
Conversation

@mohitjha-elastic mohitjha-elastic commented Sep 16, 2024

Type

  • Enhancement

Proposed Commit Message

Enhance the existing pipeline by adding new IDP and EPP Alert Fields.
Add some visualizations related to IDP and EPP Alert.
Add support of some new Alert fields coming through v2 API endpoint.
Added test data for the supported fields.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

Clone integrations repo.
Install the elastic package locally.
Start the elastic stack using the elastic package.
Move to integrations/packages/crowdstrike directory.
Run the following command to run tests.
elastic-package test -v

Automated Test

crowdstrike_alert.log

1. Add some visualizations.
2. Add pipeline for the new alert fields.
3. Change device.id to device.device_id to preserve its raw name.
@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner September 16, 2024 11:35
@kcreddy kcreddy added labels Sep 16, 2024: enhancement (New feature or request), Integration:crowdstrike (CrowdStrike), Crest (Contributions from Crest development team), Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations])
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

kcreddy commented Sep 16, 2024

/test

elasticmachine commented Sep 16, 2024

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the dashboard Relates to a Kibana dashboard bug, enhancement, or modification. label Sep 16, 2024
Comment on lines 377 to 380
- rename:
field: json.device.device_id
tag: rename_device_device_id
target_field: crowdstrike.alert.device.id
target_field: crowdstrike.alert.device.device_id
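Review bot: Changing target_field from crowdstrike.alert.device.id to crowdstrike.alert.device.device_id is a breaking change for every existing consumer of the field: saved searches, detection rules, dashboards and any downstream pipeline keyed on crowdstrike.alert.device.id will silently stop matching once the new package version ships. Keep target_field: crowdstrike.alert.device.id and expose the raw device_id name as an alias mapping (type: alias, path: crowdstrike.alert.device.id) in fields.yml instead, which gives the requester the searchable name without renaming. Separately, the visible lines of this rename processor show no ignore_missing: true; if it is not set further down, an alert without json.device.device_id raises a processor error for that document rather than being indexed without the field (unless an on_failure handler catches it).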
Contributor

Is this change essential?
Because renaming this field leads to a breaking change for users who have already been using the field crowdstrike.alert.device.id

Collaborator Author

@kcreddy We got this requirement from their side. Actually, the user is trying to search device_id inside the device object, as it comes that way in the raw log itself; hence this was the actual reason to make this change.
As this will be a breaking change for the user, we can put this in the changelog.

Member

We shouldn't make breaking changes. If device_id is needed then a field alias in the mappings (i.e. fields.yml) could be used. A user could even do this on their own via a logs-crowdstrike.alert-@custom component template.
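
As an added example (not from this PR and not the crowdstrike package's own fields.yml), here is the alias approach suggested above, written in the fields.yml format that elastic-package uses. Only the two field names come from the thread; the keyword type of the target and the description texts are assumptions.

```yaml
# Added example, not part of the PR: keep the existing field as the concrete
# keyword mapping and add a read-only alias under the raw device_id name so
# "crowdstrike.alert.device.device_id" is searchable without renaming anything.
# Assumes this lives in the alert data stream's fields directory (assumed path).
- name: crowdstrike.alert.device.id
  type: keyword
  description: Device ID of the endpoint that raised the alert (assumed description).
- name: crowdstrike.alert.device.device_id
  type: alias
  path: crowdstrike.alert.device.id
  description: Alias preserving the raw device_id name as it appears in the CrowdStrike alert (assumed description).
```

A user who does not want to wait for a package release can get the same result without touching the package by adding a mapping of `{"type": "alias", "path": "crowdstrike.alert.device.id"}` for `crowdstrike.alert.device.device_id` to the `logs-crowdstrike.alert@custom` component template. Two caveats apply either way: an alias is read-only, so an ingest pipeline or client that writes to the alias name instead of the target gets a mapping error, and the path must point at a concrete leaf field, not an object or another alias. That restriction is exactly why an alias, rather than a rename, is the right way to preserve the raw name: queries, aggregations and rules keep working against both names while the indexed value exists only once.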

…crowdstrike-1.41.0 Conflicts:	packages/crowdstrike/changelog.yml
Added ECS mappings as per the review comment suggestions.
kcreddy commented Sep 18, 2024

/test

…crowdstrike-1.41.0 Conflicts:	packages/crowdstrike/changelog.yml	packages/crowdstrike/manifest.yml
1. Add foreach loop for appending tags.
2. Remove the breaking change to rename device id in alert pipeline.
kcreddy commented Sep 20, 2024

/test

@elasticmachine

💚 Build Succeeded

History

@kcreddy kcreddy merged commit 3189c70 into elastic:main Sep 20, 2024
kcreddy commented Sep 20, 2024

@mohitjha-elastic , could you also remove device.id renaming from the PR description?

@elastic-vault-github-plugin-prod

Package crowdstrike - 1.42.0 containing this change is available at https://epr.elastic.co/search?package=crowdstrike

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
Add Support of IDP and EPP Alert Fields.
  • Enhance the existing pipeline by adding new IDP and EPP Alert Fields.
  • Add some visualizations related to IDP and EPP Alert.
  • Add support of some new Alert fields coming through v2 API endpoint.
  • Added test data for the supported fields.
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025 (same commit message as the Feb 4 commit)
