
Conversation

@navnit-elastic
Contributor

@navnit-elastic navnit-elastic commented Sep 16, 2025

Proposed commit message

Note

For all events:

  • Add mapping aid to host.id.
  • The following is valid for all events with the event.action ending with *Written, except for PeFileWritten, NewExecutableWritten, NewScriptWritten
    • event.category is not set for events ending with Written
    • event.action should be set to creation
  • Add mapping ContextProcessId to process.entity_id (mapping ParentProcessId to process.parent.entity_id is already present) in network, file, configuration, registry, driver events.

Registry events (event.category=registry):

  • Add support for following new events:
    • RegCrowdstrikeKeyUpdate
    • RegCrowdstrikeValueUpdate
  • Remove extra backslash (\) in the start of registry.key.
  • Populate registry.path when RegValueName is empty
    • Some events do not populate RegValueName. We can check if it is the case and use only RegObjectName if it is the only one available. Sample doc
  • crowdstrike.RegOperationType
    • On RegOperationType 3 event.type is set to both change and creation, should be creation only
  • On RegOperationType 4 event.type is set to change, but it is related to deletion, we should set it to deletion, and don’t populate event.type with change by default.

File events (event.category=file):

  • crowdstrike.OriginalFilename is being mapped to process.pe.original_file_name:
    • We should map it to file.pe.original_file_name instead
  • user.id is not populated
    • We can use FileOperatorSid to populate it when present
  • Set event.type to creation on FileDetectInfo events.
  • For NewExecutableRenamed and FileRenameInfo event.action values:
    • Use crowdstrike.TargetFileName to populate file.path
      • We can extract the file name from it to populate file.name
    • Use crowdstrike.SourceFileName to populate file.Ext.original.path
      • We can extract the file name from it to populate file.Ext.original.name

Library events (event.category=library):

  • crowdstrike.OriginalFilename is being mapped to process.pe.original_file_name:
    • We should map it to dll.pe.original_file_name instead
  • dll.code_signature.trusted is being populated with true even for unsigned DLLs
    • The documentation says that ImageSignatureLevel 2 is ENTERPRISE (0x2), but when I tested with an unsigned DLL it was populated with 2. However, we can combine it with ImageSignatureType so it becomes more reliable.
    • Here is a more specific logic so we can refine this:
      • If ImageSignatureType == 0 (NONE (0x0)):
        • Set dll.code_signature.exists to false
        • Set dll.code_signature.trusted to false
      • If ImageSignatureType >= 1 and ImageSignatureLevel is 0 or 1:
        • Set dll.code_signature.exists to true
        • Set dll.code_signature.trusted to false
      • If ImageSignatureType >= 1 and ImageSignatureLevel >= 2:
        • Set dll.code_signature.exists to true
        • Set dll.code_signature.trusted to true
  • Drop process.pid, I mistakenly suggested that we could use ContextProcessId to populate it, but considering other events, this doesn’t make sense

Driver events (event.category=driver):

  • crowdstrike.OriginalFilename is being mapped to process.pe.original_file_name:
    • We should map it to dll.pe.original_file_name instead
  • CertificatePublisher can be used to populate dll.code_signature.subject_name
  • ImageFileName can be used to populate dll.path
    • dll.name can be extracted from the ImageFileName path
  • ContextProcessId can be used to populate process.entity_id
  • event.action can be set to load
  • SHA256HashData can be used to populate dll.hash.sha256
  • MD5HashData can be used to populate dll.hash.md5
  • ServiceDisplayName can be used to populate service.name

Additional adjustments:

Misclassification of events as malware

  • Remove malware from event.category for the following events:
    • AssociateIndicator
    • SensitiveWmiQuery
      • Keep event.category process only, not malware
    • SuspiciousCreateSymbolicLink
      • Drop the malware value, keep the file
    • DetectionExcluded
      • Use event.category configuration, not malware
    • RegistryOperationDetectInfo
      • Drop the malware value, keep the registry

Overuse of event.kind: alert

  • Using event.kind == alert too broadly promotes many irrelevant events to security alerts. Set event.kind to event for the following events:
    • ErrorEvent
    • RansomwareOpenFile
    • RansomwareCreateFile
    • ModifyServiceBinary
    • DetectionExcluded
    • SensitiveWmiQuery
    • FileSystemOperationDetectInfo

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots
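The three mapping rules from the description above that carry real logic (the ImageSignatureType/ImageSignatureLevel decision for dll.code_signature, the registry.key/registry.path and RegOperationType handling, and the rename mapping of TargetFileName/SourceFileName) are easy to get subtly wrong in a Painless script, so here is a stand-alone Python reference for them run over constructed sample events. This is an added example, not the integration's ingest pipeline or any CrowdStrike code. The input field names are the raw Falcon names the PR cites; dispatching on `event_simpleName`, the constructed event name `ExampleLibraryLoad`, and mapping only the two RegOperationType values the PR documents (leaving event.type unset otherwise) are assumptions of this example.

```python
import ntpath
from typing import Any

# Added example (not the integration's pipeline): reference implementation of
# the mapping rules described in the PR, applied to constructed Falcon events.

# RegOperationType values the PR documents. Anything else is left unset rather
# than defaulting to "change", as the PR asks. (Assumption: no other mappings.)
REG_OPERATION_EVENT_TYPE = {3: "creation", 4: "deletion"}

# Events the PR downgrades from event.kind: alert to event.kind: event.
DOWNGRADE_TO_EVENT = {
    "ErrorEvent", "RansomwareOpenFile", "RansomwareCreateFile",
    "ModifyServiceBinary", "DetectionExcluded", "SensitiveWmiQuery",
    "FileSystemOperationDetectInfo",
}
RENAME_EVENTS = {"NewExecutableRenamed", "FileRenameInfo"}


def code_signature(ev: dict[str, Any]) -> dict[str, bool]:
    """Derive dll.code_signature.exists/trusted from ImageSignatureType and
    ImageSignatureLevel. Type 0 (NONE) is unsigned regardless of level, which
    is why level alone (the old logic) marked unsigned DLLs as trusted."""
    sig_type = int(ev.get("ImageSignatureType", 0))
    sig_level = int(ev.get("ImageSignatureLevel", 0))
    if sig_type == 0:
        return {"exists": False, "trusted": False}
    return {"exists": True, "trusted": sig_level >= 2}


def registry_fields(ev: dict[str, Any]) -> dict[str, Any]:
    """Build registry.key/value/path and event.type from a registry event."""
    key = ev["RegObjectName"]
    if key.startswith("\\"):  # drop the single extra leading backslash
        key = key[1:]
    value = ev.get("RegValueName") or None  # empty string counts as absent
    out: dict[str, Any] = {
        "registry.key": key,
        "registry.path": f"{key}\\{value}" if value else key,
    }
    if value:
        out["registry.value"] = value
    op = ev.get("RegOperationType")
    if op is not None and int(op) in REG_OPERATION_EVENT_TYPE:
        out["event.type"] = REG_OPERATION_EVENT_TYPE[int(op)]
    return out


def rename_fields(ev: dict[str, Any]) -> dict[str, str]:
    """TargetFileName is the new path, SourceFileName the original one.
    ntpath.basename splits on both backslash and forward slash."""
    target, source = ev["TargetFileName"], ev["SourceFileName"]
    return {
        "file.path": target,
        "file.name": ntpath.basename(target),
        "file.Ext.original.path": source,
        "file.Ext.original.name": ntpath.basename(source),
    }


def normalize(ev: dict[str, Any]) -> dict[str, Any]:
    """Apply the rules above according to the event name (assumed to be in
    event_simpleName) and the fields present."""
    name = ev.get("event_simpleName", "")
    out: dict[str, Any] = {}
    if name in DOWNGRADE_TO_EVENT:
        out["event.kind"] = "event"
    if name in RENAME_EVENTS:
        out.update(rename_fields(ev))
    if name.startswith("Reg") and "RegObjectName" in ev:
        out.update(registry_fields(ev))
    if "ImageSignatureType" in ev or "ImageSignatureLevel" in ev:
        sig = code_signature(ev)
        out["dll.code_signature.exists"] = sig["exists"]
        out["dll.code_signature.trusted"] = sig["trusted"]
    return out


# Constructed sample events (not captured telemetry).
SAMPLES = [
    # unsigned DLL that still reports level 2, the case the PR observed
    {"event_simpleName": "ExampleLibraryLoad",
     "ImageSignatureType": "0", "ImageSignatureLevel": "2"},
    {"event_simpleName": "RegCrowdstrikeValueUpdate", "RegOperationType": "4",
     "RegObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Example", "RegValueName": ""},
    {"event_simpleName": "FileRenameInfo",
     "SourceFileName": "\\Device\\HarddiskVolume3\\Temp\\a.tmp",
     "TargetFileName": "\\Device\\HarddiskVolume3\\Temp\\a.exe"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["event_simpleName"], normalize(sample))
```

Running the script prints the normalised fields for each sample; the first shows `dll.code_signature.trusted` false despite level 2, the second shows `registry.path` falling back to the key and `event.type` set to deletion, and the third shows `file.name` and `file.Ext.original.name` extracted from the device paths.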

@navnit-elastic navnit-elastic self-assigned this Sep 16, 2025
@navnit-elastic navnit-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Sep 16, 2025
@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Sep 16, 2025

🚀 Benchmarks report

Package crowdstrike 👍(1) 💚(3) 💔(1)

Data stream | Previous EPS | New EPS | Diff (%) | Result
falcon | 6896.55 | 5076.14 | -1820.41 (-26.4%) | 💔

To see the full report comment with /test benchmark fullreport

'1':
type: change
action: modification
'2':
Contributor Author


Screenshot 2025-09-08 181109
@navnit-elastic navnit-elastic marked this pull request as ready for review September 18, 2025 10:59
@navnit-elastic navnit-elastic requested a review from a team as a code owner September 18, 2025 10:59
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Contributor

@efd6 efd6 left a comment


This LGTM, but will wait for @w0rk3r before approving.

Contributor

@w0rk3r w0rk3r left a comment


Really great work, some of the asked changes are still missing, but we are close. Thanks!

@elasticmachine

💚 Build Succeeded

History

cc @navnit-elastic

Contributor

@efd6 efd6 left a comment


LGTM but we will wait for confirmation from @w0rk3r.

Contributor

@w0rk3r w0rk3r left a comment


Great stuff, looks g2g for me

@efd6 efd6 merged commit 34b9ef5 into elastic:main Sep 24, 2025
9 checks passed
@elastic-vault-github-plugin-prod

Package crowdstrike - 2.4.0 containing this change is available at https://epr.elastic.co/package/crowdstrike/2.4.0/

@navnit-elastic
Contributor Author

Thank you all!



4 participants