Skip to content

ThreatQ Integration | Fixes Issue Pulling Sources & Attributes#20042

Open
zach-threatq wants to merge 6 commits into
elastic:mainfrom
zach-threatq:main
Open

ThreatQ Integration | Fixes Issue Pulling Sources & Attributes#20042
zach-threatq wants to merge 6 commits into
elastic:mainfrom
zach-threatq:main

Conversation

@zach-threatq

Copy link
Copy Markdown

Bug Fix

Proposed commit message

fix: issue returning sources & attributes from ThreatQ

ThreatQ recently updated the default API response from the Threat Library to exclude attributes and sources by default. The original API response can be maintained by adding the fields URL parameter. In addition to the default fields (*), we can ask for the attributes and sources fields, which will restore full functionality of the integration & mappings. This commit also specifically asks for attribute names and values to de-clutter the API response.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

N/A

How to test this PR locally

Using a ThreatQ instance on the latest version, ensure that the list of sources and attributes properly get parsed into an Elastic index record with the default integration configuration.

Related issues

N/A

Screenshots

N/A

@zach-threatq zach-threatq requested review from a team as code owners July 8, 2026 14:36
@cla-checker-service

cla-checker-service Bot commented Jul 8, 2026

Copy link
Copy Markdown

💚 CLA has been signed

@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

Reviewers

Buildkite won't run for external contributors automatically; you need to add a comment:

  • /test : will kick off a build in Buildkite.

NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details.

Updated the changelog to reflect the correct pull request link for version 1.39.2.
@andrewkroh andrewkroh added Integration:ti_threatq ThreatQuotient (Partner supported) Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Jul 8, 2026
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

value: {{page_size}}
- set:
target: url.params.fields
value: {{threat_library_fields}}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🟠 High confidence: high path: packages/ti_threatq/data_stream/threat/agent/stream/httpjson.yml.hbs:35

The new url.params.fields value is rendered unquoted; the default begins with *, which YAML parses as an alias node, so the agent config fails to parse. Single-quote the value.

Details

The added set transform renders value: {{threat_library_fields}} without quotes. The threat_library_fields var defaults to *,sources,attributes,attributes.name,attributes.value, so the rendered agent config line becomes value: *,sources,attributes,attributes.name,attributes.value. In YAML an unquoted scalar that begins with * is interpreted as an alias node reference (the * sigil), not a plain string — the parser looks for an anchor name and fails on the immediately following ,, producing a config parse error. With the default configuration the httpjson input cannot start. Every other value in this template that can contain special characters is single-quoted (e.g. value: '[[.cursor.cursor_mark]]'); page_size is safe unquoted only because it is an integer. The tenable_sc url.params.fields precedent renders unquoted only because its value starts with a letter.

Recommendation:

Single-quote the rendered value so a leading * (or commas) is treated as a plain string:

- set:
    target: url.params.fields
    value: '{{threat_library_fields}}'

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@vera-review-bot

Copy link
Copy Markdown

No issues across the latest commits 0123fc5, 6280f3e.

Review summary

Issues found across earlier commits aa6759b — 1 high
  • 🟠 The new url.params.fields value is rendered unquoted (link) (Unresolved)

Since this is a community PR, a new commit triggers another review — at most once every 30 minutes. I skip the PR while it's approved or has merge conflicts.

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@andrewkroh

Copy link
Copy Markdown
Member

Is this change backward compatible with earlier versions of ThreatQ? Let's say a user is connected to an earlier version, then will the new query param on the GET request work the same?

The original API response can be maintained by adding the fields URL parameter.

Can you point me at the documentation for the API that this integration is using? I was looking at https://helpcenter.threatq.com/assets/HTML/api/ThreatQ_REST_API_Reference_v6.16.0.html and didn't see the API endpoint.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@zach-threatq

Copy link
Copy Markdown
Author

Is this change backward compatible with earlier versions of ThreatQ? Let's say a user is connected to an earlier version, then will the new query param on the GET request work the same?

The original API response can be maintained by adding the fields URL parameter.

Can you point me at the documentation for the API that this integration is using? I was looking at https://helpcenter.threatq.com/assets/HTML/api/ThreatQ_REST_API_Reference_v6.16.0.html and didn't see the API endpoint.

The fields parameter has existed in the Threat Library API for quite some time, dating back to 2023 (ThreatQ v5.23.0). So this should be backwards compatible with most current versions of ThreatQ. I made the fields list configurable just in case there needs to be some tweaks to it for older versions or newer versions, but from what I understand, it should be compatible with any ThreatQ version >= v5.23.0.

As far as documentation goes, I don't believe there are public docs outlining the endpoints in full detail, just high level.

@andrewkroh

Copy link
Copy Markdown
Member

As far as documentation goes, I don't believe there are public docs outlining the endpoints in full detail, just high level.

Even if it's high level info, can you point me toward where I would find a doc for /api/indicators/query/hash/{{data_collection_id}} if any exists. Thanks.

description: >-
Comma-separated list of fields to retrieve from the Threat Library.
An asterisk (*) can be used to retrieve all default fields. In ThreatQ v6.12 and later,
sources & attributes are no longer part of the default fields and must be explicitly requested.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
sources & attributes are no longer part of the default fields and must be explicitly requested.
sources and attributes are no longer part of the default fields and must be explicitly requested.

# newer versions go on top
- version: "1.39.2"
changes:
- description: Restores `sources` & `attributes` fields after recent updates to the ThreatQ Platform's API.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- description: Restores `sources` & `attributes` fields after recent updates to the ThreatQ Platform's API.
- description: Restores `sources` and `attributes` fields after recent updates to the ThreatQ Platform's API.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Integration:ti_threatq ThreatQuotient (Partner supported) Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants