[CrowdStrike] Add support of REST API for Alert and Host #8790
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jamiehynds
reviewed
Jan 15, 2024
|
|
||
| ## Logs | ||
|
|
||
| ### Alert |
There was a problem hiding this comment.
This datastream also supports events via Event Stream? If that's the case we should make this more descriptive as it currently sounds like it's limited to alerts.
There was a problem hiding this comment.
This PR contains support for Alert and Host endpoint only.
Waiting for the Customer's feedback on the Event Stream API Data Collection then we can plan to add the support in this PR or maybe in a separate PR.
jamiehynds
reviewed
Jan 15, 2024
| The minimum **kibana.version** required is **8.10.1**. | ||
|
|
||
| ## Setup | ||
| ### To collect data from CrowdStrike REST API, the following parameters from your CrowdStrike instance are required: |
There was a problem hiding this comment.
Does a customer need to ensure the Event Stream API is enabled also? Do they have to contact CrowdStrike support in order to enable the API?
Worth noting that a user who tested the pre-release of this package had to grant “read” scope to “alerts” and “hosts” via Crowdstrike in order to get the data. Are these permissions required on our end? If so, we should be documenting it.
There was a problem hiding this comment.
Yes. Customers need to add the read scopes for the endpoints using the CrowdStrike instance. As this PR only supports Alert and Host endpoint hence added details of the required scopes for the same inside the Setup section.
jamiehynds
reviewed
Jan 15, 2024
| - `falcon` dataset: consists of endpoint data and Falcon platform audit data forwarded from [Falcon SIEM Connector](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/). | ||
| - `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). | ||
| - `host` dataset: retrieves all the hosts in your environment. It is supported through the REST API. | ||
|
|
||
| ## Compatibility | ||
|
|
||
| This integration supports CrowdStrike Falcon SIEM-Connector-v2.0. |
There was a problem hiding this comment.
We should adjust this if we no longer require the Falcon SIEM Connector. While users can still use it, this update provides the ability to ingest data directly via the API, avoiding the need for SIEM Connector. If possible, we should also include language to explain API vs SIEM Connector to avoid any confusion.
There was a problem hiding this comment.
Currently, we have not removed the support of Falcon SIEM connector. Users will have two options -
- Collect logs via API
- Collect logs via Falcon SIEM connector
Let me know if you want me to remove the support of Falcon SIEM connector.
Agrees with you that we can include language to explain API vs SIEM connector to avoid the confusion. Will update that.
There was a problem hiding this comment.
@mohitjha-elastic definitely don't remove the SIEM Connector support, as that's what user rely on today. But definitely some language to make it clear that we support both SIEM Connector and API, and the SIEM Connector is not required if you're ingest directly via the API.
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
|
/test |
efd6
reviewed
Jan 16, 2024
| Content-Type: | ||
| - application/json | ||
| body: |- | ||
| {"resources": [{"agent_id":"2ce412d17b334ad4adc8c1c54dbfec4b","aggregate_id":"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","alleged_filetype":"exe","cid":"92012896127c4a948236ba7601b886b0","cloud_indicator":"false","cmdline":"\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"","composite_id":"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","confidence":10,"context_timestamp":"2023-11-03T18:00:31Z","control_graph_id":"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778","crawl_edge_ids":{"Sensor":["KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2J<d2T/ji6R&RIHe-tZSkP*q?HW;:leq.:kk)>IVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N","KZcZA__;?\"cmott@m_k)MSZ^+C?.cg<Lga#0@71X07*LY2teE56*16pL[=!bjF7g@0jOQE'jT6RX_F@sr#RP-U/d[#nm9A,A,W%cl/T@<W`alY1K_h%QDBBF;_e7S!!*'!","KZd)iK2;s\\ckQl_P*d=Mo?^a7/JKc\\*L48169!7I5;0\\<H^hNG\"ZQ3#U3\"eo<>92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';e<OHh9AmlT?5<gGqK:*L99kat+P)eZ$HR\"Ql@Q!!!$!rr","N6=Ks_B9Bncmur)?\\[fV$k/N5;:6@aB$P;R$2XAaPJ?E<G5,UfaP')8#2AY4ff+q?T?b0/RBi-YAeGmb<6Bqp[DZh#I(jObGkjJJaMf\\:#mb;BM\\L[g!\\F*M!!*'!","N6B%O`'=_7d#%u&d[+LTNDs<3307?8n=GrFI:4YYGCL,cIt-Tuj!&<6:3RbC`uNjL#gW&=)E`4^/'fp*.bFX@p_$,R6.