
Elastic Integrations
https://www.elastic.co/integrations

[ti_*] IOC transform destinations incorrectly marked as sources #11208

Closed chrisberkhout closed 1 month ago

chrisberkhout commented 1 month ago

In https://github.com/elastic/integrations/pull/11008, a field that was present in transform sources was added to transform destinations, from which it had previously been absent. This was to fix a test that failed when logsdb (or synthetic source) was enabled.

The field in question was defined as:

```yaml
- name: labels.is_ioc_transform_source
  type: constant_keyword
  value: "true"
  description: In the source index it indicates if the document is a source for the transform.
```

It was absent from the transform destination to differentiate it from the source, which may contain duplicate and expired IOCs.

There was a problem with the change:

To fix these problems, the field should be set to "false" in the destination, and the version numbers incremented.

Defining this field in a separate file from those shared between source and destination, wherever that is not already done, will help to keep destination field definitions in sync with source field definitions.

Related issues
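One way to catch this class of regression in CI, as an added example that is not code from the elastic/integrations repository: compare the source and destination field definitions of a transform and require that the shared fields match while `labels.is_ioc_transform_source` is `"true"` only in the source and `"false"` in the destination (the fix proposed above). The field lists are constructed inline in the shape PyYAML would produce from a `fields/*.yml` file.

```python
"""Check that IOC transform destination field definitions stay in sync with the
source definitions and that labels.is_ioc_transform_source carries the expected
constant on each side ("true" in source, "false" in destination, as the issue proposes).
Added example, not code from elastic/integrations; field lists are constructed inline
in the shape PyYAML would produce from a fields/*.yml file."""

DISCRIMINATOR = "labels.is_ioc_transform_source"

# Constructed sample: definitions shared by source and destination indices.
SHARED_FIELDS = [
    {"name": "threat.indicator.type", "type": "keyword"},
    {"name": "threat.indicator.ip", "type": "ip"},
    {"name": "threat.indicator.first_seen", "type": "date"},
]
# Constructed sample: the discriminator kept in its own per-index file.
SOURCE_ONLY = [{"name": DISCRIMINATOR, "type": "constant_keyword", "value": "true"}]
DEST_ONLY = [{"name": DISCRIMINATOR, "type": "constant_keyword", "value": "false"}]


def by_name(fields):
    return {f["name"]: f for f in fields}


def check_sync(source_fields, dest_fields):
    """Return a list of problems; an empty list means the two definitions are consistent."""
    src, dst = by_name(source_fields), by_name(dest_fields)
    problems = []
    # 1. Every shared source field must exist in the destination with the same type.
    for name, field in src.items():
        if name == DISCRIMINATOR:
            continue
        if name not in dst:
            problems.append(f"missing in destination: {name}")
        elif dst[name].get("type") != field.get("type"):
            problems.append(f"type mismatch for {name}: {field.get('type')} vs {dst[name].get('type')}")
    # 2. The discriminator must be a constant_keyword on both sides with opposite values,
    #    so queries can tell deduplicated destination docs from raw source docs.
    for side, fields, want in (("source", src, "true"), ("destination", dst, "false")):
        f = fields.get(DISCRIMINATOR)
        if f is None:
            problems.append(f"{side}: {DISCRIMINATOR} is not defined")
        elif f.get("type") != "constant_keyword" or f.get("value") != want:
            problems.append(f'{side}: {DISCRIMINATOR} must be constant_keyword with value "{want}"')
    return problems


if __name__ == "__main__":
    print("fixed:", check_sync(SHARED_FIELDS + SOURCE_ONLY, SHARED_FIELDS + DEST_ONLY) or "consistent")
    # Regressed state from the issue: destination copied the source definition verbatim.
    print("regressed:", check_sync(SHARED_FIELDS + SOURCE_ONLY, SHARED_FIELDS + SOURCE_ONLY))
```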

elasticmachine commented 1 month ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)