crowdstrike: add support for OverwatchGenericDetectionSummaryEvent in falcon data stream#19969
Conversation
… falcon data stream
60cc39d to
cc9d2fd
Compare
✅ Elastic Docs Style Checker (Vale)No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
This comment has been minimized.
This comment has been minimized.
TL;DRBuildkite failed before uploading the pipeline because the post-checkout hook could not merge PR #19969 with Remediation
Investigation detailsRoot CauseThis is a merge-conflict/configuration failure during Buildkite checkout. The build log shows the agent checked out PR commit
Evidence
Verification
What is this? | From workflow: PR Buildkite Detective Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not. |
🚀 Benchmarks reportTo see the full report comment with |
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
| field: event.kind | ||
| value: alert | ||
| tag: set_event_kind | ||
| - append: |
There was a problem hiding this comment.
Severity: 🔵 Low confidence: medium path: packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/overwatch_generic_detection_summary.yml:8
The overwatch pipeline sets event.kind/type but no event.category; add an appropriate ECS event.category (e.g. threat/malware) as the sibling detection pipelines do.
Details
This pipeline sets event.kind: alert and event.type: info but leaves event.category unset. The sibling detection sub-pipelines in this same data stream (detection_summary.yml, mobile_detection_summary.yml) append an event.category (malware). Alerts without an event.category are harder to filter and correlate in category-based security views and detection rules.
Recommendation:
Append a semantically appropriate ECS event.category for the detection, for example:
- append:
field: event.category
value: threat
tag: append_threat_category🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
⚠️ Automated review — verify suggestions before applying.
There was a problem hiding this comment.
@jamiehynds, do you have preference on event.category for OverwatchGenericDetectionSummaryEvent?
There was a problem hiding this comment.
@navnit-elastic I'd recommend event.category: malware to ensure consistency with our other CrowdStrike mappings. Although not every OverWatchDetection will be confirmed malware, they're typically EDR-sourced threat-hunting alerts, so they fall squarely under this category even when the specific finding is behavioral.
There was a problem hiding this comment.
@jamiehynds, Thank you for the confirmation.
|
✅ All changelog entries have the correct PR link. |
|
Reviewed the latest commits 29d28ca…262fff7 (44 commits) — nothing new beyond already posted comments. Review summaryIssues found across earlier commits 5ec1b7c — 1 medium
Issues found across earlier commits 92c387a — 1 high, 1 low
🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
|
💚 Build Succeeded
History
|
|
Tick the box to add this pull request to the merge queue (same as
|
|
Package crowdstrike - 4.2.0 containing this change is available at https://epr.elastic.co/package/crowdstrike/4.2.0/ |
Proposed commit message
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots