From 97254997f7188fe47a3ea9f48405a2ea011a969e Mon Sep 17 00:00:00 2001
From: Greg Shepherd
Date: Fri, 3 Jan 2025 18:46:57 -0500
Subject: [PATCH] ti_threatconnect: add query to dashboard to avoid duplicates (#12106)
Updated the base query to only use the latest index so indicators are not counted twice for all the panels in the dashboard. Updated one visualization label to show its unique indicators being counted.
---
 packages/ti_threatconnect/changelog.yml | 5 +++++
 ...i_threatconnect-2d465f90-973d-11ee-839e-ef65b7014120.json | 4 ++--
 packages/ti_threatconnect/manifest.yml | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/packages/ti_threatconnect/changelog.yml b/packages/ti_threatconnect/changelog.yml
index 3ab3a223fb0..e42410b67c7 100644
--- a/packages/ti_threatconnect/changelog.yml
+++ b/packages/ti_threatconnect/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.7.0"
+ changes:
+ - description: Add in filter for dashboard to only show latest indicators.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12106
 - version: "1.6.0"
 changes:
 - description: Add "preserve_original_event" tag to documents with `event.kind` manually set to "pipeline_error".
diff --git a/packages/ti_threatconnect/kibana/dashboard/ti_threatconnect-2d465f90-973d-11ee-839e-ef65b7014120.json b/packages/ti_threatconnect/kibana/dashboard/ti_threatconnect-2d465f90-973d-11ee-839e-ef65b7014120.json
index 8e53b1343b6..fd802625bbd 100644
--- a/packages/ti_threatconnect/kibana/dashboard/ti_threatconnect-2d465f90-973d-11ee-839e-ef65b7014120.json
+++ b/packages/ti_threatconnect/kibana/dashboard/ti_threatconnect-2d465f90-973d-11ee-839e-ef65b7014120.json
@@ -61,7 +61,7 @@
 ],
 "query": {
 "language": "kuery",
- "query": ""
+ "query": "_index : logs-ti_threatconnect_latest.indicator"
 }
 }
 },
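Review bot: The new KQL filter `_index : logs-ti_threatconnect_latest.indicator` is attached to what looks like a single panel's `query` object (a nested `"language"`/`"query"` pair under the panel state, not the dashboard-level `searchSourceJSON` string), so if that reading is right only this one panel is deduplicated while the commit message says all panels are. It would be worth confirming that either every panel carries the same query or the filter lives at the dashboard level, since a partially applied filter leaves some counts double-counting raw and `_latest` documents. The filter also hard-codes the transform destination name; a later rename of the `_latest` alias would make this panel silently show nothing, so a short note in the package README or changelog pointing at the coupling would help maintainers. The enclosing JSON object starts before and ends after this hunk.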
@@ -136,7 +136,7 @@
 "customLabel": true,
 "dataType": "number",
 "isBucketed": false,
- "label": "Total Indicators",
+ "label": "Total Unique Indicators",
 "operationType": "count",
 "params": {
 "emptyAsNull": false
diff --git a/packages/ti_threatconnect/manifest.yml b/packages/ti_threatconnect/manifest.yml
index b65d47baf54..49999ae737a 100644
--- a/packages/ti_threatconnect/manifest.yml
+++ b/packages/ti_threatconnect/manifest.yml
@@ -2,7 +2,7 @@
 format_version: 3.0.3
 name: ti_threatconnect
 title: ThreatConnect
-version: "1.6.0"
+version: "1.7.0"
 description: Collects Indicators from ThreatConnect using the Elastic Agent and saves them as logs inside Elastic
 type: integration
 categories:
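Review bot: The relabelled metric still uses `"operationType": "count"`, which counts documents, so "Total Unique Indicators" is only true while this panel's data source is restricted to the `_latest` index that holds one document per indicator; the panel's own query is outside this hunk, so I cannot confirm that from here. If that restriction is not guaranteed for this panel, switching the operation to a distinct count of the indicator value field (`"operationType": "unique_count"` with the appropriate `sourceField`) would make the label accurate regardless of which indices the panel reads. Otherwise the label should be treated as depending on the index filter, which is worth stating in the package README. The enclosing column definition starts before and ends after this hunk.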