\"=lV*T*5Vf`c.:nkd$+YD:DJ,Ls0[sArC')K%YTc$:@kUQW5s8N","N6B%s!\\k)ed$F6>a%iM\"<FTSe/eH8M:<9gf;$$.b??kpC*99aX!Lq:g6:Q3@Ga4Zrb@MaMa]L'YAt$IFBu])\"H^sF$r7gDPf6&CHpVKO3<DgK9,Y/e@V\"b&m!<<'","N6CU&`%VT\"d$=67=h\\I)/BJH:8-lS!.%\\-!$1@bAhtVO?q4]9'9'haE4N0*-0Uh'-'f',YW3]T=jL3D#N=fJi]Pp-bWej+R9q[%h[p]p26NK8q3b50k9G:.&eM<Qer>__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!","N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr","N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'","N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_<r/JG0TCEQ!Ug(be3)&R2JnX+RSqorgC-NCjf6XATBWX(5<L1J1DV>44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N"]},"crawl_vertex_ids":{"Sensor":["aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600","mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135","pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993","quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425"]},"crawled_timestamp":"2023-11-03T19:00:23.985020992Z","created_timestamp":"2023-11-03T18:01:23.995794943Z","data_domains":["Endpoint"],"description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.","device":{"agent_load_flags":"0","agent_local_time":"2023-10-12T03:45:57.753Z","agent_version":"7.04.17605.0","bios_manufacturer":"ABC","bios_version":"F8CN42WW(V2.05)","cid":"92012896127c4a948236ba7601b886b0","config_id_base":"65994763","config_id_build":"17605","config_id_platform":"3","device_id":"2ce412d17b334ad4adc8c1c54dbfec4b","external_ip":"81.2.69.142","first_seen":"2023-04-07T09:36:36Z","groups":["18704e21288243b58e4c76266d38caaf"],"hostinfo":{"active_directory_dn_display":["WinComputers","WinComputers\\ABC"],"domain":"ABC.LOCAL"},"hostname":"ABC709-1175","last_seen":"2023-11-03T17:51:42Z","local_ip":"81.2.69.142","mac_address":"ab-21-48-61-05-b2","machine_domain":"ABC.LOCAL","major_version":"10","minor_version":"0","modified_timestamp":"2023-11-03T17:53:43Z","os_version":"Windows11","ou":["ABC","WinComputers"],"platform_id":"0","platform_name":"Windows","pod_labels":null,"product_type":"1","product_type_desc":"Workstation","site_name":"Default-First-Site-Name","status":"normal","system_manufacturer":"LENOVO","system_product_name":"20VE"},"falcon_host_link":"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","filename":"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","filepath":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","grandparent_details":{"cmdline":"C:\\Windows\\system32\\userinit.exe","filename":"userinit.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe","local_process_id":"4328","md5":"b07f77fd3f9828b2c9d61f8a36609741","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135","process_id":"392734873135","sha256":"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","timestamp":"2023-10-30T16:49:19Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"yuvraj.mahajan"},"has_script_or_module_ioc":"true","id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","indicator_id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","ioc_context":[{"ioc_description":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","ioc_source":"library_load","ioc_type":"hash_sha256","ioc_value":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","type":"module"}],"ioc_values":[],"is_synthetic_quarantine_disposition":true,"local_process_id":"17076","logon_domain":"ABSYS","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","name":"PrewittPupAdwareSensorDetect-Lowest","objective":"FalconDetectionMethod","parent_details":{"cmdline":"C:\\WINDOWS\\Explorer.EXE","filename":"explorer.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\explorer.exe","local_process_id":"1040","md5":"8cc3fcdd7d52d2d5221303c213e044ae","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","process_id":"392736520876","sha256":"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","timestamp":"2023-11-03T18:00:32Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"},"parent_process_id":"392736520876","pattern_disposition":2176,"pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.","pattern_disposition_details":{"blocking_unsupported_or_disabled":false,"bootup_safeguard_enabled":false,"critical_process_disabled":false,"detect":false,"fs_operation_blocked":false,"handle_operation_downgraded":false,"inddet_mask":false,"indicator":false,"kill_action_failed":false,"kill_parent":false,"kill_process":false,"kill_subprocess":false,"operation_blocked":false,"policy_disabled":false,"process_blocked":true,"quarantine_file":true