Skip to content

crowdstrike: add support for EppDetectionSummaryEvent events #12869

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Mar 26, 2025
Merged

crowdstrike: add support for EppDetectionSummaryEvent events #12869

merged 7 commits into from
Mar 26, 2025
+1,532 −54

Conversation

@efd6
Copy link
Contributor

@efd6 efd6 commented Feb 24, 2025
edited
Loading

Proposed commit message

See title.

Warning

This change needs more tests for coverage of all cases in the event structures that are expected in the new event type.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots
@efd6 efd6 added enhancement New feature or request Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Feb 24, 2025
@efd6 efd6 self-assigned this Feb 24, 2025
@efd6 efd6 force-pushed the 12867-crowdstrike branch 2 times, most recently from 73579d0 to 909cac0 Compare February 24, 2025 03:07
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Feb 24, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport
@efd6 efd6 force-pushed the 12867-crowdstrike branch from 909cac0 to ff1c8b7 Compare March 12, 2025 03:55
@efd6 efd6 marked this pull request as ready for review March 12, 2025 05:26
@efd6 efd6 requested a review from a team as a code owner March 12, 2025 05:26
@elasticmachine
Copy link

elasticmachine commented Mar 12, 2025

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
chrisberkhout
chrisberkhout approved these changes Mar 17, 2025
View reviewed changes
Copy link
Contributor

@chrisberkhout chrisberkhout left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning:
This change needs more tests for coverage of all cases in the event structures that are expected in the new event type.

To be added in the future?
@efd6
Copy link
Contributor Author

efd6 commented Mar 17, 2025

To be added in the future?

Hopefully to be added in this change. Waiting on availability.
@efd6 efd6 force-pushed the 12867-crowdstrike branch from ff1c8b7 to eaca5e4 Compare March 23, 2025 22:13
@efd6 efd6 requested a review from chrisberkhout March 23, 2025 22:13
@efd6
Copy link
Contributor Author

efd6 commented Mar 23, 2025

Replayed the fdr changes on falcon. Largely the same except that falcon depends on a metadata field that triggers specific pipelines. The approach is to have a preamble pipeline that does the necessary changes and then passes on to the old pipeline.

Also added processor for the severity semantics changes. The pipeline tests look odd since (AFAICS) the severities in the test data were fabricated.
efd6
efd6 commented Mar 23, 2025
View reviewed changes
packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
field: event.id
description: Concat the fields used in fingerprint.
tag: set_event_id
if: ctx.crowdstrike?.id != null || ctx.crowdstrike?.aid != null || ctx.crowdstrike?.cid != null
Copy link
Contributor Author

@efd6 efd6 Mar 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kcreddy This likely never happens in real situations, but it does happen in tests. In case it actually does ever happen in real data, I think it would be best to not populate the field.
Copy link
Contributor

@kcreddy kcreddy Mar 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@efd6, Sounds good 👍🏼
@efd6 efd6 force-pushed the 12867-crowdstrike branch from 36d7f62 to 046c655 Compare March 25, 2025 19:36
@efd6 efd6 force-pushed the 12867-crowdstrike branch from 046c655 to ed1f080 Compare March 26, 2025 09:34
@elasticmachine
Copy link

elasticmachine commented Mar 26, 2025

💚 Build Succeeded

History

cc @efd6
@elastic-sonarqube
Copy link

elastic-sonarqube bot commented Mar 26, 2025

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
96.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube
@efd6 efd6 merged commit 9819fb7 into elastic:main Mar 26, 2025
7 checks passed
@efd6 efd6 mentioned this pull request Mar 26, 2025
Closed
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Mar 26, 2025

Package crowdstrike - 1.58.0 containing this change is available at https://epr.elastic.co/package/crowdstrike/1.58.0/
flexitrev pushed a commit that referenced this pull request Mar 28, 2025
@efd6 @flexitrev
crowdstrike: add support for EppDetectionSummaryEvent events (#12869)
597ce90 
Test cases added from: * https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_6 * https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_7 * https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_8
flexitrev pushed a commit that referenced this pull request Mar 28, 2025
@efd6 @flexitrev
crowdstrike: add support for EppDetectionSummaryEvent events (#12869)
53ba957 
Test cases added from: * https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_6 * https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_7 * https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_8
flexitrev pushed a commit that referenced this pull request Mar 28, 2025
@efd6 @flexitrev
crowdstrike: add support for EppDetectionSummaryEvent events (#12869)
f437641 
Test cases added from: * https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_6 * https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_7 * https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_8
@leandrojmp leandrojmp mentioned this pull request May 21, 2025
Closed
@leandrojmp
Copy link
Contributor

leandrojmp commented May 21, 2025
edited
Loading

This change needs more tests for coverage of all cases in the event structures that are expected in the new event type.

@efd6 what do you need to create those tests? some sample events for real use case?

I think I can provide some since I will have some free time and will already get some sample data to contribute with tests on the Cloudflare integration, the hardest thing will be to anonymize the data, but I think it is doable.
@efd6
Copy link
Contributor Author

efd6 commented May 21, 2025

@leandrojmp

what do you need to create those tests? some sample events for real use case?

Yes, what's needed is to populate test-falcon-epp-detection-summary.log so that we are covering more of the logic as described in the original issue. I think we are pretty close (and it's difficult to tell from the coverage report).
@efd6
Copy link
Contributor Author

efd6 commented Jun 5, 2025

@leandrojmp Just pinging to see if you have had a chance to collect some of those Crowdstrike events.
@leandrojmp
Copy link
Contributor

leandrojmp commented Jun 5, 2025

@efd6 I will try to get some sample events today.
@efd6
Copy link
Contributor Author

efd6 commented Jun 29, 2025

@leandrojmp How are we going with getting these events?
@efd6 efd6 mentioned this pull request Sep 1, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

5 participants

@efd6 @elasticmachine @leandrojmp @chrisberkhout @kcreddy