[ti_recordedfuture] Add Support for Playbook and Triggered Alerts

[mohitjha-elastic]

Proposed Commit Message

ti_recordedfuture: add support for playbook and triggered alerts as two new data streams

This adds support for the Playbook and Triggered Alerts event type as two new data streams to
enhance the overall visibility of threat data in the Recorded Future integration.

This changes also includes updating ecs version to 8.17.0 in all existing data streams.

Sanitized test case inputs were obtained from the Recorded Future API for Playbook Alerts[1]
and from the Recorded Future Connect API for Triggered Alerts[2].

[1] https://api.recordedfuture.com/playbook-alert
[2] https://api.recordedfuture.com/v2/#!/Alerts/Alert_Notification_Search

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

Clone integrations repo.
Install the elastic package locally.
Start the elastic stack using the elastic package.
Move to integrations/packages/ti_recordedfuture directory.
Run the following command to run tests.
elastic-package test -v

Related issues

• Closes [recorded_future] Add 2 alerts datastreams #13146

Screenshots

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[kcreddy]

Because we are coupling agentless update with the new datastreams, users before 8.18.0 wont be able to use these new datastreams. Is that fine @jamiehynds / @cpascale43 ?

[cpascale43]

@kcreddy I think that's ok, should we document it somewhere though?

[efd6]

Is there a reason this could not be broken into two changes, one for the new data streams and one for the agentless update?

[kcreddy]

Same being done here #13680 (comment). Same clarification also applies there. cc: @janvi-elastic

I think we should decouple the agentless update and new datastream enhancements unless there is any strong reason not to.

[mohitjha-elastic]

@efd6 @kcreddy
The new data streams and dashboards have been implemented and tested on version 8.18. While downgrading to an earlier version is possible, it would require significant effort. Is there any key reason why we cannot proceed with the current implementation without decoupling?

Going forward, we will ensure that enhancement changes and agentless implementations are decoupled to avoid similar challenges.

Please let me know your thoughts.

[kcreddy]

Is there any key reason why we cannot proceed with the current implementation without decoupling?

More users can benefit from the enhancement. Example

Going forward, we will ensure that enhancement changes and agentless implementations are decoupled to avoid similar challenges.

I'm okay with this, but please make sure to de-couple agentless update for future enhancement tasks.

cc: @piyush-elastic

[kcreddy]

What was the reason for calling them Legacy Alerts? I don't see them as deprecated in the API doc (/v3).

[mohitjha-elastic]

In their Recorded Future APIs doc, under the description of connect api, its being written that this is the legacy alert. The same has been mentioned in the issue requirement.

[kcreddy]

@cpascale43 can you confirm if the alerts retrieved from Connect API should be called Legacy Alerts?
For example, the Microsoft connector for recorded future calls them Triggered Alerts just like the Connect API doc.

[cpascale43]

@kcreddy good catch, let's go with Triggered Alerts then

[kcreddy]

Thanks Carrie.
@mohitjha-elastic, please update the data_stream name.

[mohitjha-elastic]

@kcreddy Updated the PR with the changes. Can you please take a look?

[kcreddy]

#13494 (review)

[efd6]

Suggested change

	"triggered": "2026-03-31T04:03:56.425Z",
	"triggered": "2500-03-31T04:03:56.425Z",

[efd6]

Suggested change

	"triggered": "2027-03-31T04:03:56.425Z",
	"triggered": "3000-03-31T04:03:56.425Z",

[efd6]

Is there a reason this could not be broken into two changes, one for the new data streams and one for the agentless update?

[kcreddy]

@mohitjha-elastic, can you change legacy to triggered in following places as well?

1. PR title
2. commit message
3. pipeline test file names

[kcreddy]

LGTM for my comments

[efd6]

Suggested change

	"message": "POST " + state.url.trim_right("/") + "/playbook-alert/search" +
	"message": "POST " + state.url.trim_right("/") + "/playbook-alert/search: " +

[efd6]

I'm not sure we need this much detail here; this is just to allow the user to see which part of the program the request failed in, not the exact request.

Suggested change

	"message": "POST " + state.url.trim_right("/") + "/playbook-alert/" +
	(string(state.worklist.data[state.next].category) == "cyber_vulnerability" ?
	"vulnerability"
	:
	string(state.worklist.data[state.next].category))
	+ "/" + string(state.worklist.data[state.next].playbook_alert_id) +
	(
	"message": "POST " + state.url.trim_right("/") + "/playbook-alert/:" + (

[efd6]

Suggested change

	"message": "GET "+ state.url.trim_right("/") + "/v3/alerts:" + (
	"message": "GET "+ state.url.trim_right("/") + "/v3/alerts: " + (

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
98.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 26be05e

History

• 💚 Build #25717 succeeded 20f54a9
• 💚 Build #25714 succeeded 9a6e680
• 💚 Build #25266 succeeded 666267b
• 💚 Build #24659 succeeded 5d0f50c
• 💔 Build #24656 failed 66eef07

cc @mohitjha-elastic

[elastic-vault-github-plugin-prod]

Package ti_recordedfuture - 1.30.0 containing this change is available at https://epr.elastic.co/package/ti_recordedfuture/1.30.0/