diff --git a/packages/ti_crowdstrike/_dev/build/docs/README.md b/packages/ti_crowdstrike/_dev/build/docs/README.md
index 72921a69a77..7027e31b390 100644
--- a/packages/ti_crowdstrike/_dev/build/docs/README.md
+++ b/packages/ti_crowdstrike/_dev/build/docs/README.md
@@ -2,6 +2,11 @@ CrowdStrike Falcon Intelligence is a threat intelligence product that provides advanced cybersecurity insights to organizations. Leveraging machine learning and behavioural analytics, Falcon Intelligence delivers real-time threat data, enabling proactive threat detection and response. With a focus on actionable intelligence, it empowers businesses to stay ahead of cyber adversaries and enhance their overall security posture. This [CrowdStrike Falcon Intelligence](https://www.crowdstrike.com/en-us/) integration enables you to consume and analyze CrowdStrike Falcon Intelligence data within Elastic Security, including Intel Indicator and IOCs, providing you with visibility and context for your cloud environments within Elastic Security. +## Agentless Enabled Integration + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + ## Data streams The CrowdStrike Falcon Intelligence integration collects two types of data: IOC and Intel Indicator.
diff --git a/packages/ti_crowdstrike/changelog.yml b/packages/ti_crowdstrike/changelog.yml
index ef3854ed3d1..f2ffdaddd5b 100644
--- a/packages/ti_crowdstrike/changelog.yml
+++ b/packages/ti_crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.6.0"
+  changes:
+    - description: Enable Agentless deployment.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15249
 - version: "2.5.0"
   changes:
     - description: Remove duplicated installation instructions from the documentation
diff --git a/packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml b/packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml
index 6e1575b3ba5..21b8b821793 100644
--- a/packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml
@@ -5,6 +5,17 @@ processors:
       field: ecs.version
       tag: set_ecs_version
       value: 8.11.0
+  - remove:
+      field:
+        - organization
+        - division
+        - team
+      ignore_missing: true
+      if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+      tag: remove_agentless_tags
+      description: >-
+        Removes the fields added by Agentless as metadata,
+        as they can collide with ECS fields.
   - set:
       field: event.kind
       tag: set_event_kind
@@ -29,6 +40,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: ctx.event?.original != null
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       tag: json_event_original
diff --git a/packages/ti_crowdstrike/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml b/packages/ti_crowdstrike/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml
index 23334c12547..bb2321b30a3 100644
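Review bot: The condition `if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String` on the new `remove_agentless_tags` processor only fires when all three metadata fields arrive as strings, so a document carrying just one or two of them would keep a top-level string `organization`, which is exactly the ECS collision the processor's own description warns about (ECS defines `organization` as an object with `id`/`name`). If the intent is to strip whichever of the three was injected, one `remove` per field with its own guard, e.g. `if: ctx.organization instanceof String` for `organization` alone, is safer than the conjunction. The identical processor in the ioc pipeline hunk below has the same shape and should be adjusted together with this one.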
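Review bot: The new `remove` processor for `message` has no `tag`, while every other processor visible in these hunks (`set_ecs_version`, `remove_agentless_tags`, `set_event_kind`, `json_event_original`) carries one; without a tag, a failure in this processor is harder to attribute when the pipeline's failure handling records which step broke. Add `tag: remove_message` directly below `field: message`. The matching hunk in the ioc pipeline omits the tag in the same way.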
--- a/packages/ti_crowdstrike/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_crowdstrike/data_stream/ioc/elasticsearch/ingest_pipeline/default.yml
@@ -5,6 +5,17 @@ processors:
       field: ecs.version
       tag: set_ecs_version
       value: 8.11.0
+  - remove:
+      field:
+        - organization
+        - division
+        - team
+      ignore_missing: true
+      if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+      tag: remove_agentless_tags
+      description: >-
+        Removes the fields added by Agentless as metadata,
+        as they can collide with ECS fields.
   - set:
       field: event.kind
       tag: set_event_kind
@@ -29,6 +40,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: ctx.event?.original != null
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       tag: json_event_original
diff --git a/packages/ti_crowdstrike/docs/README.md b/packages/ti_crowdstrike/docs/README.md
index f692039ee5c..2d8c7587707 100644
--- a/packages/ti_crowdstrike/docs/README.md
+++ b/packages/ti_crowdstrike/docs/README.md
@@ -2,6 +2,11 @@ CrowdStrike Falcon Intelligence is a threat intelligence product that provides advanced cybersecurity insights to organizations. Leveraging machine learning and behavioural analytics, Falcon Intelligence delivers real-time threat data, enabling proactive threat detection and response. With a focus on actionable intelligence, it empowers businesses to stay ahead of cyber adversaries and enhance their overall security posture. This [CrowdStrike Falcon Intelligence](https://www.crowdstrike.com/en-us/) integration enables you to consume and analyze CrowdStrike Falcon Intelligence data within Elastic Security, including Intel Indicator and IOCs, providing you with visibility and context for your cloud environments within Elastic Security. +## Agentless Enabled Integration + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + ## Data streams The CrowdStrike Falcon Intelligence integration collects two types of data: IOC and Intel Indicator.
diff --git a/packages/ti_crowdstrike/manifest.yml b/packages/ti_crowdstrike/manifest.yml
index 69815bff55c..4585da0d6c7 100644
--- a/packages/ti_crowdstrike/manifest.yml
+++ b/packages/ti_crowdstrike/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 3.0.3
+format_version: 3.3.2
 name: ti_crowdstrike
 title: CrowdStrike Falcon Intelligence
-version: "2.5.0"
+version: "2.6.0"
 description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
   - threat_intel
 conditions:
   kibana:
-    version: "^8.13.0 || ^9.0.0"
+    version: "^8.18.0 || ^9.0.0"
   elastic:
     subscription: basic
 screenshots:
@@ -30,6 +30,17 @@ policy_templates:
   - name: ti_crowdstrike
     title: CrowdStrike Falcon Intelligence logs
     description: Collect CrowdStrike Falcon Intelligence logs.
+    deployment_modes:
+      default:
+        enabled: true
+      agentless:
+        enabled: true
+        organization: security
+        division: engineering
+        team: security-service-integrations
+        resources:
+          requests:
+            memory: 4Gi
     inputs:
       - type: cel
         title: Collect CrowdStrike Falcon Intelligence logs via API
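Review bot: The `organization`, `division` and `team` keys added under `agentless:` are the same three fields the ingest pipelines in this change strip in their `remove_agentless_tags` step, but nothing in the manifest records that coupling, so a later rename of one of these keys could silently leave a string field colliding with ECS without the pipeline condition noticing. A comment above `organization: security`, `# Surfaced in each event as top-level fields by the Agentless runtime; both ingest pipelines remove them (tag remove_agentless_tags)`, would make the dependency visible where it is configured. Whether `memory: 4Gi` is an appropriate request for this CEL-based threat-intel input cannot be judged from the diff; a one-line justification next to it would help future readers.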