crowdstrike: add shims to recover deprecated fields #11282
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
efd6 added enhancement efd6 force-pushed the e22451-crowdstrike branch 2 times, most recently from 67c1d70 to 5b8f34f Compare 
🚀 Benchmarks reportTo see the full report comment with |
| Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
efd6 force-pushed the e22451-crowdstrike branch from 5b8f34f to bfa6979 Compare 
chrisberkhout approved these changes Oct 14, 2024
Contributor
chrisberkhout left a comment
chrisberkhout left a comment There was a problem hiding this comment.
Looks good.
One comment in a couple of places.
Question about new input data.
Comment on lines +852 to +857
Contributor
There was a problem hiding this comment.
Either:
- move the
ctx.crowdstrike.alertinitalization into
if (c.type == 'module' || c.type == 'script') { ..., or - set a false value.
Comment on lines +1087 to +1093
Contributor
There was a problem hiding this comment.
This new example contains
"ioc_values": [], Does that exist post deprecation?
Contributor Author
There was a problem hiding this comment.
We have no cases to test against. I left it in to ensure that we continue to function correctly with the current state. I have added another test case which is identical to this one, but with that field removed.
This is derived from the first case, but with deprecated fields removed.
The documentation for the deprecation of fields indicates the following correspondences: old new is_synthetic_quarantine_disposition pattern_disposition* to identify quarantined files has_script_or_module_ioc ioc_context ioc_values ioc_value However, there is no other information relating to how these correspond with each other. By inspection of documents from an alerts stream, we can see that pattern_disposition_details contains a quarantine_file boolean. This, with the text in the deprecation notice, hints that we can use this field to get the is_synthetic_quarantine_disposition. The ioc_context field contains an array of object with a type property which in the examples I have available include (only) "module", hinting that this can be used to detect the state corresponding to has_script_or_module_ioc. Finally, ioc_value fields are sprinkled around the documents, so collect them into ioc_values.
efd6 force-pushed the e22451-crowdstrike branch from c2eda94 to 121d1a3 Compare 💚 Build Succeeded
History
cc @efd6 |
|
| Package crowdstrike - 1.43.0 containing this change is available at https://epr.elastic.co/search?package=crowdstrike |
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
The documentation for the deprecation of fields indicates the following correspondences: old new is_synthetic_quarantine_disposition pattern_disposition* to identify quarantined files has_script_or_module_ioc ioc_context ioc_values ioc_value However, there is no other information relating to how these correspond with each other. By inspection of documents from an alerts stream, we can see that pattern_disposition_details contains a quarantine_file boolean. This, with the text in the deprecation notice, hints that we can use this field to get the is_synthetic_quarantine_disposition. The ioc_context field contains an array of object with a type property which in the examples I have available include (only) "module", hinting that this can be used to detect the state corresponding to has_script_or_module_ioc. Finally, ioc_value fields are sprinkled around the documents, so collect them into ioc_values. The test case is derived from the first case, but with deprecated fields removed.
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
The documentation for the deprecation of fields indicates the following correspondences: old new is_synthetic_quarantine_disposition pattern_disposition* to identify quarantined files has_script_or_module_ioc ioc_context ioc_values ioc_value However, there is no other information relating to how these correspond with each other. By inspection of documents from an alerts stream, we can see that pattern_disposition_details contains a quarantine_file boolean. This, with the text in the deprecation notice, hints that we can use this field to get the is_synthetic_quarantine_disposition. The ioc_context field contains an array of object with a type property which in the examples I have available include (only) "module", hinting that this can be used to detect the state corresponding to has_script_or_module_ioc. Finally, ioc_value fields are sprinkled around the documents, so collect them into ioc_values. The test case is derived from the first case, but with deprecated fields removed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots