Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crowdstrike FDR Mapping Enhancement #4040

Closed
jamiehynds opened this issue Aug 22, 2022 · 4 comments · Fixed by #8684
Closed

Crowdstrike FDR Mapping Enhancement #4040

jamiehynds opened this issue Aug 22, 2022 · 4 comments · Fixed by #8684
Assignees
@efd6
Labels
enhancement New feature or request Integration:crowdstrike CrowdStrike

Comments

@jamiehynds
Copy link

related.ip
Our FDR pipeline currently adds observer.ip, source.ip and destination.ip to related.hosts but customer feedback suggests, it should be added be added to related.ip field instead of related.hosts.
https://github.com/elastic/integrations/blob/main/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml#L1342
https://github.com/elastic/integrations/blob/main/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml#L1834
https://github.com/elastic/integrations/blob/main/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml#L1839

crowdstrike.FirstSeen
Customer has suggested this field is mapped to @timestamp. What field do we currently rely on to generate the timestamp? We do have a threat.indicator.first_seen but not a good fit here, as it relates more to IOC's.
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds jamiehynds added Integration:crowdstrike CrowdStrike enhancement New feature or request labels Aug 22, 2022
@jamiehynds
Copy link
Author

Currently blocked by elastic/kibana#134321

@botelastic
Copy link

botelastic bot commented Aug 31, 2023

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Aug 31, 2023
@botelastic botelastic bot removed the Stalled label Dec 6, 2023
@efd6
Copy link
Contributor

efd6 commented Dec 10, 2023

Regarding the timestamp, the logic is to take the first available value from the FDR data in the following list:

  1. UTCTimestamp
  2. timestamp
  3. CreationTimeStamp
  4. AgentLocalTime
  5. _time

This seems fairly sensible to me, and there will always be an argument that it should be different, no matter what we have, so I'm not sure it should be changed.

@efd6 efd6 mentioned this issue Dec 10, 2023
Merged
4 tasks
@efd6 efd6 mentioned this issue Dec 18, 2023
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@efd6 efd6

Labels
enhancement New feature or request Integration:crowdstrike CrowdStrike
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

crowdstrike: do not populate related.hosts with IP values efd6/integrations
3 participants
@elasticmachine @jamiehynds @efd6