elastic · jbudz · Dec 12, 2025 · Dec 5, 2025 · Dec 11, 2025 · Dec 11, 2025
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -2309,7 +2309,13 @@ x-pack/platform/plugins/private/cloud_integrations/cloud_full_story/server/confi
 # Connector Specs
 src/platform/packages/shared/kbn-connector-specs/src/all_specs.ts @kibanamachine
 src/platform/packages/shared/kbn-connector-specs/src/connector_icons_map.ts @kibanamachine
-src/platform/packages/shared/kbn-connector-specs/src/specs/** @elastic/workflows-eng
+src/platform/packages/shared/kbn-connector-specs/src/specs/abuseipdb/** @elastic/workflows-eng
+src/platform/packages/shared/kbn-connector-specs/src/specs/alienvault_otx/** @elastic/workflows-eng
+src/platform/packages/shared/kbn-connector-specs/src/specs/greynoise/** @elastic/workflows-eng
+src/platform/packages/shared/kbn-connector-specs/src/specs/notion/** @elastic/workchat-eng
+src/platform/packages/shared/kbn-connector-specs/src/specs/shodan/** @elastic/workflows-eng
+src/platform/packages/shared/kbn-connector-specs/src/specs/urlvoid/** @elastic/workflows-eng
+src/platform/packages/shared/kbn-connector-specs/src/specs/virustotal/** @elastic/workflows-eng
 
 # Gap fill feature has shared responsibility between response-ops and security-detection-engine
 /x-pack/platform/plugins/shared/alerting/common/routes/gaps @elastic/response-ops @elastic/security-detection-engine

@@ -1,4 +1,3 @@
-* [Observability AI Assistant](/reference/connectors-kibana/obs-ai-assistant-action-type.md): Send alerts to the AI Assistant.
 * [{{xsoar}}](/reference/connectors-kibana/xsoar-action-type.md): Create an incident in Cortex {{xsoar}}.
 * [CrowdStrike](/reference/connectors-kibana/crowdstrike-action-type.md): Send a request to CrowdStrike.
 * [D3 Security](/reference/connectors-kibana/d3security-action-type.md): Send a request to D3 Security.
@@ -21,4 +20,4 @@
 * [Torq](/reference/connectors-kibana/torq-action-type.md): Trigger a Torq workflow.
 * [{{webhook}}](/reference/connectors-kibana/webhook-action-type.md): Send a request to a web service.
 * [{{webhook-cm}}](/reference/connectors-kibana/cases-webhook-action-type.md): Send a request to a Case Management web service.
-* [xMatters](/reference/connectors-kibana/xmatters-action-type.md): Send actionable alerts to on-call xMatters resources.
+* [xMatters](/reference/connectors-kibana/xmatters-action-type.md): Send actionable alerts to on-call xMatters resources.
@@ -0,0 +1,10 @@
+**Third-party search**
+* [Notion](/reference/connectors-kibana/notion-action-type.md): Explore content and databases in Notion.
+
+**Threat intelligence**
+* [AbuseIPDB](/reference/connectors-kibana/abuseipdb-action-type.md): Check IP reputation and report abusive IPs.
+* [AlienVault OTX](/reference/connectors-kibana/alienvault-otx-action-type.md): Retrieve community-driven threat intelligence.
+* [GreyNoise](/reference/connectors-kibana/greynoise-action-type.md): Detect and classify Internet scanning noise.
+* [Shodan](/reference/connectors-kibana/shodan-action-type.md): Perform Internet-wide asset discovery and vulnerability scanning.
+* [URLVoid](/reference/connectors-kibana/urlvoid-action-type.md): Check domain and URL reputation using multi-engine scanning.
+* [VirusTotal](/reference/connectors-kibana/virustotal-action-type.md): Perform file scanning, URL analysis, and threat intelligence lookups.
@@ -0,0 +1,63 @@
+---
+navigation_title: "AbuseIPDB"
+mapped_pages:
+  - https://www.elastic.co/guide/en/kibana/current/abuseipdb-action-type.html
+applies_to:
+  stack: preview
+  serverless: preview
+---
+
+# AbuseIPDB connector [abuseipdb-action-type]
+
+The AbuseIPDB connector communicates with the AbuseIPDB API to check IP reputation and report abusive IPs.
+
+## Create connectors in {{kib}} [define-abuseipdb-ui]
+
+You can create connectors in **{{stack-manage-app}} > {{connectors-ui}}**. For example:
+
+### Connector configuration [abuseipdb-connector-configuration]
+
+AbuseIPDB connectors have the following configuration properties:
+
+API Key
+:   The AbuseIPDB API key for authentication.
+
+## Test connectors [abuseipdb-action-configuration]
+
+You can test connectors as you're creating or editing the connector in {{kib}}.
+
+The AbuseIPDB connector has the following actions:
+
+Check IP
+:   Get details about an IP address including abuse confidence score, usage type, ISP, and country code.  
+    - **IP Address** (required): The IPv4 address to check.  
+    - **Max Age in Days** (optional): Maximum age of reports in days (1-365, default 90).
+
+Report IP
+:   Report an abusive IP address to AbuseIPDB.  
+    - **IP** (required): The IPv4 address to report.  
+    - **Categories** (required): Array of abuse category IDs.  
+    - **Comment** (optional): Additional details about the abuse.  
+
+Get IP Info
+:   Get detailed information about an IP address including geolocation and domain.  
+    - **IP Address** (required): The IPv4 address to lookup.  
+
+Bulk Check
+:   Check multiple IPs in a network range using CIDR notation.  
+    - **Network** (required): Network in CIDR notation.  
+    - **Max Age in Days** (optional): Maximum age of reports in days (1-365, default 30).  
+
+## Connector networking configuration [abuseipdb-connector-networking-configuration]
+
+Use the [Action configuration settings](/reference/configuration-reference/alerting-settings.md#action-settings) to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.
+
+## Get API credentials [abuseipdb-api-credentials]
+
+To use the AbuseIPDB connector, you need an API key:
+
+1. Go to [AbuseIPDB](https://www.abuseipdb.com/).
+2. Sign up for an account or log in.
+3. Navigate to your [API page](https://www.abuseipdb.com/api) in your account settings.
+4. Generate an API key with appropriate permissions.
+5. Copy the API key to configure the connector.
@@ -0,0 +1,64 @@
+---
+navigation_title: "AlienVault OTX"
+mapped_pages:
+  - https://www.elastic.co/guide/en/kibana/current/alienvault-otx-action-type.html
+applies_to:
+  stack: preview
+  serverless: preview
+---
+
+# AlienVault OTX connector [alienvault-otx-action-type]
+
+The AlienVault OTX (Open Threat Exchange) connector communicates with the AlienVault OTX API to retrieve community-driven threat intelligence.
+
+## Create connectors in {{kib}} [define-alienvault-otx-ui]
+
+You can create connectors in **{{stack-manage-app}} > {{connectors-ui}}**. For example:
+
+### Connector configuration [alienvault-otx-connector-configuration]
+
+AlienVault OTX connectors have the following configuration properties:
+
+API Key
+:   The AlienVault OTX API key for authentication.
+
+## Test connectors [alienvault-otx-action-configuration]
+
+You can test connectors as you're creating or editing the connector in {{kib}}.
+
+The AlienVault OTX connector has the following actions:
+
+Get Indicator
+:   Retrieve information about a specific indicator (IP, domain, hash, URL).  
+    - **Indicator Type** (required): Type of indicator (IPv4, IPv6, domain, hostname, url, FileHash-MD5, FileHash-SHA1, FileHash-SHA256).  
+    - **Indicator** (required): The indicator value to look up.  
+    - **Section** (optional): Specific section to retrieve.
+
+Search Pulses
+:   Search for threat pulses (threat intelligence reports).  
+    - **Query** (optional): Search query string.  
+    - **Page** (optional): Page number (default 1).  
+    - **Limit** (optional): Results per page (1-100, default 20).
+
+Get Pulse
+:   Retrieve detailed information about a specific pulse by ID.  