,"quarantine_machine":false,"registry_operation_blocked":false,"rooting":false,"sensor_only":false,"suspend_parent":false,"suspend_process":false},"pattern_id":5761,"platform":"Windows","poly_id":"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==","process_end_time":"1699034421","process_id":"399748687993","process_start_time":"1699034413","product":"epp","quarantined_files":[{"filename":"\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","id":"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","state":"quarantined"}],"scenario":"NGAV","severity":30,"sha1":"0000000000000000000000000000000000000000","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","show_in_ui":true,"source_products":["FalconInsight"],"source_vendors":["CrowdStrike"],"status":"new","tactic":"MachineLearning","tactic_id":"CSTA0004","technique":"Adware/PUP","technique_id":"CST0000","timestamp":"2023-11-03T18:00:22.328Z","tree_id":"1931778","tree_root":"38687993","triggering_process_graph_id":"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993","type":"ldt","updated_timestamp":"2023-11-03T19:00:23.985007341Z","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"}]} |
There was a problem hiding this comment.
Would it be reasonable to pretty format this JSON to reduce diff noise in the future? This line is almost 10kB long.
I'm wondering if an option in stream to allow minified JSON to be returned when the body is structured for readability.
packages/crowdstrike/changelog.yml
Outdated
Comment on lines
4
to
6
| - description: Add the Input Support of REST API (Alert, Host, and Event Streams) and update the minimum kibana version to 8.10.1. | ||
| type: enhancement | ||
| link: https://github.com/elastic/integrations/pull/8790 |
There was a problem hiding this comment.
Separate change entries?
Suggested change
| - description: Add the Input Support of REST API (Alert, Host, and Event Streams) and update the minimum kibana version to 8.10.1. | |
| type: enhancement | |
| link: https://github.com/elastic/integrations/pull/8790 | |
| - description: Add support for Alert, Host, and Event Streams API endpoints. | |
| type: enhancement | |
| link: https://github.com/elastic/integrations/pull/8790 | |
| - description: Update minimum kibana version to 8.10.1. | |
| type: enhancement | |
| link: https://github.com/elastic/integrations/pull/8790 |
Comment on lines
27
to
95
| ( | ||
| state.with( | ||
| ( | ||
| !state.want_more ? | ||
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" | ||
| + string(state.batch_size) + "&filter=timestamp:>\"" + | ||
| ( | ||
| has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | ||
| state.cursor.last_timestamp + "\"" | ||
| : | ||
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | ||
| ) | ||
| ) | ||
| : | ||
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + | ||
| "&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + | ||
| ( | ||
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | ||
| state.cursor.first_timestamp + "\"" | ||
| : | ||
| "\"" | ||
| ) | ||
| ) | ||
| ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | ||
| "resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | ||
| "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | ||
| "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | ||
| int(state.offset) + int(body.resources.size()) | ||
| : | ||
| 0, | ||
| "url": state.url, | ||
| "batch_size": state.batch_size, | ||
| })) | ||
| ).as(state, state.with( | ||
| has (state.resources) && state.resources != "" ? | ||
| post_request( | ||
| state.url + "/alerts/entities/alerts/v1", | ||
| "application/json", | ||
| {"ids": state.resources }.encode_json() | ||
| ) | ||
| .do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | ||
| "events": inner_body.resources.map(e, { | ||
| "message": e.encode_json(), | ||
| }), | ||
| "cursor": { | ||
| "last_timestamp": ( | ||
| has(inner_body.resources) && inner_body.resources.size() > 0 ? | ||
| inner_body.resources.map(e, e.timestamp).max() | ||
| : | ||
| ( | ||
| has(state.cursor) && has(state.cursor.last_timestamp) ? | ||
| state.cursor.last_timestamp | ||
| : | ||
| null | ||
| ) | ||
| ), | ||
| "first_timestamp": ( | ||
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | ||
| ( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) | ||
| : | ||
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) | ||
| ), | ||
| }, | ||
| })) | ||
| : | ||
| {} | ||
| ) | ||
| ) | ||
| ) |
There was a problem hiding this comment.
Consistent indentation helps readability (untested changes)
Suggested change
| ( | |
| state.with( | |
| ( | |
| !state.want_more ? | |
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" | |
| + string(state.batch_size) + "&filter=timestamp:>\"" + | |
| ( | |
| has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | |
| state.cursor.last_timestamp + "\"" | |
| : | |
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | |
| ) | |
| ) | |
| : | |
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + | |
| "&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + | |
| ( | |
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
| state.cursor.first_timestamp + "\"" | |
| : | |
| "\"" | |
| ) | |
| ) | |
| ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | |
| "resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | |
| "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | |
| "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | |
| int(state.offset) + int(body.resources.size()) | |
| : | |
| 0, | |
| "url": state.url, | |
| "batch_size": state.batch_size, | |
| })) | |
| ).as(state, state.with( | |
| has (state.resources) && state.resources != "" ? | |
| post_request( | |
| state.url + "/alerts/entities/alerts/v1", | |
| "application/json", | |
| {"ids": state.resources }.encode_json() | |
| ) | |
| .do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | |
| "events": inner_body.resources.map(e, { | |
| "message": e.encode_json(), | |
| }), | |
| "cursor": { | |
| "last_timestamp": ( | |
| has(inner_body.resources) && inner_body.resources.size() > 0 ? | |
| inner_body.resources.map(e, e.timestamp).max() | |
| : | |
| ( | |
| has(state.cursor) && has(state.cursor.last_timestamp) ? | |
| state.cursor.last_timestamp | |
| : | |
| null | |
| ) | |
| ), | |
| "first_timestamp": ( | |
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
| ( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) | |
| : | |
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) | |
| ), | |
| }, | |
| })) | |
| : | |
| {} | |
| ) | |
| ) | |
| ) | |
| ( | |
| state.with( | |
| ( | |
| !state.want_more ? | |
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | |
| has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | |
| state.cursor.last_timestamp + "\"" | |
| : | |
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | |
| )) | |
| : | |
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | |
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
| state.cursor.first_timestamp + "\"" | |
| : | |
| "\"" | |
| )) | |
| ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | |
| "resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | |
| "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | |
| "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | |
| int(state.offset) + int(body.resources.size()) | |
| : | |
| 0, | |
| "url": state.url, | |
| "batch_size": state.batch_size, | |
| })) | |
| ).as(state, state.with( | |
| !has(state.resources) || state.resources == "" ? {} : | |
| post_request( | |
| state.url + "/alerts/entities/alerts/v1", | |
| "application/json", | |
| {"ids": state.resources}.encode_json() | |
| ).do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | |
| "events": inner_body.resources.map(e, { | |
| "message": e.encode_json(), | |
| }), | |
| "cursor": { | |
| "last_timestamp": ( | |
| has(inner_body.resources) && inner_body.resources.size() > 0 ? | |
| inner_body.resources.map(e, e.timestamp).max() | |
| : has(state.cursor) && has(state.cursor.last_timestamp) ? | |
| state.cursor.last_timestamp | |
| : | |
| null | |
| ), | |
| "first_timestamp": ( | |
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
| (state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp) | |
| : | |
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) | |
| ), | |
| }, | |
| })) | |
| ) | |
| ) | |
| ) |
| Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" | ||
| - set: | ||
| field: event.kind | ||
| value: pipeline_error |
Comment on lines
27
to
94
| ( | ||
| state.with( | ||
| ( | ||
| !state.want_more ? | ||
| request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=0&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + | ||
| ( | ||
| has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | ||
| state.cursor.last_timestamp + "\"" | ||
| : | ||
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | ||
| ) | ||
| ) | ||
| : | ||
| request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=" + string(state.offset) + | ||
| "&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + | ||
| ( | ||
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | ||
| state.cursor.first_timestamp + "\"" | ||
| : | ||
| "\"" | ||
| ) | ||
| ) | ||
| ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | ||
| "resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | ||
| "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | ||
| "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | ||
| int(state.offset) + int(body.resources.size()) | ||
| : | ||
| 0, | ||
| "url": state.url, | ||
| "batch_size": state.batch_size, | ||
| })) | ||
| ).as(state, state.with( | ||
