Conversation

@natasha-moore-elastic natasha-moore-elastic commented Jul 29, 2025

Contributes to #2024. Updates the visual event analyzer docs to document support for analyzing events from CrowdStrike and SentinelOne integrations.

Preview: Visual event analyzer

8.x PR: elastic/security-docs#6989

@natasha-moore-elastic natasha-moore-elastic self-assigned this Jul 29, 2025

github-actions bot commented Jul 29, 2025

🔍 Preview links for changed docs


@florent-leborgne florent-leborgne left a comment


LGTM


@nastasha-solomon nastasha-solomon left a comment


lgtm!

@raqueltabuyo

@natasha-moore-elastic I think we need to specify a little bit more on the Crowdstrike side, not sure if all the integration types are supported. I think only Crowdstrike Event Stream and Falcon Data Replicator. @tomsonpl can you confirm this? what is your opinion on this one?


@raqueltabuyo raqueltabuyo left a comment


Specify the Crowdstrike mode of integration that supports analyzer. I think it is only supported with Crowdstrike Event Stream and Falcon Data Replicator but better confirm with @tomsonpl

@tomsonpl

tomsonpl commented Jul 31, 2025

Hey @raqueltabuyo @natasha-moore-elastic 👋

Although it's still the same integration, I think we might mention that analyzer needs process data that comes from either FDR or Falcon Logs.

Screenshot for reference.

natasha-moore-elastic commented Jul 31, 2025

Thanks @tomsonpl! I've added this info now, but let me know if we need to describe this in more detail.
cc @raqueltabuyo

@raqueltabuyo

> Thanks @tomsonpl! I've added this info now, but let me know if we need to describe this in more detail. cc @raqueltabuyo

Hey @natasha-moore-elastic SIEM Connector won't help much here, after speaking with @tomsonpl, we think instead we can have the following:

You can visualize events from the following sources:

- Elastic Defend integration
- Sysmon data collected through Winlogbeat
- CrowdStrike integration (Falcon logs collected through Event Stream or FDR)
- SentinelOne Cloud Funnel integration

@natasha-moore-elastic

> Thanks @tomsonpl! I've added this info now, but let me know if we need to describe this in more detail. cc @raqueltabuyo
>
> Hey @natasha-moore-elastic SIEM Connector won't help much here, after speaking with @tomsonpl, we think instead we can have the following:
>
> You can visualize events from the following sources:
>
> - Elastic Defend integration
> - Sysmon data collected through Winlogbeat
> - CrowdStrike integration (Falcon logs collected through Event Stream or FDR)
> - SentinelOne Cloud Funnel integration

Thanks @raqueltabuyo, I've updated to your suggested wording 👍

@natasha-moore-elastic natasha-moore-elastic enabled auto-merge (squash) July 31, 2025 13:13
@natasha-moore-elastic natasha-moore-elastic merged commit c03a6af into main Jul 31, 2025
7 of 8 checks passed
@natasha-moore-elastic natasha-moore-elastic deleted the issue-2024-edr-analyzer branch July 31, 2025 13:16