+    - **Pulse ID** (required): The pulse identifier.  
+
+Get Related Pulses
+:   Find pulses related to a specific indicator.  
+    - **Indicator Type** (required): Type of indicator (IPv4, IPv6, domain, hostname, url, FileHash-MD5, FileHash-SHA1, FileHash-SHA256).  
+    - **Indicator** (required): The indicator value.  
+
+## Connector networking configuration [alienvault-otx-connector-networking-configuration]
+
+Use the [Action configuration settings](/reference/configuration-reference/alerting-settings.md#action-settings) to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.
+
+## Get API credentials [alienvault-otx-api-credentials]
+
+To use the AlienVault OTX connector, you need an API key:
+
+1. Go to [AlienVault OTX](https://otx.alienvault.com/).
+2. Sign up for an account or log in.
+3. Navigate to your account settings.
+4. Find your OTX API Key in the API Integration section.
+5. Copy the API key to configure the connector.
@@ -0,0 +1,11 @@
+---
+navigation_title: Data and context sources
+---
+# Data and context sources connectors
+
+Use these connectors to retrieve additional data from third-party tools for your {{elastic-sec}} and agentic workflows.
+
+## Available connectors
+
+:::{include} _snippets/data-context-sources-connectors-list.md
+:::
@@ -0,0 +1,59 @@
+---
+navigation_title: "GreyNoise"
+mapped_pages:
+  - https://www.elastic.co/guide/en/kibana/current/greynoise-action-type.html
+applies_to:
+  stack: preview
+  serverless: preview
+---
+
+# GreyNoise connector [greynoise-action-type]
+
+The GreyNoise connector communicates with the GreyNoise API to detect and classify Internet scanning noise.
+
+## Create connectors in {{kib}} [define-greynoise-ui]
+
+You can create connectors in **{{stack-manage-app}} > {{connectors-ui}}**. For example:
+
+### Connector configuration [greynoise-connector-configuration]
+
+GreyNoise connectors have the following configuration properties:
+
+API Key
+:   The GreyNoise API key for authentication.
+
+## Test connectors [greynoise-action-configuration]
+
+You can test connectors as you're creating or editing the connector in {{kib}}.
+
+The GreyNoise connector has the following actions:
+
+Get IP Context
+:   Get detailed context and classification information about an IP address.  
+    - **IP** (required): The IPv4 address to look up.  
+
+Quick Lookup
+:   Quickly check if an IP is classified as noise.  
+    - **IP** (required): The IPv4 address to check.  
+
+Get Metadata
+:   Retrieve metadata about an IP address including geolocation and ASN.  
+    - **IP** (required): The IPv4 address.  
+
+RIOT Lookup
+:   Check if an IP belongs to a known benign service (Rule It Out).  
+    - **IP** (required): The IPv4 address.  
+
+## Connector networking configuration [greynoise-connector-networking-configuration]
+
+Use the [Action configuration settings](/reference/configuration-reference/alerting-settings.md#action-settings) to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.
+
+## Get API credentials [greynoise-api-credentials]
+
+To use the GreyNoise connector, you need an API key:
+
+1. Go to [GreyNoise](https://www.greynoise.io/).
+2. Sign up for an account or log in.
+3. Navigate to your [Account Settings](https://viz.greynoise.io/account).
+4. Find your API Key in the API section.
+5. Copy the API key to configure the connector.
@@ -0,0 +1,70 @@
+---
+navigation_title: "Notion"
+mapped_pages:
+  - https://www.elastic.co/guide/en/kibana/current/notion-action-type.html
+applies_to:
+  stack: preview
+  serverless: preview
+---
+
+# Notion connector [notion-action-type]
+
+The Notion connector communicates with the Notion API to explore content and databases in your Notion workspace.
+
+## Create connectors in {{kib}} [define-notion-ui]
+
+You can create connectors in **{{stack-manage-app}} > {{connectors-ui}}**. For example:
+
+### Connector configuration [notion-connector-configuration]
+
+Notion connectors have the following configuration properties:
+
+API Token
+:   The Notion API token (bearer token) for authentication.