| has (state.resources) && state.resources != "" ? | ||
| post_request( | ||
| state.url + "/devices/entities/devices/v2", | ||
| "application/json", | ||
| {"ids": state.resources }.encode_json() | ||
| ) | ||
| .do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | ||
| "events": inner_body.resources.map(e, { | ||
| "message": e.encode_json(), | ||
| }), | ||
| "cursor": { | ||
| "last_timestamp": ( | ||
| has(inner_body.resources) && inner_body.resources.size() > 0 ? | ||
| inner_body.resources.map(e, e.modified_timestamp).max() | ||
| : | ||
| ( | ||
| has(state.cursor) && has(state.cursor.last_timestamp) ? | ||
| state.cursor.last_timestamp | ||
| : | ||
| null | ||
| ) | ||
| ), | ||
| "first_timestamp": ( | ||
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | ||
| ( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) | ||
| : | ||
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) | ||
| ), | ||
| }, | ||
| })) | ||
| : | ||
| {} | ||
| ) | ||
| ) | ||
| ) |
There was a problem hiding this comment.
Suggested change
| ( | |
| state.with( | |
| ( | |
| !state.want_more ? | |
| request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=0&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + | |
| ( | |
| has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | |
| state.cursor.last_timestamp + "\"" | |
| : | |
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | |
| ) | |
| ) | |
| : | |
| request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=" + string(state.offset) + | |
| "&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + | |
| ( | |
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
| state.cursor.first_timestamp + "\"" | |
| : | |
| "\"" | |
| ) | |
| ) | |
| ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | |
| "resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | |
| "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | |
| "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | |
| int(state.offset) + int(body.resources.size()) | |
| : | |
| 0, | |
| "url": state.url, | |
| "batch_size": state.batch_size, | |
| })) | |
| ).as(state, state.with( | |
| has (state.resources) && state.resources != "" ? | |
| post_request( | |
| state.url + "/devices/entities/devices/v2", | |
| "application/json", | |
| {"ids": state.resources }.encode_json() | |
| ) | |
| .do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | |
| "events": inner_body.resources.map(e, { | |
| "message": e.encode_json(), | |
| }), | |
| "cursor": { | |
| "last_timestamp": ( | |
| has(inner_body.resources) && inner_body.resources.size() > 0 ? | |
| inner_body.resources.map(e, e.modified_timestamp).max() | |
| : | |
| ( | |
| has(state.cursor) && has(state.cursor.last_timestamp) ? | |
| state.cursor.last_timestamp | |
| : | |
| null | |
| ) | |
| ), | |
| "first_timestamp": ( | |
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
| ( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) | |
| : | |
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) | |
| ), | |
| }, | |
| })) | |
| : | |
| {} | |
| ) | |
| ) | |
| ) | |
| ( | |
| state.with( | |
| ( | |
| !state.want_more ? | |
| request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=0&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + ( | |
| has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | |
| state.cursor.last_timestamp + "\"" | |
| : | |
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | |
| )) | |
| : | |
| request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + "&filter=modified_timestamp:>\"" + ( | |
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
| state.cursor.first_timestamp + "\"" | |
| : | |
| "\"" | |
| )) | |
| ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { | |
| "resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", | |
| "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), | |
| "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? | |
| int(state.offset) + int(body.resources.size()) | |
| : | |
| 0, | |
| "url": state.url, | |
| "batch_size": state.batch_size, | |
| })) | |
| ).as(state, state.with( | |
| !has(state.resources) || state.resources == "" ? {} : | |
| post_request( | |
| state.url + "/devices/entities/devices/v2", | |
| "application/json", | |
| {"ids": state.resources }.encode_json() | |
| ).do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { | |
| "events": inner_body.resources.map(e, { | |
| "message": e.encode_json(), | |
| }), | |
| "cursor": { | |
| "last_timestamp": ( | |
| has(inner_body.resources) && inner_body.resources.size() > 0 ? | |
| inner_body.resources.map(e, e.modified_timestamp).max() | |
| : has(state.cursor) && has(state.cursor.last_timestamp) ? | |
| state.cursor.last_timestamp | |
| : | |
| null | |
| ), | |
| "first_timestamp": ( | |
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | |
| ( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) | |
| : | |
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) | |
| ), | |
| }, | |
| })) | |
| ) | |
| ) | |
| ) |
| want_more: false | ||
| offset: 0 | ||
| batch_size: {{batch_size}} | ||
| program: | |
There was a problem hiding this comment.
