
[New Integration] Strider Shield #17025

Merged
efd6 merged 61 commits into elastic:main from vargas-francisco:Strider_Shield_Integration
Mar 19, 2026

Conversation


@vargas-francisco vargas-francisco commented Jan 21, 2026

Strider Shield Integration

Proposed commit message

ti_strider: add Strider Shield threat intelligence integration

Add a new partner integration that connects to the Strider Shield API to
collect threat intelligence indicators (email addresses, domains, and
terms) associated with state-sponsored actors. Data is ingested via CEL
input using OAuth2 client credentials and processed into ECS format.

A latest transform deduplicates indicators by primary name and type,
with automatic expiration: archived indicators expire immediately, active
ones expire after 90 days. Source indices are retained for 7 days via
ILM.

API reference documentation is not publicly available; access is
restricted to paying clients.

Test data provenance: pipeline test inputs use synthetic minimal-value
placeholders to validate transformation logic. The sample event and
system test mock use representative data matching the production API
response format. All test data was authored by the integration developer.

Overview

This is an Elastic integration that ingests threat intelligence indicators from Strider Shield into Elasticsearch. It's designed to run on Elastic Agent (Fleet) and uses the CEL (Common Expression Language) input to poll the Strider Shield REST API.

Strider: Add shield threat intelligence integration

This integration connects to the Strider Shield API to collect threat
intelligence indicators including email addresses, domains, and terms
related to state-sponsored actors. The data is processed into ECS format
for use in SIEM and security analysis workflows.

API documentation

The API Docs are not publicly available. The documentation is only available for paying clients.

Test Data Files

  • ./data_stream/indicator/sample_event.json — Sample event with:
    • Agent metadata
    • IOC data (email address: abagautdinova@itmo.ru)
    • Timestamps and metadata

  • ./data_stream/indicator/_dev/test/pipeline/test-default-event.json — Pipeline test input with:
    • Two test events (isNew: 0 and 1)
    • Simple test values ("1", "2", etc.)

  • ./data_stream/indicator/_dev/test/pipeline/test-default-event.json-expected.json — Expected output for the pipeline test:
    • Transformed IOC data matching the input structure

  • ./data_stream/indicator/_dev/test/system/test-default-config.yml — System test configuration

These files are used for:
  • Pipeline testing (transformation logic)
  • Sample event documentation
  • System integration testing

Testing Instructions

Here are some (brief) written instructions on testing the integration.

  • Check out and install elastic-package, https://github.com/elastic/elastic-package, the Elastic CLI tool for developing integrations

  • Once installed, navigate to the ti_strider directory and run elastic-package stack up -d to spin up a local elastic stack with all the bells and whistles already preconfigured. 

  • Once the stack is up and running, run elastic-package build to build the package. 

  • Then run elastic-package install to add the integration to the package registry of your local elastic stack.

  • Navigate to https://localhost:5601/app/integrations/browse and enter login credentials:
    username: elastic
    password: changeme

  • Search for "Strider Shield", select it and then select "Add Strider Shield".

  • Enter your Shield API ID and Secret.

  • In the "Where to add this integration?" section, select Existing hosts, and in the dropdown menu select Elastic-Agent (elastic-package)

  • Press Save and Continue, and the integration should start up.

  • To tear everything down, run elastic-package stack down.

We cannot schedule syncs to run at specific times, we can only sync on an interval basis (e.g. every 30 minutes, every 24 hours). We are currently using 24 hours.

Source indices will be found in indices named logs-ti_strider.indicator-*, and will contain duplicate data and archived IOCs.
The destination index, which contains the deduped data, and no archived IOCs, will be found in the index logs-ti_strider_latest.indicator-1.

It takes a little bit of time, maybe up to 5 minutes for the destination index to populate after each sync.

Data in source indices will be deleted after a week.

Architecture

1. Data Collection (data_stream/indicator/)

CEL Input (agent/stream/cel.yml.hbs):

  • Authenticates with Strider using OAuth2 (client credentials flow)
  • Polls the API at a configurable interval (default: 24 hours)
  • Fetches three types of indicators:
    • emailAddresses
    • emailDomains
    • terms
  • Handles authentication and API errors gracefully

2. Data Processing

Ingest Pipeline (elasticsearch/ingest_pipeline/default.yml):

  • Renames fields to ECS-compatible names (e.g., itemNamePrimary → ioc.name_primary)
  • Parses JSON for secondary names
  • Sets expires_at field:
    • Archived indicators: expires immediately
    • Active indicators: expires 90 days from ingestion date

3. Data Lifecycle Management

Source Indices (logs-ti_strider.indicator-*):

  • ILM policy deletes data after 7 days
  • Allows duplicates (same indicator can appear multiple times as it's updated)

Transform (elasticsearch/transform/latest_item/):

  • Creates a deduplicated destination index (logs-ti_strider_latest.indicator-1)
  • Keeps only the latest version per unique (ioc.name_primary, ioc.type) combination
  • Automatically removes expired indicators based on ioc.expires_at
  • Runs every 30 seconds with a 120s sync delay

Key Features

  1. IOC Expiration: Archived indicators expire immediately; active ones expire after 90 days
  2. Deduplication: Transform ensures only the latest version of each indicator is available
  3. Short Retention: Source data is deleted after 7 days to prevent unbounded growth
  4. Long-term View: Destination index maintains active, deduplicated indicators

Configuration

The integration requires:

  • api_url: Strider Shield API endpoint
  • auth_url: OAuth2 authentication endpoint
  • strider_id: Client ID
  • strider_secret: Client Secret
  • polling_interval: How often to poll (e.g., "24h")

Data Structure

Each indicator includes:

  • ioc.type: Type of indicator (emailAddress, emailDomain, term)
  • ioc.name_primary: Primary identifier
  • ioc.name_secondary: Secondary names with language codes
  • ioc.risk_signal: Risk classification
  • ioc.md5: MD5 hash
  • ioc.expires_at: Expiration timestamp
  • ioc.dates_added: Original date when added to source

Index Structure

  • Source indices: logs-ti_strider.indicator-* (contains duplicates, deleted after 7 days)
  • Destination index: logs-ti_strider_latest.indicator-1 (deduplicated, active IOCs only)
  • Alias: logs-ti_strider_latest.indicator (points to destination index)

This architecture provides a clean, deduplicated view of active threat intelligence indicators while managing storage costs through short source retention.
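The pipeline and transform behaviour described above (field renames, expires_at set to "now" for archived and "now + 90 days" for active indicators, deduplication by ioc.name_primary and ioc.type, expired entries dropped), modelled as an added Python example that is not the integration's own pipeline or transform. Raw field names other than itemNamePrimary, itemNameSecondary and archive are assumptions, and the @timestamp guard matches the one added later in the review thread.

```python
import json
from datetime import datetime, timedelta

ACTIVE_TTL = timedelta(days=90)  # active indicators expire 90 days after ingestion

def _parse_ts(ts: str) -> datetime:
    """Parse the Z-suffixed ISO 8601 timestamps the test events use."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def process_event(raw: dict) -> dict:
    """Model of the ingest pipeline: rename API fields to ioc.* and set ioc.expires_at."""
    secondary = raw.get("itemNameSecondary")
    doc = {
        "@timestamp": raw.get("@timestamp"),
        "ioc": {
            "type": raw["type"],  # assumed: set by the CEL input per endpoint polled
            "name_primary": raw["itemNamePrimary"],
            "name_secondary": json.loads(secondary) if secondary else [],
        },
    }
    # Guard: an event with no @timestamp skips the expiration calculation entirely.
    if doc["@timestamp"] is not None:
        ingested = _parse_ts(doc["@timestamp"])
        ttl = timedelta(0) if raw.get("archive") == 1 else ACTIVE_TTL
        doc["ioc"]["expires_at"] = (ingested + ttl).isoformat()
    return doc

def latest_view(source_docs: list, now: datetime) -> dict:
    """Model of the latest transform: newest doc per (name_primary, type), expired ones dropped."""
    latest = {}
    for doc in source_docs:
        if doc["@timestamp"] is None:
            continue  # the transform orders on @timestamp; nothing to order here
        key = (doc["ioc"]["name_primary"], doc["ioc"]["type"])
        if key not in latest or _parse_ts(doc["@timestamp"]) > _parse_ts(latest[key]["@timestamp"]):
            latest[key] = doc
    return {k: d for k, d in latest.items() if _parse_ts(d["ioc"]["expires_at"]) > now}

# Constructed sample events in the shape of the pipeline test inputs (not real Strider data).
SAMPLE_EVENTS = [
    {"@timestamp": "2021-11-11T01:02:03.123Z", "type": "emailAddress", "archive": 0,
     "itemNamePrimary": "actor@example.org", "itemNameSecondary": '[{"name": "actor", "lang": "en"}]'},
    {"@timestamp": "2021-11-12T01:02:03.123Z", "type": "emailAddress", "archive": 0,
     "itemNamePrimary": "actor@example.org"},                            # newer duplicate
    {"@timestamp": "2021-11-12T01:02:03.123Z", "type": "emailDomain", "archive": 1,
     "itemNamePrimary": "example.net"},                                  # archived: expires at once
    {"type": "term", "itemNamePrimary": "codename", "archive": 0},       # no @timestamp
]

def demo(now_iso: str) -> dict:
    """Run the samples through both models and return the active, deduplicated view."""
    return latest_view([process_event(e) for e in SAMPLE_EVENTS], _parse_ts(now_iso))
```

Calling demo("2022-01-01T00:00:00Z") returns only the newer copy of the active email address; the archived domain and the duplicate older copy are gone, and the same call two months later returns nothing because the 90-day window has closed.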

Files for the first version of Strider Shield Integration with Elastic
@vargas-francisco vargas-francisco requested a review from a team as a code owner January 21, 2026 15:20

cla-checker-service Bot commented Jan 21, 2026

💚 CLA has been signed

@andrewkroh andrewkroh added New Integration Issue or pull request for creating a new integration package. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. needs CLA User must sign the Elastic Contributor License before review. labels Jan 21, 2026
@jamiehynds jamiehynds requested a review from a team January 23, 2026 11:08
@jamiehynds jamiehynds added the Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] label Jan 23, 2026
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)


efd6 commented Jan 25, 2026

@vargas-francisco Please sign the CLA so that we can take a look at this.

@vargas-francisco
Contributor Author

I did. On Friday.


efd6 commented Jan 25, 2026

Thanks. Page reloads are a wonderful thing.


@efd6 efd6 left a comment


This looks like a ti package, should it be renamed ti_strider?

Suggest the following for the proposed commit message:

strider: add shield threat intelligence integration

This integration connects to the Strider Shield API to collect threat
intelligence indicators including email addresses, domains, and terms
related to state-sponsored actors. The data is processed into ECS format
for use in SIEM and security analysis workflows.

API documentation: [AUTHOR: Add Strider Shield API documentation URL, or explain why unavailable]

Test data: [AUTHOR: Please add test data provenance - how was the test input created?]

with relevant parts added.

Comment thread packages/ti_strider/build/packages/ti_strider-0.0.1.zip Outdated
Comment thread packages/strider/changelog.yml Outdated
Comment thread packages/strider/data_stream/indicator/_dev/test/pipeline/test-default-event.json Outdated
Comment thread packages/strider/data_stream/indicator/agent/stream/cel.yml.hbs Outdated
Comment thread packages/ti_strider/data_stream/indicator/agent/stream/cel.yml.hbs Outdated
Comment thread packages/strider/data_stream/indicator/fields/fields.yml Outdated
Comment thread packages/ti_strider/written_instructions Outdated
Comment thread packages/ti_strider/docs/README.md
@vargas-francisco
Contributor Author

Thanks! Will do the changes

@andrewkroh andrewkroh removed the needs CLA User must sign the Elastic Contributor License before review. label Jan 26, 2026
vargas-francisco and others added 5 commits January 27, 2026 12:04
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
Fix blank space
Multiple fixes
Rename main folder
@vargas-francisco
Contributor Author

All changes suggested were done.
Let me know if I need to do something else.

@vargas-francisco
Contributor Author

Fixed most of the comments of the PR.


efd6 commented Mar 16, 2026

/test


@efd6 efd6 left a comment


Can you address #17025 (comment) and #17025 (comment)?

Comment thread .gitignore

efd6 commented Mar 17, 2026

/test

@sethBStrider

@efd6 Sorry for the silly question: do you have an ETA on when this should be done? No commitments, just a finger-to-the-wind best guess of how close we are?


efd6 commented Mar 18, 2026

@sethBStrider There are outstanding questions that have not been addressed.

@vargas-francisco
Contributor Author

Oh, my bad. I must have overlooked them.
Which ones?
Can you please point me to them.
I thought I made all the changes needed.


sethBStrider commented Mar 18, 2026

Please retag @vargas-francisco or myself directly in those questions if you can! Thank you.


@efd6 efd6 left a comment


The comments below and also please answer #17025 (comment).

Comment thread COMMIT_MSG Outdated
Comment thread packages/ti_strider/data_stream/indicator/manifest.yml
Added suggestions made by reviewer
Key changes:

New timestamps reflecting current test run
host block removed (synthetic source mode strips it)
tags array now included: preserve_original_event, forwarded, ti_strider-indicator — confirming the tags/preserve_original_event wiring is working correctly
No event.original (as expected — the CEL input sets the fields directly, so there's no message to rename)
Everything is clean and all tests pass. Here's the final summary:

System tests: PASS (2 hits as expected)
Pipeline tests: PASS (all 3 events including archive: 1)
Build: SUCCESS (docs regenerated)
4 files changed: cel.yml.hbs, manifest.yml, sample_event.json, docs/README.md
@sethBStrider

@efd6 Can you review again? Thanks!


efd6 commented Mar 19, 2026

/test

Comment thread packages/ti_strider/data_stream/indicator/manifest.yml Outdated
Comment thread packages/ti_strider/data_stream/indicator/manifest.yml Outdated
@vargas-francisco
Contributor Author

All suggestions, fixed. I'm going to mark them as resolved.

manifest.yml — Fixed capitalization: Api url → API URL and The url → The URL.

test-common-config.yml — Simplified as suggested: removed dynamic_fields and the hard-coded @timestamp, keeping only tags: [preserve_original_event].

default.yml (ingest pipeline) — Added if: ctx['@timestamp'] != null guard on the expires_at script, so events without @timestamp skip the expiration calculation gracefully.

test-default-event.json — Duplicated all 3 test events with explicit @timestamp: "2021-11-11T01:02:03.123Z". Also added non-empty itemNameSecondary and changes values to the first event (and its duplicate) to exercise the JSON parsing logic on those fields.

test-default-event.json-expected.json — Regenerated with elastic-package test pipeline -g so it's canonically formatted and ordered. The output correctly shows:

Events without @timestamp: no expires_at (script skipped)
Events with @timestamp: correct expires_at (+90 days for active, immediate for archived)
Non-empty name_secondary array properly parsed


efd6 commented Mar 19, 2026

Please leave comment resolution to me; I need to check each one.

@vargas-francisco
Contributor Author

> Please leave comment resolution to me; I need to check each one.

Resolved each suggestion.


efd6 commented Mar 19, 2026

/test

@elasticmachine

💚 Build Succeeded



@efd6 efd6 left a comment


Thanks

@efd6 efd6 merged commit bd185c6 into elastic:main Mar 19, 2026
8 checks passed
@elastic-vault-github-plugin-prod

Package ti_strider - 0.0.1 containing this change is available at https://epr.elastic.co/package/ti_strider/0.0.1/

@sethBStrider

Thank you for your help @efd6 !!

@andrewkroh andrewkroh added the Integration:ti_strider Strider Shield (Partner supported) label Mar 20, 2026
srilumpa pushed a commit to srilumpa/elastic-integrations that referenced this pull request Mar 23, 2026

6 participants