From f1076e102f2e417489ce27dafcb2960fc25867ee Mon Sep 17 00:00:00 2001 From: Krishna Chaitanya Reddy Burri Date: Fri, 1 Nov 2024 12:41:45 +0530 Subject: [PATCH] ti_crowdstrike: Set transforms unattended setting to true. (#11605) Set `intel` and `ioc` latest transforms' `unattended` setting to `true`. This allows the transforms to retry indefinitely and recover from a failed state. --- packages/ti_crowdstrike/_dev/build/docs/README.md | 8 +++++++- packages/ti_crowdstrike/changelog.yml | 8 ++++++++ packages/ti_crowdstrike/docs/README.md | 8 +++++++- .../elasticsearch/transform/latest_intel/transform.yml | 6 ++++-- .../elasticsearch/transform/latest_ioc/transform.yml | 6 ++++-- packages/ti_crowdstrike/manifest.yml | 2 +- 6 files changed, 31 insertions(+), 7 deletions(-) diff --git a/packages/ti_crowdstrike/_dev/build/docs/README.md b/packages/ti_crowdstrike/_dev/build/docs/README.md index a173ce7188f..2b91fd9585c 100644 --- a/packages/ti_crowdstrike/_dev/build/docs/README.md +++ b/packages/ti_crowdstrike/_dev/build/docs/README.md @@ -35,6 +35,9 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). +### Permissions +This integration includes assets such as latest transform which requires users installing the integration to have `kibana_system` built-in role. Follow the [documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html) for information on `kibana_system` built-in role. + This module has been tested against the **CrowdStrike Falcon Intelligence API Version v1**. ## Setup 
@@ -70,7 +73,10 @@ User should either have `admin` role or `Detection Exception Manager` role to ac The ingested IOCs expire after a certain duration. A separate [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created for Intel and IOC datasets to facilitate only active Indicators and IOCs, respectively, being available to the end users. Since we want to retain only valuable information and avoid duplicated data, the CrowdStrike Falcon Intelligence Elastic integration forces the intel indicators to rotate into a custom index called: `logs-ti_crowdstrike_latest.dest_intel` and forces the IOC logs to rotate into a custom index called: `logs-ti_crowdstrike_latest.dest_ioc`. **Please, refer to this index in order to set alerts and so on.** -#### Handling Orphaned IOCs +### Transform Permissions +The latest transforms for both Intel and IOC datasets require users to have `kibana_system` role as noted in [permissions](https://www.elastic.co/docs/current/integrations/ti_crowdstrike#permissions). + +### Handling Orphaned IOCs IOC expiration is set default to false in CrowdStrike console but user can set the expiration duration in using the admin console. Some CrowdStrike IOCs may never expire and will continue to stay in the latest destination index. To avoid any false positives from such orphaned IOCs, users are allowed to configure `IOC Expiration Duration` parameter for both the dataset Intel and IOC, respectively, while setting up the integration. This parameter deletes all data inside the destination index `logs-ti_crowdstrike_latest.intel` and `logs-ti_crowdstrike_latest.ioc` after this specified duration is reached. Users must pull entire feed instead of incremental feed when this expiration happens so that the IOCs get reset. diff --git a/packages/ti_crowdstrike/changelog.yml b/packages/ti_crowdstrike/changelog.yml index edab1efeb6b..124089e4e01 100644 --- a/packages/ti_crowdstrike/changelog.yml 
+++ b/packages/ti_crowdstrike/changelog.yml @@ -1,4 +1,12 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Set transform unattended to true for indefinite retries. + type: enhancement + link: https://github.com/elastic/integrations/pull/11605 + - description: Update documentation with required permissions for running transforms. + type: enhancement + link: https://github.com/elastic/integrations/pull/11605 - version: "1.1.7" changes: - description: Fix labels.is_ioc_transform_source values diff --git a/packages/ti_crowdstrike/docs/README.md b/packages/ti_crowdstrike/docs/README.md index 59efee47ef9..0ef3e3cc721 100644 --- a/packages/ti_crowdstrike/docs/README.md +++ b/packages/ti_crowdstrike/docs/README.md @@ -35,6 +35,9 @@ You can run Elastic Agent inside a container, either with Fleet Server or standa There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). +### Permissions +This integration includes assets such as latest transform which requires users installing the integration to have `kibana_system` built-in role. Follow the [documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html) for information on `kibana_system` built-in role. + This module has been tested against the **CrowdStrike Falcon Intelligence API Version v1**. ## Setup 
@@ -70,7 +73,10 @@ User should either have `admin` role or `Detection Exception Manager` role to ac The ingested IOCs expire after a certain duration. A separate [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created for Intel and IOC datasets to facilitate only active Indicators and IOCs, respectively, being available to the end users. Since we want to retain only valuable information and avoid duplicated data, the CrowdStrike Falcon Intelligence Elastic integration forces the intel indicators to rotate into a custom index called: `logs-ti_crowdstrike_latest.dest_intel` and forces the IOC logs to rotate into a custom index called: `logs-ti_crowdstrike_latest.dest_ioc`. **Please, refer to this index in order to set alerts and so on.** -#### Handling Orphaned IOCs +### Transform Permissions +The latest transforms for both Intel and IOC datasets require users to have `kibana_system` role as noted in [permissions](https://www.elastic.co/docs/current/integrations/ti_crowdstrike#permissions). + +### Handling Orphaned IOCs IOC expiration is set default to false in CrowdStrike console but user can set the expiration duration in using the admin console. Some CrowdStrike IOCs may never expire and will continue to stay in the latest destination index. To avoid any false positives from such orphaned IOCs, users are allowed to configure `IOC Expiration Duration` parameter for both the dataset Intel and IOC, respectively, while setting up the integration. This parameter deletes all data inside the destination index `logs-ti_crowdstrike_latest.intel` and `logs-ti_crowdstrike_latest.ioc` after this specified duration is reached. Users must pull entire feed instead of incremental feed when this expiration happens so that the IOCs get reset. 
diff --git a/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/transform.yml b/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/transform.yml
index f37cd1a4bc1..d58e5ce991d 100644
--- a/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/transform.yml
+++ b/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/transform.yml
@@ -9,7 +9,7 @@ source:
   # us that ability in order to prevent having duplicate IoC data and prevent query
   # time field type conflicts.
 dest:
-  index: "logs-ti_crowdstrike_latest.dest_intel-3"
+  index: "logs-ti_crowdstrike_latest.dest_intel-4"
   aliases:
     - alias: "logs-ti_crowdstrike_latest.intel"
       move_on_creation: true
@@ -21,6 +21,8 @@ latest:
   sort: '@timestamp'
 description: Latest Intel Indicator data retrieved from CrowdStrike Intel API.
 frequency: 30s
+settings:
+  unattended: true
 sync:
   time:
     field: event.ingested
@@ -33,4 +35,4 @@ _meta:
   managed: true
   # Bump this version to delete, reinstall, and restart the transform during package.
   # Version bump is needed if there is any code change in transform.
-  fleet_transform_version: 0.3.0
+  fleet_transform_version: 0.4.0
diff --git a/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/transform.yml b/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/transform.yml
index 08fbf413da9..79c858a6720 100644
--- a/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/transform.yml
+++ b/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/transform.yml
@@ -9,7 +9,7 @@ source:
   # us that ability in order to prevent having duplicate IoC data and prevent query
   # time field type conflicts.
 dest:
-  index: "logs-ti_crowdstrike_latest.dest_ioc-3"
+  index: "logs-ti_crowdstrike_latest.dest_ioc-4"
   aliases:
     - alias: "logs-ti_crowdstrike_latest.ioc"
       move_on_creation: true
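Review bot: `settings.unattended: true` in the second hunk means this transform will never enter the `failed` state, so a persistent error — a mapping conflict on the source, a rejected write to the new `dest_intel-4` index, or revoked privileges for the user whose stored credentials the transform runs under (presumably the installing user) — now surfaces only as an endless retry loop while the `logs-ti_crowdstrike_latest.intel` alias silently stops receiving fresh indicators, and nothing in the hunk or the package docs points operators at a replacement signal. Any threat-match rule keyed on that alias would keep running against stale intel without a failed-transform alert ever firing. Please add a comment next to the setting, e.g. `# unattended: retries forever instead of failing; monitor health status and checkpoint age (GET _transform/<id>/_stats) rather than waiting for a 'failed' state.`, and note in the README that the Kibana transform health rule should cover this transform. The `settings` mapping is complete within the hunk; the rest of the file (sync, retention policy) lies outside it.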
@@ -21,6 +21,8 @@ latest:
   sort: '@timestamp'
 description: Latest IOC Indicator data retrieved from CrowdStrike IOC API.
 frequency: 30s
+settings:
+  unattended: true
 sync:
   time:
     field: event.ingested
@@ -33,4 +35,4 @@ _meta:
   managed: true
   # Bump this version to delete, reinstall, and restart the transform during package.
   # Version bump is needed if there is any code change in transform.
-  fleet_transform_version: 0.3.0
+  fleet_transform_version: 0.4.0
diff --git a/packages/ti_crowdstrike/manifest.yml b/packages/ti_crowdstrike/manifest.yml
index 32a7e159221..740c91f50b6 100644
--- a/packages/ti_crowdstrike/manifest.yml
+++ b/packages/ti_crowdstrike/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_crowdstrike
 title: CrowdStrike Falcon Intelligence
-version: "1.1.7"
+version: "1.2.0"
 description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent.
 type: integration
 categories:
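Review bot: The `unattended: true` added to the IOC transform turns any permanent failure into silent staleness of `logs-ti_crowdstrike_latest.ioc` rather than a visible `failed` state, which matters because this package tells users to point their alerts at that alias and to rely on it holding only active IOCs; an indicator withdrawn upstream may keep matching for as long as the transform is stuck retrying. With `frequency: 30s` and no retry limit the stuck transform presumably also re-issues the same failing search every cycle indefinitely, so the condition should at least be observable. Suggest a comment on the setting, `# unattended: never fails - alert on transform health/checkpoint age, not on state`, plus a README sentence recommending the transform health rule for this transform. The file continues past the hunk (sync and retention settings are not shown here).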