robester0403
diff --git a/‎packages/ti_abusech/_dev/build/docs/README.md‎
Lines changed: 168 additions & 45 deletions b/‎packages/ti_abusech/_dev/build/docs/README.md‎
Lines changed: 168 additions & 45 deletions
diff --git a/‎packages/ti_abusech/changelog.yml‎
Lines changed: 5 additions & 0 deletions b/‎packages/ti_abusech/changelog.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎packages/ti_abusech/data_stream/ja3_fingerprints/manifest.yml‎
Lines changed: 6 additions & 6 deletions b/‎packages/ti_abusech/data_stream/ja3_fingerprints/manifest.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎packages/ti_abusech/data_stream/malware/manifest.yml‎
Lines changed: 7 additions & 6 deletions b/‎packages/ti_abusech/data_stream/malware/manifest.yml‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎packages/ti_abusech/data_stream/malwarebazaar/manifest.yml‎
Lines changed: 7 additions & 6 deletions b/‎packages/ti_abusech/data_stream/malwarebazaar/manifest.yml‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎packages/ti_abusech/data_stream/sslblacklist/manifest.yml‎
Lines changed: 6 additions & 6 deletions b/‎packages/ti_abusech/data_stream/sslblacklist/manifest.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎packages/ti_abusech/data_stream/threatfox/manifest.yml‎
Lines changed: 8 additions & 7 deletions b/‎packages/ti_abusech/data_stream/threatfox/manifest.yml‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎packages/ti_abusech/data_stream/url/manifest.yml‎
Lines changed: 6 additions & 6 deletions b/‎packages/ti_abusech/data_stream/url/manifest.yml‎
Lines changed: 6 additions & 6 deletions
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.3.0"
+  changes:
+    - description: Update documentation.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14774
 - version: "3.2.0"
   changes:
     - description: Add `ja3_fingerprints` and `sslblacklist` data streams.
 
@@ -1,14 +1,14 @@
 type: logs
-title: AbuseCH JA3 Fingerprint logs
+title: JA3 Fingerprints
 ilm_policy: logs-ti_abusech.ja3_fingerprints-default_policy
 streams:
   - input: cel
     enabled: true
     vars:
       - name: url
         type: text
-        title: AbuseCH JA3 Fingerprint API
-        description: Active JA3 Fingerprint API fetches malicious JA3 fingerprints identified by SSLBL.
+        title: URL
+        description: Base URL of the abuse.ch SSLBL API to collect active malicious JA3 fingerprints identified by SSLBL.
         multi: false
         required: true
         show_user: false
@@ -35,7 +35,7 @@ streams:
         required: true
         show_user: true
         default: 1h
-        description: Interval for polling threat indicators from AbuseCH data dump. As data dump is generated every 5 minutes, it should be greater than 5 minutes. Default `1h`.
+        description: Duration between requests to the SSLBL API. Supported units for this parameter are h/m/s. Example `24h`. As data dump is generated every 5 minutes, it should be greater than 5 minutes.
       - name: ssl
         type: yaml
         title: SSL Configuration
@@ -70,5 +70,5 @@ streams:
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 
     template_path: cel.yml.hbs
-    title: AbuseCH JA3 Fingerprint logs using Elastic Agent
-    description: Collect AbuseCH JA3 Fingerprint logs using Elastic Agent
+    title: JA3 Fingerprints
+    description: Collect malicious JA3 fingerprints from abuse.ch SSLBL.
@@ -1,13 +1,14 @@
 type: logs
-title: AbuseCH Malware payloads
+title: Malware payloads
 ilm_policy: logs-ti_abusech.malware-default_policy
 streams:
   - input: cel
     enabled: true
     vars:
       - name: url
         type: text
-        title: AbuseCH Malware API endpoint
+        title: URL
+        description: Base URL of the abuse.ch URLhaus API to collect malware payloads.
         multi: false
         required: true
         show_user: false
@@ -30,7 +31,7 @@ streams:
       - name: interval
         type: text
         title: Interval
-        description: Interval at which the malware payloads will be pulled. Supported units for this parameter are h/m/s.
+        description: Duration between requests to the URLhaus API. Supported units for this parameter are h/m/s. Example `24h`.
         multi: false
         required: true
         show_user: true
@@ -42,7 +43,7 @@ streams:
         required: true
         show_user: true
         default: "90d"
-        description: "Indicator is expired after this duration since its last seen timestamp. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g 10d). Default `90d`."
+        description: Indicator is expired after this duration since its last seen timestamp. Supported units for this parameter are d/h/m. Example `10d`. Default value is `90d` i.e., 90 days.
       - name: ssl
         type: yaml
         title: SSL Configuration
@@ -77,5 +78,5 @@ streams:
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 
     template_path: cel.yml.hbs
-    title: AbuseCH Malware payloads using Elastic Agent
-    description: Collect AbuseCH Malware payloads using Elastic Agent
+    title: Malware payloads
+    description: Collect malware payloads from abuse.ch URLhaus.
@@ -1,13 +1,14 @@
 type: logs
-title: AbuseCH MalwareBazaar payloads
+title: MalwareBazaar payloads
 ilm_policy: logs-ti_abusech.malwarebazaar-default_policy
 streams:
   - input: cel
     enabled: true
     vars:
       - name: url
         type: text
-        title: AbuseCH MalwareBazaar API endpoint
+        title: URL
+        description: Base URL of the abuse.ch MalwareBazaar API to collect malware payloads.
         multi: false
         required: true
         show_user: false
@@ -30,7 +31,7 @@ streams:
       - name: interval
         type: text
         title: Interval
-        description: Interval at which the payloads from MalwareBazaar will be pulled. Supported units for this parameter are h/m/s.
+        description: Duration between requests to the MalwareBazaar API. Supported units for this parameter are h/m/s. Example `24h`.
         multi: false
         required: true
         show_user: true
@@ -43,7 +44,7 @@ streams:
         show_user: true
         default: "90d"
         description: >-
-          Indicator is expired after this duration since its last seen timestamp. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g 10d). Default `90d`.
+          Indicator is expired after this duration since its last seen timestamp. Supported units for this parameter are d/h/m. Example `10d`. Default value is `90d` i.e., 90 days.
       - name: ssl
         type: yaml
         title: SSL Configuration
@@ -78,5 +79,5 @@ streams:
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 
     template_path: cel.yml.hbs
-    title: AbuseCH MalwareBazaar payloads using Elastic Agent
-    description: Collect AbuseCH MalwareBazaar payloads using Elastic Agent
+    title: MalwareBazaar payloads
+    description: Collect malware payloads from abuse.ch MalwareBazaar.
@@ -1,14 +1,14 @@
 type: logs
-title: AbuseCH SSL Blacklist logs
+title: SSL Blacklisted Certificates
 ilm_policy: logs-ti_abusech.sslblacklist-default_policy
 streams:
   - input: cel
     enabled: true
     vars:
       - name: url
         type: text
-        title: AbuseCH SSL Blacklist API
-        description: Active SSL Blacklist API fetches malicious SSL certificates identified by SSLBL.
+        title: URL
+        description: Base URL of the abuse.ch SSLBL API to collect malicious SSL blacklisted certificates identified by SSLBL.
         multi: false
         required: true
         show_user: false
@@ -35,7 +35,7 @@ streams:
         required: true
         show_user: true
         default: 1h
-        description: Interval for polling threat indicators from AbuseCH data dump. As data dump is generated every 5 minutes, it should be greater than 5 minutes. Default `1h`.
+        description: Duration between requests to the SSLBL API. Supported units for this parameter are h/m/s. Example `24h`. As data dump is generated every 5 minutes, it should be greater than 5 minutes.
       - name: ssl
         type: yaml
         title: SSL Configuration
@@ -70,5 +70,5 @@ streams:
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 
     template_path: cel.yml.hbs
-    title: AbuseCH SSL Blacklist logs using Elastic Agent
-    description: Collect AbuseCH SSL Blacklist logs using Elastic Agent
+    title: SSL Blacklisted Certificates
+    description: Collect malicious SSL blacklisted certificates from abuse.ch SSLBL.
@@ -1,13 +1,14 @@
 type: logs
-title: AbuseCH Threat Fox indicators
+title: ThreatFox threat indicators
 ilm_policy: logs-ti_abusech.threatfox-default_policy
 streams:
   - input: cel
     enabled: true
     vars:
       - name: url
         type: text
-        title: AbuseCH Threat Fox API endpoint
+        title: URL
+        description: Base URL of the abuse.ch ThreatFox API to collect threat indicators.
         multi: false
         required: true
         show_user: false
@@ -30,7 +31,7 @@ streams:
       - name: interval
         type: text
         title: Interval
-        description: Interval for polling indicators from AbuseCH Threat Fox API. Supported units for this parameter are h/m/s.
+        description: Duration between requests to the ThreatFox API. Supported units for this parameter are h/m/s. Example `24h`.
         multi: false
         required: true
         show_user: true
@@ -42,7 +43,7 @@ streams:
         required: true
         show_user: true
         default: 7
-        description: How far back to look for indicators the first time the agent is started. Defaults to 7 days, can be any number between 1-7.
+        description: How far back to pull the threat indicators from ThreatFox in days. Can be any number between `1` to `7`. Example `5`. Default value is `7` i.e., 7 days.
       - name: ioc_expiration_duration
         type: text
         title: IOC Expiration Duration
@@ -51,7 +52,7 @@ streams:
         show_user: true
         default: "90d"
         description: >-
-          Indicator is expired after this duration since its last seen timestamp. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g 10d). Default `90d`.
+          Indicator is expired after this duration since its last seen timestamp. Supported units for this parameter are d/h/m. Example `10d`. Default value is `90d` i.e., 90 days.
       - name: ssl
         type: yaml
         title: SSL Configuration
@@ -86,5 +87,5 @@ streams:
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 
     template_path: cel.yml.hbs
-    title: AbuseCH Threat Fox indicators using Elastic Agent
-    description: Collect AbuseCH Threat Fox indicators using Elastic Agent
+    title: ThreatFox threat indicators
+    description: Collect threat indicators from abuse.ch ThreatFox.
@@ -1,14 +1,14 @@
 type: logs
-title: AbuseCH URL logs
+title: Malware URLs
 ilm_policy: logs-ti_abusech.url-default_policy
 streams:
   - input: cel
     enabled: true
     vars:
       - name: url
         type: text
-        title: AbuseCH Active URL API
-        description: Active URL API fetches URLs that are either actively distributing malware or that have been added to URLhaus within the past 90 days.
+        title: URL
+        description: Base URL of the abuse.ch URLhaus API to collect actively distributing malware URLs.
         multi: false
         required: true
         show_user: false
@@ -35,7 +35,7 @@ streams:
         required: true
         show_user: true
         default: 1h
-        description: Interval for polling indicators from AbuseCH data dump. As data dump is generated every 5 minutes, it should be greater than 5 minutes. Default `1h`.
+        description: Duration between requests to the URLhaus API. Supported units for this parameter are h/m/s. Example `24h`. As data dump is generated every 5 minutes, it should be greater than 5 minutes.
       - name: ssl
         type: yaml
         title: SSL Configuration
@@ -70,5 +70,5 @@ streams:
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 
     template_path: cel.yml.hbs
-    title: AbuseCH URL logs using Elastic Agent
-    description: Collect AbuseCH URL logs using Elastic Agent
+    title: Malware URLs
+    description: Collect malware URLs from abuse.ch URLhaus.