Skip to content

crowdstrike: add support for OverwatchGenericDetectionSummaryEvent in falcon data stream#19969

Merged
navnit-elastic merged 5 commits into
elastic:mainfrom
navnit-elastic:crowdstrike-19509
Jul 9, 2026
Merged

crowdstrike: add support for OverwatchGenericDetectionSummaryEvent in falcon data stream#19969
navnit-elastic merged 5 commits into
elastic:mainfrom
navnit-elastic:crowdstrike-19509

Conversation

@navnit-elastic

Copy link
Copy Markdown
Contributor

Proposed commit message

crowdstrike: add support for OverwatchGenericDetectionSummaryEvent in falcon data stream

Add a dedicated ingest sub-pipeline to map CompositeId, FalconHostLink,
Description, and Severity to ECS fields, plus pipeline tests, DisplayName
field mapping, and docs.

The sanitized test sample is derived from CrowdStrike documentation.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@navnit-elastic navnit-elastic self-assigned this Jul 6, 2026
@navnit-elastic navnit-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@github-actions

This comment has been minimized.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

TL;DR

Buildkite failed before uploading the pipeline because the post-checkout hook could not merge PR #19969 with main. The merge conflict is in the CrowdStrike package version/changelog files, not in a test job.

Remediation

  • Rebase or merge main into the PR branch and resolve packages/crowdstrike/changelog.yml plus packages/crowdstrike/manifest.yml by keeping the PR's new 4.1.0 CrowdStrike release entry on top of the existing 4.0.0 entry from main.
  • Push the resolved branch and rerun Buildkite; the pipeline upload step should then proceed to the package/test jobs.
Investigation details

Root Cause

This is a merge-conflict/configuration failure during Buildkite checkout. The build log shows the agent checked out PR commit cc9d2fd33f9f43807dd5828de13d451ba6e6356c, fetched main at c3343f6425a, created pr_merge_19969, then failed to merge because both branches changed CrowdStrike release metadata:

Evidence

Auto-merging packages/crowdstrike/changelog.yml
CONFLICT (content): Merge conflict in packages/crowdstrike/changelog.yml
Auto-merging packages/crowdstrike/docs/README.md
Auto-merging packages/crowdstrike/manifest.yml
CONFLICT (content): Merge conflict in packages/crowdstrike/manifest.yml
Automatic merge failed; fix conflicts and then commit the result.
Merge failed: 1
Error: running "repository post-checkout" shell hook: The repository post-checkout hook exited with status 1

Verification

  • Not run: Buildkite never reached package validation or tests because checkout/pipeline upload failed first.

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@navnit-elastic
navnit-elastic marked this pull request as ready for review July 6, 2026 06:16
@navnit-elastic
navnit-elastic requested review from a team as code owners July 6, 2026 06:16
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

field: event.kind
value: alert
tag: set_event_kind
- append:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🔵 Low confidence: medium path: packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/overwatch_generic_detection_summary.yml:8

The overwatch pipeline sets event.kind/type but no event.category; add an appropriate ECS event.category (e.g. threat/malware) as the sibling detection pipelines do.

Details

This pipeline sets event.kind: alert and event.type: info but leaves event.category unset. The sibling detection sub-pipelines in this same data stream (detection_summary.yml, mobile_detection_summary.yml) append an event.category (malware). Alerts without an event.category are harder to filter and correlate in category-based security views and detection rules.

Recommendation:

Append a semantically appropriate ECS event.category for the detection, for example:

- append:
    field: event.category
    value: threat
    tag: append_threat_category

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamiehynds, do you have preference on event.category for OverwatchGenericDetectionSummaryEvent?

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@navnit-elastic I'd recommend event.category: malware to ensure consistency with our other CrowdStrike mappings. Although not every OverWatchDetection will be confirmed malware, they're typically EDR-sourced threat-hunting alerts, so they fall squarely under this category even when the specific finding is behavioral.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamiehynds, Thank you for the confirmation.

@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

✅ All changelog entries have the correct PR link.

@vera-review-bot

Copy link
Copy Markdown

Reviewed the latest commits 29d28ca262fff7 (44 commits) — nothing new beyond already posted comments.

Review summary

Issues found across earlier commits 5ec1b7c — 1 medium
  • 🟡 Overwatch pipeline never maps the event's ISO Timestamp, so @​timestamp falls back to ingest time (link) (Unresolved)
Issues found across earlier commits 92c387a — 1 high, 1 low
  • 🟠 Overwatch events never set @​timestamp from their Timestamp field, so they are stamped with ingest time (link) (Resolved)
  • 🔵 The overwatch pipeline sets event.kind/type but no event.category (link) (Unresolved)

A new commit triggers another review — at most once every 15 minutes. I skip the PR while it's approved or has merge conflicts.

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

💚 Build Succeeded

History

cc @navnit-elastic

@kcreddy kcreddy left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mergify

mergify Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@navnit-elastic
navnit-elastic merged commit b1aa21b into elastic:main Jul 9, 2026
12 checks passed
@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

Package crowdstrike - 4.2.0 containing this change is available at https://epr.elastic.co/package/crowdstrike/4.2.0/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:crowdstrike CrowdStrike Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[CrowdStrike] Add support for OverwatchGenericDetectionSummaryEvent

3 participants