Please add a redact field. docs.
kcreddy
reviewed
Jan 16, 2024
| field: message | ||
| tag: rename_message_to_event_original | ||
| target_field: event.original | ||
| ignore_missing: true |
There was a problem hiding this comment.
Add if: ctx.event?.original == null
| field: event.original | ||
| tag: json_event_original | ||
| target_field: json | ||
| ignore_failure: true |
There was a problem hiding this comment.
Can you remove ignore_failure: true wherever its not needed? We shouldn't be hiding any errors. Applies to rest of the datastreams as well.
| "preserve_original_event" | ||
| ], | ||
| "user": { | ||
| "name": "NA.NET.ABC.com\\abc.service" |
There was a problem hiding this comment.
This should be split into user.domain\\user.name
| "host": { | ||
| "hostname": "CLM101-131.local", | ||
| "ip": [ | ||
| "81.2.69.192" |
There was a problem hiding this comment.
Can you apply geoip processor on this IP?
| field: message | ||
| tag: rename_message_to_event_original | ||
| target_field: event.original | ||
| ignore_missing: true |
There was a problem hiding this comment.
Add if: ctx.event?.original == null
jamiehynds
reviewed
Jan 17, 2024
| @@ -3,15 +3,44 @@ | |||
| This integration is for [CrowdStrike](https://www.crowdstrike.com/resources/?cs_query=type=5) products. It includes the | |||
There was a problem hiding this comment.
Can we adjust the introduction to read: The CrowdStrike Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualisation and incident response.
narph
added
Team:Security-Service Integrations
efd6
reviewed
Jan 30, 2024
...rowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml
Show resolved
Hide resolved
| state.with( | ||
| ( | ||
| !state.want_more ? | ||
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( |
There was a problem hiding this comment.
Suggested change
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | |
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + '&filter=timestamp:>"' + ( |
| !state.want_more ? | ||
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | ||
| has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? | ||
| state.cursor.last_timestamp + "\"" |
There was a problem hiding this comment.
Suggested change
| state.cursor.last_timestamp + "\"" | |
| state.cursor.last_timestamp + '"' |
| (now - duration(state.initial_interval)).format(time_layout.RFC3339) + "\"" | ||
| )) | ||
| : | ||
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( |
There was a problem hiding this comment.
Suggested change
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | |
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + '&filter=timestamp:>"' + ( |
| : | ||
| request("GET", state.url + "/alerts/queries/alerts/v1?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + "&filter=timestamp:>\"" + ( | ||
| has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? | ||
| state.cursor.first_timestamp + "\"" |
There was a problem hiding this comment.
