
Add Speculus Threat Intelligence integration #19912

Open

SpeculusDevelopers wants to merge 3 commits into elastic:main from SpeculusDevelopers:add-speculus-taxii-integration

Conversation

@SpeculusDevelopers

Summary

Adds ti_speculus_taxii, a CEL-input integration that collects STIX 2.1 threat intelligence indicators from the Speculus TAXII 2.1 server and maps them to ECS threat.indicator.* fields.

  • Single-collection CEL poller with Bearer-token auth and added_after/next-cursor incremental sync
  • Ingest pipeline maps STIX fields to ECS, with the remaining STIX and x_speculus_* extension properties (geo, ASN/ISP, risk score, activity, attribution, proxy/Tor/datacenter/blacklist classification) namespaced under ti_speculus_taxii.stix.*
  • Kibana dashboard: indicator KPIs, risk/activity/country breakdowns, a choropleth world map, an indicators-over-time chart, and top-organizations/classifications tables
  • Speculus is an Elastic Technology Partner; owner.type: partner

Test plan

  • elastic-package check (lint + build) passes
  • elastic-package test pipeline passes against representative Speculus indicator fixtures
  • elastic-package test static / test asset pass
  • elastic-package test system passes against a self-contained mocked TAXII server fixture (_dev/deploy/docker/) — no live-server dependency, so CI doesn't depend on Speculus's production infrastructure
  • Manually validated end-to-end against the real production feed (370K+ real indicators ingested via a live Fleet policy during development)
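The added_after/next-cursor sync and the STIX-to-ECS mapping the summary describes, as an added Python sketch that is not part of this PR's CEL program or ingest pipeline; the mocked envelope pages, mock_taxii_get, and the ECS field chosen for each indicator type are assumptions.

```python
import re
# Constructed sample (values invented): two TAXII 2.1 envelope pages from a mocked
# server; page 1 sets "more" plus a "next" cursor, page 2 is the last page.
MOCK_PAGES = {
    None: {"more": True, "next": "cursor-1", "objects": [
        {"type": "indicator", "id": "indicator--0001", "spec_version": "2.1",
         "modified": "2026-06-01T00:00:00.000Z", "valid_from": "2026-06-01T00:00:00.000Z",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix",
         "confidence": 85, "x_speculus_risk_score": 92, "x_speculus_is_tor": True}]},
    "cursor-1": {"more": False, "objects": [
        {"type": "indicator", "id": "indicator--0002", "spec_version": "2.1",
         "modified": "2026-06-02T00:00:00.000Z", "valid_from": "2026-06-02T00:00:00.000Z",
         "pattern": "[domain-name:value = 'bad.example']", "pattern_type": "stix"},
        {"type": "identity", "id": "identity--0003", "name": "Speculus"}]},
}
def mock_taxii_get(added_after, next_cursor):
    """Hypothetical stand-in for GET .../objects/?added_after=<ts>&next=<cursor>."""
    return MOCK_PAGES[next_cursor]

# Single-comparison STIX pattern, e.g. [ipv4-addr:value = '203.0.113.7']
_PATTERN = re.compile(r"^\[(?P<obj>[a-z0-9-]+):value\s*=\s*'(?P<val>[^']+)'\]$")
# STIX observable type -> (parent, leaf) under threat.indicator that holds the value
_VALUE_FIELD = {"ipv4-addr": (None, "ip"), "ipv6-addr": (None, "ip"),
                "domain-name": ("url", "domain"), "url": ("url", "full")}
_MAPPED = ("pattern", "valid_from", "modified", "confidence")

def stix_to_ecs(obj):
    """Map a STIX 2.1 indicator to ECS threat.indicator.*; the rest (x_speculus_* included) stays under ti_speculus_taxii.stix.*."""
    ind = {"first_seen": obj.get("valid_from"), "modified_at": obj.get("modified")}
    if "confidence" in obj:
        ind["confidence"] = obj["confidence"]
    m = _PATTERN.match(obj.get("pattern", ""))
    if m and m.group("obj") in _VALUE_FIELD:
        ind["type"] = m.group("obj")  # ECS threat.indicator.type reuses STIX type names
        parent, leaf = _VALUE_FIELD[m.group("obj")]
        (ind if parent is None else ind.setdefault(parent, {}))[leaf] = m.group("val")
    else:
        ind["type"] = "unknown"  # compound pattern: keep the raw STIX, don't guess
    rest = {k: v for k, v in obj.items() if k not in _MAPPED}
    return {"threat": {"indicator": ind}, "ti_speculus_taxii": {"stix": rest}}

def sync(fetch, added_after):
    """Follow TAXII 2.1 'next' cursors until 'more' is false; return ECS documents."""
    docs, cursor = [], None
    while True:
        page = fetch(added_after, cursor)
        docs += [stix_to_ecs(o) for o in page["objects"] if o.get("type") == "indicator"]
        if not page.get("more"):
            return docs
        cursor = page["next"]
```

Non-indicator objects in the envelope (identity, marking-definition) are skipped, and a compound pattern is kept verbatim under the stix namespace rather than mapped to a guessed indicator value.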

Adds ti_speculus_taxii, a CEL-input TAXII 2.1 integration that collects STIX 2.1 threat intelligence indicators from the Speculus feed, maps them to ECS threat.indicator.* fields, and namespaces the remaining STIX and Speculus extension properties under ti_speculus_taxii.stix.*.

Validated end-to-end: pipeline, static, asset, and system tests pass against a self-contained mocked TAXII fixture (no live-server dependency in CI), plus manual confirmation against the real production feed. Includes a Kibana dashboard with indicator KPIs, risk/activity breakdowns, a geo/country view, and an indicators-over-time chart.

Replaces the hand-authored dashboard with one built and verified through the Kibana UI, including a choropleth world map (EMS World Countries, joined on threat.indicator.geo.country_iso_code). The map's data-view join was retargeted from a local-only data view to the shared logs-* pattern so it resolves in any environment.

@SpeculusDevelopers SpeculusDevelopers requested a review from a team as a code owner July 1, 2026 14:53
@elastic-vault-github-plugin-prod

Reviewers

Buildkite won't run for external contributors automatically; you need to add a comment:

  • /test : will kick off a build in Buildkite.

NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details.

@andrewkroh andrewkroh added the labels New Integration (Issue or pull request for creating a new integration package.) and documentation (Improvements or additions to documentation. Applied to PRs that modify *.md files.) Jul 1, 2026

Speculus is not currently a formal Elastic Technology Partner, so the owner.type should be community rather than partner. Also aligns owner.github with the GitHub account actually maintaining this PR.