoint] Essential CVSS V4 Details" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-12-30T11:25:39.694Z", + "id": "ti_flashpoint-02229216-8fcd-4a07-8c65-782f455fcfab", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file 
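Review bot: the CVSS V4 saved search lists no `cve_id` or `source` column, while the V2 and V3 searches further down (ti_flashpoint-279eadc8-e6f2-4a00-a5cf-f01bd434eb6e and ti_flashpoint-78e2de59-5a14-4a7b-9328-69b9b310c0b7) both expose `...cvss_v2s.cve_id` / `...cvss_v3s.cve_id` and `source`; if the `ti_flashpoint.vulnerability.cvss_v4s` object carries those fields, add them here for parity so an analyst can pivot from a v4 row to the CVE the same way as from a v2 or v3 row. The `data_stream.dataset: ti_flashpoint.vulnerability` phrase filter is correct and matches the other two searches.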
diff --git a/packages/ti_flashpoint/kibana/search/ti_flashpoint-279eadc8-e6f2-4a00-a5cf-f01bd434eb6e.json b/packages/ti_flashpoint/kibana/search/ti_flashpoint-279eadc8-e6f2-4a00-a5cf-f01bd434eb6e.json new file mode 100644 index 00000000000..c141b2beb41 --- /dev/null +++ b/packages/ti_flashpoint/kibana/search/ti_flashpoint-279eadc8-e6f2-4a00-a5cf-f01bd434eb6e.json 
@@ -0,0 +1,73 @@ +{ + "attributes": { + "columns": [ + "event.id", + "ti_flashpoint.vulnerability.cvss_v2s.access_complexity", + "ti_flashpoint.vulnerability.cvss_v2s.availability_impact", + "ti_flashpoint.vulnerability.cvss_v2s.cve_id", + "ti_flashpoint.vulnerability.cvss_v2s.source" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_flashpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_flashpoint.vulnerability" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "[Logs Flashpoint] Essential CVSS V2 Details" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-12-30T11:25:39.694Z", + "id": "ti_flashpoint-279eadc8-e6f2-4a00-a5cf-f01bd434eb6e", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file diff --git a/packages/ti_flashpoint/kibana/search/ti_flashpoint-78e2de59-5a14-4a7b-9328-69b9b310c0b7.json b/packages/ti_flashpoint/kibana/search/ti_flashpoint-78e2de59-5a14-4a7b-9328-69b9b310c0b7.json new file mode 100644 index 00000000000..43a8008cb25 --- /dev/null 
+++ b/packages/ti_flashpoint/kibana/search/ti_flashpoint-78e2de59-5a14-4a7b-9328-69b9b310c0b7.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "columns": [ + "event.id", + "ti_flashpoint.vulnerability.cvss_v3s.attack_complexity", + "ti_flashpoint.vulnerability.cvss_v3s.availability_impact", + "ti_flashpoint.vulnerability.cvss_v3s.cve_id", + "ti_flashpoint.vulnerability.cvss_v3s.privileges_required", + "ti_flashpoint.vulnerability.cvss_v3s.source", + "ti_flashpoint.vulnerability.cvss_v3s.version" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_flashpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_flashpoint.vulnerability" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "[Logs Flashpoint] Essential CVSS V3 Details" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-12-30T11:25:39.694Z", + "id": "ti_flashpoint-78e2de59-5a14-4a7b-9328-69b9b310c0b7", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file diff --git a/packages/ti_flashpoint/manifest.yml b/packages/ti_flashpoint/manifest.yml new file mode 100644 index 00000000000..f867972791c 
--- /dev/null +++ b/packages/ti_flashpoint/manifest.yml 
@@ -0,0 +1,95 @@ +format_version: 3.3.2 +name: ti_flashpoint +title: Flashpoint +version: 0.1.0 +description: Collect logs from Flashpoint with Elastic Agent. +type: integration +categories: + - security +conditions: + kibana: + version: ^8.18.0 || ^9.0.0 + elastic: + subscription: basic +screenshots: + - src: /img/ti_flashpoint-vulnerabilities_dashboard.png + title: Vulnerabilities Dashboard + size: 600x600 + type: image/png +icons: + - src: /img/ti_flashpoint-logo.svg + title: Flashpoint logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: ti_flashpoint + title: Flashpoint + description: Collect logs from Flashpoint. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + organization: security + division: engineering + team: security-service-integrations + inputs: + - type: cel + title: Collect logs from Flashpoint API + description: Collecting logs via Flashpoint API. + vars: + - name: url + type: url + title: URL + description: Base URL of the Flashpoint Instance. + multi: false + required: true + show_user: false + default: https://api.flashpoint.io + - name: api_token + type: password + title: API Token + secret: true + description: API Token to authenticate with Flashpoint API. + multi: false + required: true + show_user: true + - name: proxy_url + type: text + title: Proxy URL + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + multi: false + required: false + show_user: false + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-service-integrations + type: elastic diff --git a/packages/ti_flashpoint/validation.yml b/packages/ti_flashpoint/validation.yml new file mode 100644 index 00000000000..1189aa63c89 --- /dev/null +++ b/packages/ti_flashpoint/validation.yml @@ -0,0 +1,3 @@ +errors: + exclude_checks: + - SVR00004 # References in dashboards.
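Review bot: the Overview markdown panel in the dashboard file (id ti_flashpoint-cfe7739d-dce8-46e0-9f7e-4d077bc5c7bc) has two text problems. It reads "a area chart tracks Vulnerabilities by Severity over Time"; that should be "an area chart" (the panel's `seriesType` is indeed `area`). It also advertises a "Total Exploits" metric, but the only metric panel in the portion of the dashboard shown here is "Total Vulnerabilities" (`unique_count` on `event.id`); either confirm that a Total Exploits panel exists elsewhere in the dashboard or drop the mention so the description matches the panels.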
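Review bot: the `proxy_url` description in manifest.yml reads `http[s]://:@:`, with nothing between the separators; if the angle-bracket placeholders were lost on the way in, restore them so the text reads `http[s]://<user>:<password>@<host>:<port>` and users can tell which parts the "URL encoded format" sentence refers to. The `api_token` variable correctly sets `secret: true` and `type: password`; keep that, since the token is the only credential the input uses.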
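Review bot: the SVR00004 exclusion in validation.yml is required only because the dashboard links its CVSS saved searches by reference (the `type: "search"` panel with a `panelRefName`, plus the three `"type": "search"` entries in the dashboard's `references` array) rather than embedding them by value; say so in the comment, e.g. `- SVR00004 # Dashboard links the CVSS saved searches by reference.`, so the next maintainer knows what would have to change before the exclusion can be removed.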