Skip to content

ti_threatconnect: update pipeline to lowercase all hashes#17455

Open
GShepherdTC wants to merge 3 commits intoelastic:mainfrom
GShepherdTC:main
Open

ti_threatconnect: update pipeline to lowercase all hashes#17455
GShepherdTC wants to merge 3 commits intoelastic:mainfrom
GShepherdTC:main

Conversation

@GShepherdTC
Copy link
Contributor

@GShepherdTC GShepherdTC commented Feb 18, 2026
edited by andrewkroh
Loading

Proposed commit message

Updated pipeline to lowercase all hashes

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • Check code changes. Should be pretty straight forward.

How to test this PR locally

Run the pipeline test. I updated the response data to match.

Related issues

Screenshots

No changes to UI.

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Feb 18, 2026

Reviewers

Buildkite won't run for external contributors automatically; you need to add a comment:

  • /test : will kick off a build in Buildkite.

NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details.

@GShepherdTC GShepherdTC marked this pull request as ready for review February 18, 2026 21:38
@GShepherdTC GShepherdTC requested a review from a team as a code owner February 18, 2026 21:38
@efd6 efd6 changed the title Breaking change: Updated pipeline to lowercase all hashes ti_threatconnect: update pipeline to lowercase all hashes Feb 18, 2026
efd6
efd6 reviewed Feb 18, 2026
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested commit message:

ti_threatconnect: lowercase all hash values in indicator processing

Hash values should be normalized to lowercase for consistent matching
and deduplication across threat intelligence sources.

though this probably needs expansion. I think we want to know what visualisation and saved search impacts this will have.

andrewkroh
andrewkroh reviewed Feb 18, 2026
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I opened a ECS issue to advise using lowercase for the hashes.

While reviewing I noticed that ECS threat.indicator.file.size and threat.indicator.geo.location were present in the TC data but completely missing from the ECS mapping. Can you please map those as well to improve ECS coverage?

packages/ti_threatconnect/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
copy_from: threat_connect.indicator.md5
ignore_empty_value: true
if: ctx.threat_connect?.indicator?.type instanceof String && ctx.threat_connect.indicator.type.contains('File')
- lowercase:
Copy link
Member

@andrewkroh andrewkroh Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to occur before the value is copied into the ECS threat.indicator.file.hash.md5 field.

Please check the sha1 and sha256 get the same treatment if they need it.

Copy link
Contributor Author

@GShepherdTC GShepherdTC Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Will look at incorporating file size as that makes sense and its not specific to hash type so I believe I just have to add the mapping once. Seems they didn't map it originally.

But geo location is another story. Thats not a first party attribute in our system but keyed to attributes and I see they didn't map any attributes over from what I can tell. So I'm not going to touch that one.

@andrewkroh andrewkroh added Integration:ti_threatconnect ThreatConnect (Partner supported) Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Feb 18, 2026
@elasticmachine
Copy link

elasticmachine commented Feb 18, 2026

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@GShepherdTC @efd6
Update packages/ti_threatconnect/changelog.yml
6ea3d1c 
ti_threatconnect: lowercase all hash values in indicator processing

Hash values should be normalized to lowercase for consistent matching
and deduplication across threat intelligence sources.

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh left review comments

@efd6 efd6 efd6 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

breaking change Integration:ti_threatconnect ThreatConnect (Partner supported) Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@GShepherdTC @elasticmachine @andrewkroh @efd6

Comments