elastic · kcreddy · Oct 31, 2024 · Oct 31, 2024 · Oct 31, 2024 · efd6
@@ -35,6 +35,9 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa
 
 There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
 
+### Permissions
+This integration includes assets such as latest transform which requires users installing the integration to have `kibana_system` role.
+
 This module has been tested against the **CrowdStrike Falcon Intelligence API Version v1**.
 
 ## Setup
@@ -70,7 +73,10 @@ User should either have `admin` role or `Detection Exception Manager` role to ac
 The ingested IOCs expire after a certain duration. A separate [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created for Intel and IOC datasets to facilitate only active Indicators and IOCs, respectively, being available to the end users. Since we want to retain only valuable information and avoid duplicated data, the CrowdStrike Falcon Intelligence Elastic integration forces the intel indicators to rotate into a custom index called: `logs-ti_crowdstrike_latest.dest_intel` and forces the IOC logs to rotate into a custom index called: `logs-ti_crowdstrike_latest.dest_ioc`.
 **Please, refer to this index in order to set alerts and so on.**
 
-#### Handling Orphaned IOCs
+### Transform Permissions
+The latest transforms for both Intel and IOC datasets require users to have `kibana_system` role as noted in [permissions](https://www.elastic.co/docs/current/integrations/ti_crowdstrike#permissions).
+
+### Handling Orphaned IOCs
 
 IOC expiration is set default to false in CrowdStrike console but user can set the expiration duration in using the admin console. Some CrowdStrike IOCs may never expire and will continue to stay in the latest destination index. To avoid any false positives from such orphaned IOCs, users are allowed to configure `IOC Expiration Duration` parameter for both the dataset Intel and IOC, respectively, while setting up the integration. This parameter deletes all data inside the destination index `logs-ti_crowdstrike_latest.intel` and `logs-ti_crowdstrike_latest.ioc` after this specified duration is reached. Users must pull entire feed instead of incremental feed when this expiration happens so that the IOCs get reset.
 

@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "1.2.0"
+  changes:
+    - description: Set transform unattended to true for indefinite retries.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11605
+    - description: Update documentation with required permissions for running transforms.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11605
 - version: "1.1.7"
   changes:
     - description: Fix labels.is_ioc_transform_source values

@@ -35,6 +35,9 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa
 
 There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
 
+### Permissions
+This integration includes assets such as latest transform which requires users installing the integration to have `kibana_system` role.
+
 This module has been tested against the **CrowdStrike Falcon Intelligence API Version v1**.
 
 ## Setup
@@ -70,7 +73,10 @@ User should either have `admin` role or `Detection Exception Manager` role to ac
 The ingested IOCs expire after a certain duration. A separate [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created for Intel and IOC datasets to facilitate only active Indicators and IOCs, respectively, being available to the end users. Since we want to retain only valuable information and avoid duplicated data, the CrowdStrike Falcon Intelligence Elastic integration forces the intel indicators to rotate into a custom index called: `logs-ti_crowdstrike_latest.dest_intel` and forces the IOC logs to rotate into a custom index called: `logs-ti_crowdstrike_latest.dest_ioc`.
 **Please, refer to this index in order to set alerts and so on.**
 
-#### Handling Orphaned IOCs
+### Transform Permissions
+The latest transforms for both Intel and IOC datasets require users to have `kibana_system` role as noted in [permissions](https://www.elastic.co/docs/current/integrations/ti_crowdstrike#permissions).
+
+### Handling Orphaned IOCs
 
 IOC expiration is set default to false in CrowdStrike console but user can set the expiration duration in using the admin console. Some CrowdStrike IOCs may never expire and will continue to stay in the latest destination index. To avoid any false positives from such orphaned IOCs, users are allowed to configure `IOC Expiration Duration` parameter for both the dataset Intel and IOC, respectively, while setting up the integration. This parameter deletes all data inside the destination index `logs-ti_crowdstrike_latest.intel` and `logs-ti_crowdstrike_latest.ioc` after this specified duration is reached. Users must pull entire feed instead of incremental feed when this expiration happens so that the IOCs get reset.
 

@@ -9,7 +9,7 @@ source:
 # us that ability in order to prevent having duplicate IoC data and prevent query
 # time field type conflicts.
 dest:
-  index: "logs-ti_crowdstrike_latest.dest_intel-3"
+  index: "logs-ti_crowdstrike_latest.dest_intel-4"
   aliases:
     - alias: "logs-ti_crowdstrike_latest.intel"
       move_on_creation: true
@@ -21,6 +21,8 @@ latest:
   sort: '@timestamp'
 description: Latest Intel Indicator data retrieved from CrowdStrike Intel API.
 frequency: 30s
+settings:
+  unattended: true
 sync:
   time:
     field: event.ingested
@@ -33,4 +35,4 @@ _meta:
   managed: true
   # Bump this version to delete, reinstall, and restart the transform during package.
   # Version bump is needed if there is any code change in transform.
-  fleet_transform_version: 0.3.0
+  fleet_transform_version: 0.4.0
@@ -9,7 +9,7 @@ source:
 # us that ability in order to prevent having duplicate IoC data and prevent query
 # time field type conflicts.
 dest:
-  index: "logs-ti_crowdstrike_latest.dest_ioc-3"
+  index: "logs-ti_crowdstrike_latest.dest_ioc-4"
   aliases:
     - alias: "logs-ti_crowdstrike_latest.ioc"
       move_on_creation: true
@@ -21,6 +21,8 @@ latest:
   sort: '@timestamp'
 description: Latest IOC Indicator data retrieved from CrowdStrike IOC API.
 frequency: 30s
+settings:
+  unattended: true
 sync:
   time:
     field: event.ingested
@@ -33,4 +35,4 @@ _meta:
   managed: true
   # Bump this version to delete, reinstall, and restart the transform during package.
   # Version bump is needed if there is any code change in transform.
-  fleet_transform_version: 0.3.0
+  fleet_transform_version: 0.4.0
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_crowdstrike
 title: CrowdStrike Falcon Intelligence
-version: "1.1.7"
+version: "1.2.0"
 description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent.
 type: integration
 categories: