From 2cb142849d870144cedcb1f782352f631a315121 Mon Sep 17 00:00:00 2001
From: Krishna Chaitanya Reddy Burri
Date: Fri, 29 Aug 2025 15:21:41 +0530
Subject: [PATCH] Add Defender for Cloud to 3rd party integrations permissions required for transform (#133623)
Add logs-microsoft_defender_cloud.assessment data stream indices to the kibana_system's read privileges. This is required for the latest transform for 3rd party integrations CDR workflows (vulnerability and misconfigurations findings) to work. Also adds delete_index on logs-microsoft_defender_cloud.assessment-* to facilitate index removal through ILM policies. Related: For elastic/integrations#14785 Similar to #132445
(cherry picked from commit eb005b07080a7bd72a1ed4100165630b24f93ba3)
---
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 6 +++++-
 .../core/security/authz/store/ReservedRolesStoreTests.java | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index 8e398feb9799c..563ae58a7e40a 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -484,7 +484,11 @@ static RoleDescriptor kibanaSystem(String name) {
 // For source indices of the Cloud Detection & Response (CDR) packages
 // that ships a transform and has ILM policy
 RoleDescriptor.IndicesPrivileges.builder()
- .indices("logs-m365_defender.vulnerability-*", "logs-microsoft_defender_endpoint.vulnerability-*")
+ .indices(
+ "logs-m365_defender.vulnerability-*",
+ "logs-microsoft_defender_endpoint.vulnerability-*",
+ "logs-microsoft_defender_cloud.assessment-*"
+ )
 .privileges(
 "read",
 "view_index_metadata",
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index a7488a88a77a5..654dde4eaee5a 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1684,7 +1684,8 @@ public void testKibanaSystemRole() {
 Arrays.asList(
 "logs-m365_defender.vulnerability-" + randomAlphaOfLength(randomIntBetween(0, 13)),
- "logs-microsoft_defender_endpoint.vulnerability-" + randomAlphaOfLength(randomIntBetween(0, 13))
+ "logs-microsoft_defender_endpoint.vulnerability-" + randomAlphaOfLength(randomIntBetween(0, 13)),
+ "logs-microsoft_defender_cloud.assessment-" + randomAlphaOfLength(randomIntBetween(0, 13))
 ).forEach(indexName -> {
 final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));
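Review bot: The widened `.indices(...)` list in `kibanaSystem` puts a third data stream behind the reserved `kibana_system` role, but the comment above it still only says "CDR packages" and does not record which integration or transform needs each pattern. The `.privileges(...)` list runs past the end of the hunk, so the `delete_index` grant named in the commit message is not visible here, and a reader at this spot cannot tell that the new pattern is deletable as well as readable. I would add a line next to the new entry such as `// logs-microsoft_defender_cloud.assessment-*: source of the CDR findings latest transform; delete_index is for ILM removal`. That keeps each grant on this built-in role auditable and easy to withdraw once the transform no longer needs it.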
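Review bot: From the visible lines, the `Arrays.asList(...)` loop only feeds names that match the granted patterns, so nothing in this hunk pins where the new `logs-microsoft_defender_cloud.assessment-*` grant stops. A later change that widened the pattern to the whole integration prefix would, as far as this hunk shows, still pass. `testKibanaSystemRole` continues outside the hunk, so this may already be covered there. If it is not, add a negative case with a sibling name under the same prefix, for example the constructed `"logs-microsoft_defender_cloud.other-" + randomAlphaOfLength(5)`, and assert that the read and delete-index matchers reject it.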