Suggested change
| state.cursor.first_timestamp + "\"" | |
| state.cursor.first_timestamp + '"' |
|
/test |
🚀 Benchmarks reportTo see the full report comment with |
Replace the occurence of double quotes inside double quotes with the double quotes inside single quotes for all the cel.yml.hbs files.
jamiehynds
reviewed
Feb 6, 2024
| following datasets for receiving logs: | ||
| The [CrowdStrike](https://www.crowdstrike.com/) Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualisation and incident response. It provides support using two different modes for integrating CrowdStrike to the Elastic: | ||
|
|
||
| 1. Falcon SIEM Connector: This is a pre-built integration designed to connect CrowdStrike Falcon with Security Information and Event Management (SIEM) systems. It streamlines the flow of security data from CrowdStrike Falcon to the SIEM, providing a standardized and structured way of feeding information into the SIEM platform. It includes the following datasets for receiving logs: | ||
|
|
||
| - `falcon` dataset: consists of endpoint data and Falcon platform audit data forwarded from [Falcon SIEM Connector](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/). | ||
| - `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). |
There was a problem hiding this comment.
@mohitjha-elastic Falcon Data Replicator (FDR) is a separate product from CrowdStrike and it doesn't rely on the SIEM Connector. Can we ensure FDR has it's own section. It's currently under our SIEM Connector section, which implies that SIEM Connector is required.
jamiehynds
reviewed
Feb 8, 2024
| }, | ||
| "event": { | ||
| "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", | ||
| "kind": "alert", |
There was a problem hiding this comment.
@mohitjha-elastic is it possible to also populate event.category:malware for alerts that relate to malware?
There was a problem hiding this comment.
We are not getting any specific fields from which we can categorize it if it's related to malware.
jamiehynds
reviewed
Feb 8, 2024
| "alert": { | ||
| "agent_id": "2ce412d17b334ad4adc8c1c54dbfec4b", | ||
| "aggregate_id": "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", | ||
| "alleged_filetype": "exe", |
There was a problem hiding this comment.
I guess we can not because looking at the responses it's not giving file extensions everytime.
There was a problem hiding this comment.
Got it,thanks @mohitjha-elastic. I was going on the assumption that the filetype is always an extension.
jamiehynds
reviewed
Feb 8, 2024
| "poly_id": "AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", | ||
| "process_end_time": "2023-11-03T18:00:21.000Z", | ||
| "process_id": "399748687993", | ||
| "process_start_time": "2023-11-03T18:00:13.000Z", |
jamiehynds
reviewed
Feb 8, 2024
| "pattern_id": "5761", | ||
| "platform": "Windows", | ||
| "poly_id": "AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", | ||
| "process_end_time": "2023-11-03T18:00:21.000Z", |
jamiehynds
reviewed
Feb 8, 2024
| ], | ||
| "status": "new", | ||
| "tactic": "MachineLearning", | ||
| "tactic_id": "CSTA0004", |
There was a problem hiding this comment.
@mohitjha-elastic map to threat.tactic.id? https://www.elastic.co/guide/en/ecs/current/ecs-threat.html#field-threat-tactic-id
jamiehynds
reviewed
Feb 8, 2024
| "CrowdStrike" | ||
| ], | ||
| "status": "new", | ||
| "tactic": "MachineLearning", |
There was a problem hiding this comment.
jamiehynds
reviewed
Feb 8, 2024
| "status": "new", | ||
| "tactic": "MachineLearning", | ||
| "tactic_id": "CSTA0004", | ||
| "technique": "Adware/PUP", |
There was a problem hiding this comment.
jamiehynds
reviewed
Feb 8, 2024
| "tactic": "MachineLearning", | ||
| "tactic_id": "CSTA0004", | ||
| "technique": "Adware/PUP", | ||
| "technique_id": "CST0000", |
There was a problem hiding this comment.
jamiehynds
reviewed
Feb 9, 2024
| @@ -0,0 +1,295 @@ | |||
| { | |||
| "expected": [ | |||
There was a problem hiding this comment.
