[CrowdStrike] Add support of REST API for Alert and Host #8790
Conversation
|
||
## Logs | ||
|
||
### Alert |
Does this datastream also support events via Event Stream? If that's the case we should make this more descriptive as it currently sounds like it's limited to alerts.
This PR contains support for Alert and Host endpoint only.
Waiting for the customer's feedback on the Event Stream API data collection, then we can plan to add the support in this PR or maybe in a separate PR.
The minimum **kibana.version** required is **8.10.1**. | ||
|
||
## Setup | ||
### To collect data from CrowdStrike REST API, the following parameters from your CrowdStrike instance are required: |
Does a customer need to ensure the Event Stream API is enabled also? Do they have to contact CrowdStrike support in order to enable the API?
Worth noting that a user who tested the pre-release of this package had to grant "read" scope to "alerts" and "hosts" via CrowdStrike in order to get the data. Are these permissions required on our end? If so, we should be documenting it.
Yes. Customers need to add the read scopes for the endpoints using the CrowdStrike instance. As this PR only supports the Alert and Host endpoints, I have added details of the required scopes for them inside the Setup section.
- `falcon` dataset: consists of endpoint data and Falcon platform audit data forwarded from [Falcon SIEM Connector](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/). | ||
- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). | ||
- `host` dataset: retrieves all the hosts in your environment. It is supported through the REST API. | ||
|
||
## Compatibility | ||
|
||
This integration supports CrowdStrike Falcon SIEM-Connector-v2.0. |
We should adjust this if we no longer require the Falcon SIEM Connector. While users can still use it, this update provides the ability to ingest data directly via the API, avoiding the need for SIEM Connector. If possible, we should also include language to explain API vs SIEM Connector to avoid any confusion.
Currently, we have not removed the support of Falcon SIEM connector. Users will have two options -
- Collect logs via API
- Collect logs via Falcon SIEM connector
Let me know if you want me to remove the support of Falcon SIEM connector.
I agree with you that we can include language to explain API vs SIEM connector to avoid the confusion. Will update that.
@mohitjha-elastic definitely don't remove the SIEM Connector support, as that's what users rely on today. But definitely add some language to make it clear that we support both SIEM Connector and API, and that the SIEM Connector is not required if you're ingesting directly via the API.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
/test
Content-Type: | ||
- application/json | ||
body: |- | ||
{"resources": [{"agent_id":"2ce412d17b334ad4adc8c1c54dbfec4b","aggregate_id":"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","alleged_filetype":"exe","cid":"92012896127c4a948236ba7601b886b0","cloud_indicator":"false","cmdline":"\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"","composite_id":"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","confidence":10,"context_timestamp":"2023-11-03T18:00:31Z","control_graph_id":"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778","crawl_edge_ids":{"Sensor":["KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2J<d2T/ji6R&RIHe-tZSkP*q?HW;:leq.:kk)>IVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N","KZcZA__;?\"cmott@m_k)MSZ^+C?.cg<Lga#0@71X07*LY2teE56*16pL[=!bjF7g@0jOQE'jT6RX_F@sr#RP-U/d[#nm9A,A,W%cl/T@<W`alY1K_h%QDBBF;_e7S!!*'!","KZd)iK2;s\\ckQl_P*d=Mo?^a7/JKc\\*L48169!7I5;0\\<H^hNG\"ZQ3#U3\"eo<>92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';e<OHh9AmlT?5<gGqK:*L99kat+P)eZ$HR\"Ql@Q!!!$!rr","N6=Ks_B9Bncmur)?\\[fV$k/N5;:6@aB$P;R$2XAaPJ?E<G5,UfaP')8#2AY4ff+q?T?b0/RBi-YAeGmb<6Bqp[DZh#I(jObGkjJJaMf\\:#mb;BM\\L[g!\\F*M!!*'!","N6B%O`'=_7d#%u&d[+LTNDs<3307?8n=GrFI:4YYGCL,cIt-Tuj!&<6:3RbC`uNjL#gW&=)E`4^/'fp*.bFX@p_$,R6.\"=lV*T*5Vf`c.:nkd$+YD:DJ,Ls0[sArC')K%YTc$:@kUQW5s8N","N6B%s!\\k)ed$F6>a%iM\"<FTSe/eH8M:<9gf;$$.b??kpC*99aX!Lq:g6:Q3@Ga4Zrb@MaMa]L'YAt$IFBu])\"H^sF$r7gDPf6&CHpVKO3<DgK9,Y/e@V\"b&m!<<'","N6CU&`%VT\"d$=67=h\\I)/BJH:8-lS!.%\\-!$1@bAhtVO?q4]9'9'haE4N0*-0Uh'-'f',YW3]T=jL3D#N=fJi]Pp-bWej+R9q[%h[p]p26NK8q3b50k9G:.&eM<Qer>__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!","N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr","N6CUF__;K!d$:\\N43JV0AO5
6@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'","N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_<r/JG0TCEQ!Ug(be3)&R2JnX+RSqorgC-NCjf6XATBWX(5<L1J1DV>44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N"]},"crawl_vertex_ids":{"Sensor":["aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600","mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135","pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993","quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425"]},"crawled_timestamp":"2023-11-03T19:00:23.985020992Z","created_timestamp":"2023-11-03T18:01:23.995794943Z","data_domains":["Endpoint"],"description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.","device":{"agent_load_flags":"0","agent_local_time":"2023-10-12T03:45:57.753Z","agent_version":"7.04.17605.0","bios_manufacturer":"ABC","bios_version":"F8CN42WW(V2.05)","cid":"92012896127c4a948236ba7601b886b0","config_id_base":"65994763","config_id_build":"17605","config_id_platform":"3","device_id":"2ce412d17b334ad4adc8c1c54dbfec4b","external_ip":"81.2.69.142","first_seen":"2023-04-07T09:36:36Z","groups":["18704e21288243b58e4c76266d38caaf"],"hostinfo":{"active_directory_dn_display":["WinComputers","WinComputers\\ABC"],"domain":"ABC.LOCAL"},"hostname":"ABC709-1175","last_seen":"2023-11-03T17:51:4
2Z","local_ip":"81.2.69.142","mac_address":"ab-21-48-61-05-b2","machine_domain":"ABC.LOCAL","major_version":"10","minor_version":"0","modified_timestamp":"2023-11-03T17:53:43Z","os_version":"Windows11","ou":["ABC","WinComputers"],"platform_id":"0","platform_name":"Windows","pod_labels":null,"product_type":"1","product_type_desc":"Workstation","site_name":"Default-First-Site-Name","status":"normal","system_manufacturer":"LENOVO","system_product_name":"20VE"},"falcon_host_link":"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","filename":"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","filepath":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","grandparent_details":{"cmdline":"C:\\Windows\\system32\\userinit.exe","filename":"userinit.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe","local_process_id":"4328","md5":"b07f77fd3f9828b2c9d61f8a36609741","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135","process_id":"392734873135","sha256":"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","timestamp":"2023-10-30T16:49:19Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"yuvraj.mahajan"},"has_script_or_module_ioc":"true","id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","indicator_id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","ioc_context":[{"ioc_description":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-
001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","ioc_source":"library_load","ioc_type":"hash_sha256","ioc_value":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","type":"module"}],"ioc_values":[],"is_synthetic_quarantine_disposition":true,"local_process_id":"17076","logon_domain":"ABSYS","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","name":"PrewittPupAdwareSensorDetect-Lowest","objective":"FalconDetectionMethod","parent_details":{"cmdline":"C:\\WINDOWS\\Explorer.EXE","filename":"explorer.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\explorer.exe","local_process_id":"1040","md5":"8cc3fcdd7d52d2d5221303c213e044ae","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","process_id":"392736520876","sha256":"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","timestamp":"2023-11-03T18:00:32Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"},"parent_process_id":"392736520876","pattern_disposition":2176,"pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.","pattern_disposition_details":{"blocking_unsupported_or_disabled":false,"bootup_safeguard_enabled":false,"critical_process_disabled":false,"detect":false,"fs_operation_blocked":false,"handle_operation_downgraded":false,"inddet_mask":false,"indicator":false,"kill_action_failed":false,"kill_parent":false,"kill_process":false,"kill_subprocess":false,"operation_blocked":false,"policy_disabled":false,"process_blocked":true,"quarantine_file":true,"quarantine_machine":false,"registry_operation_blocked":false,"rooting":false,"sensor_only":false,"suspend_parent":false,"suspend_process":false},"pattern_i
d":5761,"platform":"Windows","poly_id":"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==","process_end_time":"1699034421","process_id":"399748687993","process_start_time":"1699034413","product":"epp","quarantined_files":[{"filename":"\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","id":"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","state":"quarantined"}],"scenario":"NGAV","severity":30,"sha1":"0000000000000000000000000000000000000000","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","show_in_ui":true,"source_products":["FalconInsight"],"source_vendors":["CrowdStrike"],"status":"new","tactic":"MachineLearning","tactic_id":"CSTA0004","technique":"Adware/PUP","technique_id":"CST0000","timestamp":"2023-11-03T18:00:22.328Z","tree_id":"1931778","tree_root":"38687993","triggering_process_graph_id":"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993","type":"ldt","updated_timestamp":"2023-11-03T19:00:23.985007341Z","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"}]} |
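Review bot: several string values in this sample body have had their spaces stripped (`"description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold."`, `"pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted."`), so the fixture no longer resembles a real API response and any processor that tokenizes those fields is tested against the wrong input. The anonymisation also left the identifiers inconsistent: `cid` is `92012896127c4a948236ba7601b886b0` but `composite_id` starts with `92012896127c4a8236ba7601b886b0`, and the device id appears as `2ce412d17b334ad4adc8c1c54dbfec4b`, `2ce412d17b34ad4adc8c1c54dbfec4b` and `2ce412d17b4ad4adc8c1c54dbfec4b` across the graph ids, so the process and user graph ids no longer correlate. Suggest regenerating the body from a captured response, replacing the account names `yuvraj.mahajan` and `mohit.jha` with placeholder users, and scrubbing ids with one consistent substitution.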
Would it be reasonable to pretty format this JSON to reduce diff noise in the future? This line is almost 10kB long.
I'm wondering if an option in stream could allow minified JSON to be returned when the body is structured for readability.
packages/crowdstrike/changelog.yml
- description: Add the Input Support of REST API (Alert, Host, and Event Streams) and update the minimum kibana version to 8.10.1. | ||
type: enhancement | ||
link: https://github.com/elastic/integrations/pull/8790 |
Separate change entries?
- description: Add the Input Support of REST API (Alert, Host, and Event Streams) and update the minimum kibana version to 8.10.1. | |
type: enhancement | |
link: https://github.com/elastic/integrations/pull/8790 | |
- description: Add support for Alert, Host, and Event Streams API endpoints. | |
type: enhancement | |
link: https://github.com/elastic/integrations/pull/8790 | |
- description: Update minimum kibana version to 8.10.1. | |
type: enhancement | |
link: https://github.com/elastic/integrations/pull/8790 |
( | ||
state.with( | ||
( | ||
!state.want_more ? | ||
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" | ||
+ string(state.batch_size) + "&filter=timestamp:>\"" + | ||
( | ||
has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | ||
state.cursor.last_timestamp + "\"" | ||
: | ||
(now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | ||
) | ||
) | ||
: | ||
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + | ||
"&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + | ||
( | ||
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | ||
state.cursor.first_timestamp + "\"" | ||
: | ||
"\"" | ||
) | ||
) | ||
).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | ||
"resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | ||
"want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | ||
"offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | ||
int(state.offset) + int(body.resources.size()) | ||
: | ||
0, | ||
"url": state.url, | ||
"batch_size": state.batch_size, | ||
})) | ||
).as(state, state.with( | ||
has (state.resources) && state.resources != "" ? | ||
post_request( | ||
state.url + "/alerts/entities/alerts/v1", | ||
"application/json", | ||
{"ids": state.resources }.encode_json() | ||
) | ||
.do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | ||
"events": inner_body.resources.map(e, { | ||
"message": e.encode_json(), | ||
}), | ||
"cursor": { | ||
"last_timestamp": ( | ||
has(inner_body.resources) && inner_body.resources.size() > 0 ? | ||
inner_body.resources.map(e, e.timestamp).max() | ||
: | ||
( | ||
has(state.cursor) && has(state.cursor.last_timestamp) ? | ||
state.cursor.last_timestamp | ||
: | ||
null | ||
) | ||
), | ||
"first_timestamp": ( | ||
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | ||
( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) | ||
: | ||
(now - duration(state.initial_interval)).format(time_layout.RFC3339) | ||
), | ||
}, | ||
})) | ||
: | ||
{} | ||
) | ||
) | ||
) |
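Review bot: the `want_more` and `offset` expressions call `body.resources.size()` and read `body.meta.pagination.total` without the `has(body.resources)` guard that the `resources` line just above them uses, so a response without those keys (an error body, or an empty page) fails the whole evaluation instead of yielding `want_more: false`; guard both with `has(body.resources)` and `has(body.meta) && has(body.meta.pagination)` (or derive them from the already guarded `resources` value) and consider checking the response status before decoding the body. Separately, the `want_more` branch falls back to `"\""`, which produces `filter=timestamp:>""` when `first_timestamp` is null; either drop that fallback or use the same `initial_interval` lookback as the first branch so the filter is never empty.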
Consistent indentation helps readability (untested changes)
( | |
state.with( | |
( | |
!state.want_more ? | |
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" | |
+ string(state.batch_size) + "&filter=timestamp:>\"" + | |
( | |
has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | |
state.cursor.last_timestamp + "\"" | |
: | |
(now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | |
) | |
) | |
: | |
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + | |
"&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + | |
( | |
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
state.cursor.first_timestamp + "\"" | |
: | |
"\"" | |
) | |
) | |
).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | |
"resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | |
"want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | |
"offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | |
int(state.offset) + int(body.resources.size()) | |
: | |
0, | |
"url": state.url, | |
"batch_size": state.batch_size, | |
})) | |
).as(state, state.with( | |
has (state.resources) && state.resources != "" ? | |
post_request( | |
state.url + "/alerts/entities/alerts/v1", | |
"application/json", | |
{"ids": state.resources }.encode_json() | |
) | |
.do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | |
"events": inner_body.resources.map(e, { | |
"message": e.encode_json(), | |
}), | |
"cursor": { | |
"last_timestamp": ( | |
has(inner_body.resources) && inner_body.resources.size() > 0 ? | |
inner_body.resources.map(e, e.timestamp).max() | |
: | |
( | |
has(state.cursor) && has(state.cursor.last_timestamp) ? | |
state.cursor.last_timestamp | |
: | |
null | |
) | |
), | |
"first_timestamp": ( | |
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) | |
: | |
(now - duration(state.initial_interval)).format(time_layout.RFC3339) | |
), | |
}, | |
})) | |
: | |
{} | |
) | |
) | |
) | |
( | |
state.with( | |
( | |
!state.want_more ? | |
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | |
has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | |
state.cursor.last_timestamp + "\"" | |
: | |
(now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | |
)) | |
: | |
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | |
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
state.cursor.first_timestamp + "\"" | |
: | |
"\"" | |
)) | |
).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | |
"resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | |
"want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | |
"offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | |
int(state.offset) + int(body.resources.size()) | |
: | |
0, | |
"url": state.url, | |
"batch_size": state.batch_size, | |
})) | |
).as(state, state.with( | |
!has(state.resources) || state.resources == "" ? {} : | |
post_request( | |
state.url + "/alerts/entities/alerts/v1", | |
"application/json", | |
{"ids": state.resources}.encode_json() | |
).do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | |
"events": inner_body.resources.map(e, { | |
"message": e.encode_json(), | |
}), | |
"cursor": { | |
"last_timestamp": ( | |
has(inner_body.resources) && inner_body.resources.size() > 0 ? | |
inner_body.resources.map(e, e.timestamp).max() | |
: has(state.cursor) && has(state.cursor.last_timestamp) ? | |
state.cursor.last_timestamp | |
: | |
null | |
), | |
"first_timestamp": ( | |
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
(state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp) | |
: | |
(now - duration(state.initial_interval)).format(time_layout.RFC3339) | |
), | |
}, | |
})) | |
) | |
) | |
) |
Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" | ||
- set: | ||
field: event.kind | ||
value: pipeline_error |
Final newline
( | ||
state.with( | ||
( | ||
!state.want_more ? | ||
request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=0&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + | ||
( | ||
has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | ||
state.cursor.last_timestamp + "\"" | ||
: | ||
(now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | ||
) | ||
) | ||
: | ||
request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=" + string(state.offset) + | ||
"&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + | ||
( | ||
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | ||
state.cursor.first_timestamp + "\"" | ||
: | ||
"\"" | ||
) | ||
) | ||
).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | ||
"resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | ||
"want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | ||
"offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | ||
int(state.offset) + int(body.resources.size()) | ||
: | ||
0, | ||
"url": state.url, | ||
"batch_size": state.batch_size, | ||
})) | ||
).as(state, state.with( | ||
has (state.resources) && state.resources != "" ? | ||
post_request( | ||
state.url + "/devices/entities/devices/v2", | ||
"application/json", | ||
{"ids": state.resources }.encode_json() | ||
) | ||
.do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | ||
"events": inner_body.resources.map(e, { | ||
"message": e.encode_json(), | ||
}), | ||
"cursor": { | ||
"last_timestamp": ( | ||
has(inner_body.resources) && inner_body.resources.size() > 0 ? | ||
inner_body.resources.map(e, e.modified_timestamp).max() | ||
: | ||
( | ||
has(state.cursor) && has(state.cursor.last_timestamp) ? | ||
state.cursor.last_timestamp | ||
: | ||
null | ||
) | ||
), | ||
"first_timestamp": ( | ||
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | ||
( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) | ||
: | ||
(now - duration(state.initial_interval)).format(time_layout.RFC3339) | ||
), | ||
}, | ||
})) | ||
: | ||
{} | ||
) | ||
) | ||
) |
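Review bot: `resources` is stored as the string `""` when the page is empty and as a list otherwise, and the second stage then tests `has (state.resources) && state.resources != ""`; mixing a list and a string in one field means the comparison depends on CEL's heterogeneous-equality behaviour and the type of the persisted state changes between runs. Use an empty list (`[]`) as the sentinel and test `size(state.resources) > 0` so the field has a single type. Also note that the cursor is built on `modified_timestamp:>`, so a host that is modified again after `last_timestamp` is re-emitted as a new event; the pipeline should treat such events as updates to an existing host rather than as new hosts.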
( | |
state.with( | |
( | |
!state.want_more ? | |
request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=0&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + | |
( | |
has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | |
state.cursor.last_timestamp + "\"" | |
: | |
(now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | |
) | |
) | |
: | |
request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=" + string(state.offset) + | |
"&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + | |
( | |
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
state.cursor.first_timestamp + "\"" | |
: | |
"\"" | |
) | |
) | |
).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | |
"resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | |
"want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | |
"offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | |
int(state.offset) + int(body.resources.size()) | |
: | |
0, | |
"url": state.url, | |
"batch_size": state.batch_size, | |
})) | |
).as(state, state.with( | |
has (state.resources) && state.resources != "" ? | |
post_request( | |
state.url + "/devices/entities/devices/v2", | |
"application/json", | |
{"ids": state.resources }.encode_json() | |
) | |
.do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | |
"events": inner_body.resources.map(e, { | |
"message": e.encode_json(), | |
}), | |
"cursor": { | |
"last_timestamp": ( | |
has(inner_body.resources) && inner_body.resources.size() > 0 ? | |
inner_body.resources.map(e, e.modified_timestamp).max() | |
: | |
( | |
has(state.cursor) && has(state.cursor.last_timestamp) ? | |
state.cursor.last_timestamp | |
: | |
null | |
) | |
), | |
"first_timestamp": ( | |
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) | |
: | |
(now - duration(state.initial_interval)).format(time_layout.RFC3339) | |
), | |
}, | |
})) | |
: | |
{} | |
) | |
) | |
) | |
( | |
state.with( | |
( | |
!state.want_more ? | |
request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=0&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + ( | |
has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | |
state.cursor.last_timestamp + "\"" | |
: | |
(now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | |
)) | |
: | |
request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + ( | |
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
state.cursor.first_timestamp + "\"" | |
: | |
"\"" | |
)) | |
).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | |
"resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | |
"want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | |
"offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | |
int(state.offset) + int(body.resources.size()) | |
: | |
0, | |
"url": state.url, | |
"batch_size": state.batch_size, | |
})) | |
).as(state, state.with( | |
!has(state.resources) || state.resources == "" ? {} : | |
post_request( | |
state.url + "/devices/entities/devices/v2", | |
"application/json", | |
{"ids": state.resources }.encode_json() | |
).do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | |
"events": inner_body.resources.map(e, { | |
"message": e.encode_json(), | |
}), | |
"cursor": { | |
"last_timestamp": ( | |
has(inner_body.resources) && inner_body.resources.size() > 0 ? | |
inner_body.resources.map(e, e.modified_timestamp).max() | |
: has(state.cursor) && has(state.cursor.last_timestamp) ? | |
state.cursor.last_timestamp | |
: | |
null | |
), | |
"first_timestamp": ( | |
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) | |
: | |
(now - duration(state.initial_interval)).format(time_layout.RFC3339) | |
), | |
}, | |
})) | |
) | |
) | |
) |
want_more: false | ||
offset: 0 | ||
batch_size: {{batch_size}} | ||
program: | |
Please add a redact field (see the docs).
field: message | ||
tag: rename_message_to_event_original | ||
target_field: event.original | ||
ignore_missing: true |
Add `if: ctx.event?.original == null`
field: event.original | ||
tag: json_event_original | ||
target_field: json | ||
ignore_failure: true |
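Review bot: with `ignore_failure: true` on this json processor a malformed `event.original` silently leaves `json` unset, and every later processor that reads `json.*` runs on missing data without any signal that parsing failed; the on_failure handler in this PR that sets `event.kind: pipeline_error` only fires when the failure is allowed to propagate, so drop `ignore_failure` here and let that handler record the parse error on the document.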
Can you remove `ignore_failure: true` wherever it's not needed? We shouldn't be hiding any errors. Applies to the rest of the datastreams as well.
"preserve_original_event" | ||
], | ||
"user": { | ||
"name": "NA.NET.ABC.com\\abc.service" |
This should be split into `user.domain\user.name`.
"host": { | ||
"hostname": "CLM101-131.local", | ||
"ip": [ | ||
"81.2.69.192" |
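Review bot: besides enriching `81.2.69.192` with `geoip`, append the address to `related.ip` so that IP pivots across data streams find this event; the same applies to any other address field the pipeline sets for the host.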
Can you apply the geoip processor on this IP?
field: message | ||
tag: rename_message_to_event_original | ||
target_field: event.original | ||
ignore_missing: true |
Add `if: ctx.event?.original == null`
@@ -3,15 +3,44 @@ | |||
This integration is for [CrowdStrike](https://www.crowdstrike.com/resources/?cs_query=type=5) products. It includes the |
Can we adjust the introduction to read: The CrowdStrike Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualisation and incident response.
Sorry I missed some issues with the CEL code in the previous review (nits only). I think there is an issue with the user name splitting condition.
...rowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml
state.with( | ||
( | ||
!state.want_more ? | ||
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( |
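Review bot: `state.url + "/alerts/queries/alerts/v1?..."` concatenates the configured base URL directly, so a value entered with a trailing slash yields `//alerts/queries/...`. Either trim a trailing `/` from `state.url` before building the request or state the expected form of the URL in the input's setting description.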
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | |
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + '&filter=timestamp:>"' + ( |
!state.want_more ? | ||
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | ||
has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | ||
state.cursor.last_timestamp + "\"" |
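Review bot: the resume filter is `timestamp:>"` + `state.cursor.last_timestamp`, a strict greater-than. An alert that becomes queryable after a run but carries a timestamp equal to `last_timestamp` (the sample timestamps have whole-second resolution, e.g. `18:00:13.000Z`) would never be fetched. Either use `>=` and rely on the alert id (`event.id`) for deduplication downstream, or document the possible gap at the boundary.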
state.cursor.last_timestamp + "\"" | |
state.cursor.last_timestamp + '"' |
(now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | ||
)) | ||
: | ||
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( |
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | |
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + '&filter=timestamp:>"' + ( |
: | ||
request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | ||
has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | ||
state.cursor.first_timestamp + "\"" |
state.cursor.first_timestamp + "\"" | |
state.cursor.first_timestamp + '"' |
/test
Replace the occurrence of double quotes inside double quotes with double quotes inside single quotes for all the cel.yml.hbs files.
following datasets for receiving logs: | ||
The [CrowdStrike](https://www.crowdstrike.com/) Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualisation and incident response. It provides support using two different modes for integrating CrowdStrike to the Elastic: | ||
|
||
1. Falcon SIEM Connector: This is a pre-built integration designed to connect CrowdStrike Falcon with Security Information and Event Management (SIEM) systems. It streamlines the flow of security data from CrowdStrike Falcon to the SIEM, providing a standardized and structured way of feeding information into the SIEM platform. It includes the following datasets for receiving logs: | ||
|
||
- `falcon` dataset: consists of endpoint data and Falcon platform audit data forwarded from [Falcon SIEM Connector](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/). | ||
- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). |
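Review bot: the new paragraph says "two different modes" while this PR adds REST API collection as a third, and the `fdr` bullet is listed under the Falcon SIEM Connector item although Falcon Data Replicator does not go through the connector; give FDR its own numbered item and update the count. Also "integrating CrowdStrike to the Elastic" should read "integrating CrowdStrike with Elastic".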
@mohitjha-elastic Falcon Data Replicator (FDR) is a separate product from CrowdStrike and it doesn't rely on the SIEM Connector. Can we ensure FDR has its own section. It's currently under our SIEM Connector section, which implies that SIEM Connector is required.
}, | ||
"event": { | ||
"id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", | ||
"kind": "alert", |
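Review bot: `event.kind: alert` is set but no `event.category` or `event.type` appears in this fragment; Elastic Security rules and the alerts views filter on those, so uncategorised alerts are hard to surface. Where the `tactic`/`technique` values elsewhere in this sample (e.g. `technique: Adware/PUP`) identify malware, populate `event.category: malware`, and otherwise fall back to `intrusion_detection`, which is the category other EDR integrations use for detections.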
@mohitjha-elastic is it possible to also populate `event.category:malware` for alerts that relate to malware?
We are not getting any specific fields from which we can categorize it if it's related to malware.
"alert": { | ||
"agent_id": "2ce412d17b334ad4adc8c1c54dbfec4b", | ||
"aggregate_id": "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", | ||
"alleged_filetype": "exe", |
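Review bot: `alleged_filetype: "exe"` describes the type CrowdStrike believes the file to be, not necessarily the name's extension, so copying it into `file.extension` would mislabel files whose extension differs from their content. Keep it under `crowdstrike.alert.alleged_filetype` unless the API documents it as an extension.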
map to file.extension?
Got it, thanks @mohitjha-elastic. I was going on the assumption that the filetype is always an extension.
"poly_id": "AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", | ||
"process_end_time": "2023-11-03T18:00:21.000Z", | ||
"process_id": "399748687993", | ||
"process_start_time": "2023-11-03T18:00:13.000Z", |
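Review bot: `process_id: "399748687993"` is a CrowdStrike-internal identifier (the same value is embedded in `event.id` above), not an OS pid, so it must not be mapped to `process.pid`; `process.entity_id` is the ECS field for an opaque unique process identifier. `process_start_time` itself maps cleanly to `process.start`.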
map to process.start?
"pattern_id": "5761", | ||
"platform": "Windows", | ||
"poly_id": "AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", | ||
"process_end_time": "2023-11-03T18:00:21.000Z", |
map to process.end?
], | ||
"status": "new", | ||
"tactic": "MachineLearning", | ||
"tactic_id": "CSTA0004", |
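Review bot: `tactic: MachineLearning` with `tactic_id: CSTA0004` is CrowdStrike's own taxonomy, not ATT&CK; in ATT&CK, TA0004 is Privilege Escalation, so stripping the `CS` prefix and emitting `TA0004` into `threat.tactic.id` would attribute the alert to the wrong tactic. Map only values that are already ATT&CK ids, and keep the CS-prefixed ones under `crowdstrike.alert.tactic_id`/`tactic`.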
@mohitjha-elastic map to threat.tactic.id? https://www.elastic.co/guide/en/ecs/current/ecs-threat.html#field-threat-tactic-id
"CrowdStrike" | ||
], | ||
"status": "new", | ||
"tactic": "MachineLearning", |
"status": "new", | ||
"tactic": "MachineLearning", | ||
"tactic_id": "CSTA0004", | ||
"technique": "Adware/PUP", |
"tactic": "MachineLearning", | ||
"tactic_id": "CSTA0004", | ||
"technique": "Adware/PUP", | ||
"technique_id": "CST0000", |
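Review bot: `technique_id: CST0000` paired with `technique: Adware/PUP` shows why prefix stripping is unsafe for techniques too: `T0000` is not an ATT&CK technique id and "Adware/PUP" is not an ATT&CK technique name, so a blanket `CS` removal would publish an invalid id in `threat.technique.id`. Validate the remainder against the ATT&CK id shape (`T` plus four digits, optional `.nnn` sub-technique) before populating `threat.technique.*`.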
@@ -0,0 +1,295 @@ | |||
{ | |||
"expected": [ |
@tomsonpl we're about to add support for CrowdStrike unified alerts, which pull alerts directly from their API and provide more information than the DetectionSummary events. Can you take a quick look at the mappings in this sample log and assess if any tweaks are required in order to populate Analyzer?
LGTM once merge conflicts are fixed. Let's wait for Jamie's review comments to be answered.
@kcreddy LGTM to me - ok to merge.
@mohitjha-elastic we can merge once you remove the merge conflicts and after Jamie's suggestions are implemented.
…crowdstrike-1.29.0
@kcreddy Removed the merge conflicts and implemented the changes suggested by Jamie. You can take a final look then we are good to go.
cdcf7b4 to a4d5535
Resolve conflicts by updating the changelog version. Change the alert endpoint from v1 to v2 as the v2 version has rolled out. Added some ecs mapping as per the suggestion. Change the Readme as per the suggestion in review comments.
a4d5535 to abfe8a2
@mohitjha-elastic Just finished with final review, apologise for the delay.
I verified all of Jamie's comments are either included or answered in the comments.
packages/crowdstrike/changelog.yml
- description: Add support for Alert and Host API endpoints. | ||
type: enhancement | ||
link: https://github.com/elastic/integrations/pull/8790 | ||
- description: Update minimum kibana version to 8.11.0. |
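Review bot: a changelog entry that raises the minimum Kibana version only documents the change; the version constraint that is actually enforced lives in `manifest.yml` under `conditions.kibana.version`, so either both are bumped together or this entry is dropped, and the value must match the stack capability the new CEL input relies on.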
- description: Update minimum kibana version to 8.11.0. | |
- description: Update minimum kibana version to 8.12.0. |
"threat": { | ||
"tactic": { | ||
"id": [ | ||
"CSTA0004" |
The `tactic.id` and `technique.id` don't seem to be prefixed with `CS` as per https://www.elastic.co/guide/en/ecs/current/ecs-threat.html#field-threat-tactic-id. May I know where these values are derived from?
- append: | ||
field: threat.tactic.id | ||
tag: append_threat_tactic_id | ||
value: '{{{crowdstrike.alert.tactic_id}}}' | ||
allow_duplicates: false | ||
if: ctx.crowdstrike?.alert?.tactic_id != null |
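Review bot: this `append` copies `'{{{crowdstrike.alert.tactic_id}}}'` verbatim into `threat.tactic.id`. If the `CS` prefix is going to be removed, do it on the appended value (a `script` building the value, or a `gsub` on `threat.tactic.id` after this step) rather than by rewriting `crowdstrike.alert.tactic_id`, so the vendor field keeps the raw value CrowdStrike returned and analysts can still see which ids were vendor-defined.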
When assigning `threat.tactic.id`, we could remove the `CS` prefix to match it with ECS standards https://attack.mitre.org/tactics/. Same for techniques.
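The two mapping decisions in this thread, the `user.domain`/`user.name` split and the handling of CS-prefixed tactic and technique ids, modelled in Python as an added example (this is not the integration's Painless pipeline). It assumes CrowdStrike's own ids carry a `CS` prefix while genuine ATT&CK ids are returned bare, and that the raw account field is called `user_name`.

```python
import re

# ATT&CK identifier shapes: tactic TA0004, technique T1055, sub-technique T1055.001.
ATTACK_ID = re.compile(r"^(TA\d{4}|T\d{4}(\.\d{3})?)$")
VENDOR_PREFIX = "CS"  # assumption: CrowdStrike-defined ids (CSTA0004, CST0000) carry this prefix


def attack_id(vendor_id):
    """Return vendor_id when it already is an ATT&CK id, otherwise None.

    A CS-prefixed value belongs to CrowdStrike's own taxonomy: stripping the prefix
    would turn CSTA0004 ("MachineLearning") into TA0004, which in ATT&CK is
    Privilege Escalation, so such ids are kept out of threat.* entirely.
    """
    if not vendor_id or vendor_id.startswith(VENDOR_PREFIX):
        return None
    return vendor_id if ATTACK_ID.match(vendor_id) else None


def split_user(name):
    """Split DOMAIN\\account into (user.domain, user.name); no separator gives (None, name)."""
    domain, sep, account = name.partition("\\")
    return (domain, account) if sep else (None, name)


def map_alert(alert):
    """Build the ECS threat.* and user.* fragment for one raw alert dict."""
    ecs = {}
    tactic = attack_id(alert.get("tactic_id"))
    if tactic:
        ecs.setdefault("threat", {})["tactic"] = {"id": [tactic], "name": [alert.get("tactic")]}
    technique = attack_id(alert.get("technique_id"))
    if technique:
        ecs.setdefault("threat", {})["technique"] = {"id": [technique], "name": [alert.get("technique")]}
    if alert.get("user_name"):  # assumption: raw field name for the account string
        domain, account = split_user(alert["user_name"])
        ecs["user"] = {"name": account} if domain is None else {"domain": domain, "name": account}
    return ecs


# Constructed sample; the tactic, technique and user values are the ones quoted in this PR.
SAMPLE_ALERT = {
    "tactic": "MachineLearning", "tactic_id": "CSTA0004",
    "technique": "Adware/PUP", "technique_id": "CST0000",
    "user_name": "NA.NET.ABC.com\\abc.service",
}

if __name__ == "__main__":
    print(map_alert(SAMPLE_ALERT))  # only user.* is emitted; the CS ids stay vendor-specific
```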
@@ -1,17 +1,54 @@ | |||
# CrowdStrike Integration | |||
|
|||
This integration is for [CrowdStrike](https://www.crowdstrike.com/resources/?cs_query=type=5) products. It includes the | |||
following datasets for receiving logs: | |||
The [CrowdStrike](https://www.crowdstrike.com/) Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualisation and incident response. It provides support using three different modes for integrating CrowdStrike to the Elastic: |
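Review bot: besides the "visualisation"/"visualization" spelling, "integrating CrowdStrike to the Elastic" should read "integrating CrowdStrike with Elastic", and the three modes announced at the end of the sentence should each appear as their own numbered item below so FDR is not presented as part of the SIEM Connector path.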
The [CrowdStrike](https://www.crowdstrike.com/) Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualisation and incident response. It provides support using three different modes for integrating CrowdStrike to the Elastic: | |
The [CrowdStrike](https://www.crowdstrike.com/) Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualization and incident response. It provides support using three different modes for integrating CrowdStrike to the Elastic: |
Just to have conformity with our docs.
1. Remove the update min kibana version from changelog. 2. Add script to remove CS from threat.tactic.id and threat.technique.id. 3. Update the readme.
LGTM 👍🏼
Will merge once CI finishes successfully.
/test
💚 Build Succeeded
Package crowdstrike - 1.31.0 containing this change is available at https://epr.elastic.co/search?package=crowdstrike
* Add support of REST API for Alert and Host.
Type of change
What does this PR do?
event.id tostring in Mobile Detection Summary Pipeline.
Checklist
changelog.yml file.
All changes
How to test this PR locally
Clone integrations repo.
Install the elastic package locally.
Start the elastic stack using the elastic package.
Move to integrations/packages/crowdstrike directory.
Run the following command to run tests.
elastic-package test -v
Automated Test
verbose_crowdstrike.txt
Related issues
Screenshots