+
+## Test connectors [notion-action-configuration]
+
+You can test connectors as you're creating or editing the connector in {{kib}}.
+
+The Notion connector has the following actions:
+
+Search Page or Data Source by Title
+:   Search for pages or databases by title.
+    - **Query** (required): The search query string.
+    - **Query Object Type** (required): Type of object to search for (`page` or `data_source`).
+    - **Start Cursor** (optional): Cursor for pagination.
+    - **Page Size** (optional): Number of results per page.
+
+Get Page
+:   Retrieve a page by its ID.
+    - **Page ID** (required): The unique identifier of the page.
+
+Get Data Source
+:   Retrieve a database by its ID.
+    - **Data Source ID** (required): The unique identifier of the database.
+
+Query Data Source
+:   Query a database with optional filters.
+    - **Data Source ID** (required): The unique identifier of the database to query.
+    - **Filter** (optional): JSON string representing the filter object.
+    - **Start Cursor** (optional): Cursor for pagination.
+    - **Page Size** (optional): Number of results per page.
+
+## Connector networking configuration [notion-connector-networking-configuration]
+
+Use the [Action configuration settings](/reference/configuration-reference/alerting-settings.md#action-settings) to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.
+
+## Get API credentials [notion-api-credentials]
+
+To use the Notion connector, you need to create an internal integration:
+
+1. Go to [Notion](https://www.notion.so/).
+2. Navigate to [My integrations](https://www.notion.so/my-integrations).
+3. Click **+ New integration**.
+4. Configure your integration:
+   - Set a name for your integration.
+   - Select the workspace where you want to use the integration.
+   - Configure the capabilities (content, comment, and user capabilities as needed).
+5. Click **Submit** to create the integration.
+6. Copy the **Internal Integration Token** (this is your bearer token).
+7. Share the pages and databases you want to access with your integration by clicking **Share** on the page or database and inviting your integration.
@@ -0,0 +1,62 @@
+---
+navigation_title: "Shodan"
+mapped_pages:
+  - https://www.elastic.co/guide/en/kibana/current/shodan-action-type.html
+applies_to:
+  stack: preview
+  serverless: preview
+---
+
+# Shodan connector [shodan-action-type]
+
+The Shodan connector communicates with the Shodan API for Internet-wide asset discovery and vulnerability scanning.
+
+## Create connectors in {{kib}} [define-shodan-ui]
+
+You can create connectors in **{{stack-manage-app}} > {{connectors-ui}}**. For example:
+
+### Connector configuration [shodan-connector-configuration]
+
+Shodan connectors have the following configuration properties:
+
+API Key
+:   The Shodan API key for authentication.
+
+## Test connectors [shodan-action-configuration]
+
+You can test connectors as you're creating or editing the connector in {{kib}}.
+
+The Shodan connector has the following actions:
+
+Search Hosts
+:   Search for hosts and services using Shodan's search engine.  
+    - **Query** (required): Search query string.  
+    - **Page** (optional): Page number (default 1).
+
+Get Host Info
+:   Retrieve detailed information about a specific IP address.  
+    - **IP** (required): The IPv4 address to look up.  
+
+Count Results
+:   Get the count of results for a search query without retrieving the actual results.  
+    - **Query** (required): Search query string.  
+    - **Facets** (optional): Facets to include in the results.  
+
+Get Services
+:   Retrieve the list of services that Shodan crawls.
+
+## Connector networking configuration [shodan-connector-networking-configuration]
+
+Use the [Action configuration settings](/reference/configuration-reference/alerting-settings.md#action-settings) to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.
+
+## Get API credentials [shodan-api-credentials]
+
+To use the Shodan connector, you need an API key:
+
+1. Go to [Shodan](https://www.shodan.io/).
+2. Sign up for an account or log in.
+3. Navigate to your [Account page](https://account.shodan.io/).
+4. Find your API Key in the account overview.
+5. Copy the API key to configure the connector.
+
+Note: Some features require a paid Shodan membership for full access.