@tomsonpl we're about to add support for CrowdStrike unified alerts, which pull alerts directly from their API and provides more information than the DetectionSummary events. Can you take a quick look at the mappings in this sample log and assess if any tweaks are required in order to populate Analyzer?
kcreddy
approved these changes
Feb 13, 2024
|
@kcreddy LGTM to me - ok to merge. |
|
@mohitjha-elastic we can merge once you remove remove merge conflicts and after Jamie's suggestions are implemented. |
…crowdstrike-1.29.0
@kcreddy Removed the merge conflicts and implemented the changed suggested by Jamie. You can take a final look then we are good to go. |
mohitjha-elastic
force-pushed
the
crowdstrike-1.29.0
branch
from
cdcf7b4
to
a4d5535
Compare
Resolve conflicts by updating the changelog version. Change the alert endpoint from v1 to v2 as the v2 version has rolled out. Added some ecs mapping as per the suggestion. Change the Readme as per the suggestion in review comments.
mohitjha-elastic
force-pushed
the
crowdstrike-1.29.0
branch
from
a4d5535
to
abfe8a2
Compare
kcreddy
reviewed
Feb 20, 2024
There was a problem hiding this comment.
@mohitjha-elastic Just finished with final review, apologise for the delay.
I verified all of Jamie's comments are either included or answered in the comments.
packages/crowdstrike/changelog.yml
Outdated
| - description: Add support for Alert and Host API endpoints. | ||
| type: enhancement | ||
| link: https://github.com/elastic/integrations/pull/8790 | ||
| - description: Update minimum kibana version to 8.11.0. |
There was a problem hiding this comment.
Suggested change
| - description: Update minimum kibana version to 8.11.0. | |
| - description: Update minimum kibana version to 8.12.0. |
| "threat": { | ||
| "tactic": { | ||
| "id": [ | ||
| "CSTA0004" |
There was a problem hiding this comment.
The tactic.id and technique.id doesn't seem to be prefixed with CS as per https://www.elastic.co/guide/en/ecs/current/ecs-threat.html#field-threat-tactic-id. May I know where these values are derived from?
Comment on lines
1182
to
1187
| - append: | ||
| field: threat.tactic.id | ||
| tag: append_threat_tactic_id | ||
| value: '{{{crowdstrike.alert.tactic_id}}}' | ||
| allow_duplicates: false | ||
| if: ctx.crowdstrike?.alert?.tactic_id != null |
There was a problem hiding this comment.
When assigning threat.tactic.id, we could remove CS prefix to match it with ECS standards https://attack.mitre.org/tactics/. Same for techniques
kcreddy
reviewed
Feb 20, 2024
| @@ -1,17 +1,54 @@ | |||
| # CrowdStrike Integration | |||
|
|
|||
| This integration is for [CrowdStrike](https://www.crowdstrike.com/resources/?cs_query=type=5) products. It includes the | |||
| following datasets for receiving logs: | |||
| The [CrowdStrike](https://www.crowdstrike.com/) Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualisation and incident response. It provides support using three different modes for integrating CrowdStrike to the Elastic: | |||
There was a problem hiding this comment.
Suggested change
| The [CrowdStrike](https://www.crowdstrike.com/) Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualisation and incident response. It provides support using three different modes for integrating CrowdStrike to the Elastic: | |
| The [CrowdStrike](https://www.crowdstrike.com/) Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualization and incident response. It provides support using three different modes for integrating CrowdStrike to the Elastic: |
Just to have conformity with our docs.
jamiehynds
approved these changes
Feb 21, 2024
1. Remove the update min kibana version from changelog. 2. Add script to remove CS from threat.tactic.id and threat.technique.id. 3. Update the readme.
kcreddy
approved these changes
Feb 21, 2024
|
/test |
💚 Build Succeeded
History
|
|
97.0% Coverage on New Code
0.0% Duplication on New Code
|
Package crowdstrike - 1.31.0 containing this change is available at https://epr.elastic.co/search?package=crowdstrike |
gizas
pushed a commit
that referenced
this pull request
Mar 13, 2024
* Add support of REST API for Alert and Host.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Type of change
What does this PR do?
event.idtostringin Mobile Detection Summary Pipeline.Checklist
changelog.ymlfile.All changes
How to test this PR locally
Clone integrations repo.
Install the elastic package locally.
Start the elastic stack using the elastic package.
Move to integrations/packages/crowdstrike directory.
Run the following command to run tests.
elastic-package test -vAutomated Test
verbose_crowdstrike.txt
Related issues
Screenshots