crowdstrike: improve falcon EppDetectionSummaryEvent field mapping (#13334)

Author: efd6

packages/crowdstrike/changelog.yml

@@ -1,9 +1,14 @@
 # newer versions go on top
+- version: "1.59.0"
+  changes:
+    - description: Improve `EppDetectionSummaryEvent` event field mapping for falcon.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13334
 - version: "1.58.0"
   changes:
     - description: Add support for `EppDetectionSummaryEvent` events.
       type: enhancement
-      link: http://github.com/elastic/integrations/pull/12869
+      link: https://github.com/elastic/integrations/pull/12869
 - version: "1.57.0"
   changes:
     - description: Reduce storage load for less useful or constant fields.

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-epp-detection-summary.log

@@ -689,6 +689,216 @@
             "user": {
                 "name": "azureuser"
             }
+        },
+        {
+            "@timestamp": "2025-03-21T19:07:20.000Z",
+            "crowdstrike": {
+                "event": {
+                    "AgentId": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
+                    "AggregateId": "aggind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:42952716106",
+                    "CompositeId": "cccccccccccccccccccccccccccccccc:ind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:43185188660-10197-561424",
+                    "DataDomains": "Endpoint",
+                    "Description": "For evaluation only - benign, no action needed.",
+                    "FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/cccccccccccccccccccccccccccccccc:ind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:43185188660-10197-561424?_cid=cccccccccccccccccccccccccccccccc",
+                    "FileName": "choice.exe",
+                    "FilePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\choice.exe",
+                    "GrandParentCommandLine": "C:\\Windows\\Explorer.EXE",
+                    "GrandParentImageFileName": "explorer.exe",
+                    "GrandParentImageFilePath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe",
+                    "HostGroups": "88888888888888888888888888888888",
+                    "Hostname": "CISO-DUMMY-CSDEV",
+                    "LocalIP": "192.168.33.133",
+                    "LogonDomain": "CISO-DUMMY-CSDEV",
+                    "MACAddress": "00-0c-29-46-56-09",
+                    "MD5String": "00000000000000000000000000000000",
+                    "Name": "Suspicious Activity",
+                    "Objective": "Falcon Detection Method",
+                    "ParentImageFileName": "cmd.exe",
+                    "ParentImageFilePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe",
+                    "ParentProcessId": 43146803382,
+                    "PatternDispositionDescription": "Detection, standard detection.",
+                    "PatternDispositionFlags": {
+                        "BlockingUnsupportedOrDisabled": false,
+                        "BootupSafeguardEnabled": false,
+                        "ContainmentFileSystem": false,
+                        "CriticalProcessDisabled": false,
+                        "Detect": false,
+                        "FsOperationBlocked": false,
+                        "HandleOperationDowngraded": false,
+                        "InddetMask": false,
+                        "Indicator": false,
+                        "KillActionFailed": false,
+                        "KillParent": false,
+                        "KillProcess": false,
+                        "KillSubProcess": false,
+                        "OperationBlocked": false,
+                        "PolicyDisabled": false,
+                        "ProcessBlocked": false,
+                        "QuarantineFile": false,
+                        "QuarantineMachine": false,
+                        "RegistryOperationBlocked": false,
+                        "Rooting": false,
+                        "SensorOnly": false,
+                        "SuspendParent": false,
+                        "SuspendProcess": false
+                    },
+                    "PatternId": "10197",
+                    "ProcessId": 43185188660,
+                    "SHA1String": "0000000000000000000000000000000000000000",
+                    "SHA256String": "0000000000000000000000000000000000000000000000000000000000000000",
+                    "Severity": 30,
+                    "SeverityName": "Low",
+                    "SourceProducts": "Falcon Insight",
+                    "SourceVendors": "CrowdStrike",
+                    "Type": "ldt",
+                    "UserName": "Administrator"
+                },
+                "metadata": {
+                    "customerIDString": "cccccccccccccccccccccccccccccccc",
+                    "eventType": "EppDetectionSummaryEvent",
+                    "offset": 1532939,
+                    "version": "1.0"
+                }
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "created": "2025-03-21T19:07:20.000Z",
+                "original": "{\"metadata\":{\"customerIDString\":\"cccccccccccccccccccccccccccccccc\",\"offset\":1532939,\"eventType\":\"EppDetectionSummaryEvent\",\"eventCreationTime\":1742584040000,\"version\":\"1.0\"},\"event\":{\"ProcessStartTime\":1742583971,\"ProcessEndTime\":1742583972,\"ProcessId\":43185188660,\"ParentProcessId\":43146803382,\"Hostname\":\"CISO-DUMMY-CSDEV\",\"UserName\":\"Administrator\",\"Name\":\"Suspicious Activity\",\"Description\":\"For evaluation only - benign, no action needed.\",\"Severity\":30,\"SeverityName\":\"Low\",\"FileName\":\"choice.exe\",\"FilePath\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\choice.exe\",\"CommandLine\":\"choice  /m crowdstrike_sample_detection\",\"SHA256String\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"MD5String\":\"00000000000000000000000000000000\",\"SHA1String\":\"0000000000000000000000000000000000000000\",\"LogonDomain\":\"CISO-DUMMY-CSDEV\",\"FalconHostLink\":\"https://falcon.crowdstrike.com/activity-v2/detections/cccccccccccccccccccccccccccccccc:ind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:43185188660-10197-561424?_cid=cccccccccccccccccccccccccccccccc\",\"AgentId\":\"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\",\"CompositeId\":\"cccccccccccccccccccccccccccccccc:ind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:43185188660-10197-561424\",\"LocalIP\":\"192.168.33.133\",\"MACAddress\":\"00-0c-29-46-56-09\",\"Tactic\":\"Malware\",\"Technique\":\"Malicious File\",\"Objective\":\"Falcon Detection Method\",\"PatternDispositionDescription\":\"Detection, standard detection.\",\"PatternDispositionValue\":0,\"PatternDispositionFlags\":{\"Indicator\":false,\"Detect\":false,\"InddetMask\":false,\"SensorOnly\":false,\"Rooting\":false,\"KillProcess\":false,\"KillSubProcess\":false,\"QuarantineMachine\":false,\"QuarantineFile\":false,\"PolicyDisabled\":false,\"KillParent\":false,\"OperationBlocked\":false,\"ProcessBlocked\":false,\"RegistryOperationBlocked\":false,\"CriticalProcessDisabled\":false,\"BootupSafeguardEnabled\":false,\"FsOperationBlocked\":false,\"HandleOperationDowngraded\":false,\"KillActionFailed\":false,\"BlockingUnsupportedOrDisabled\":false,\"SuspendProcess\":false,\"SuspendParent\":false,\"ContainmentFileSystem\":false},\"ParentImageFileName\":\"cmd.exe\",\"ParentCommandLine\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \",\"GrandParentImageFileName\":\"explorer.exe\",\"GrandParentCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"HostGroups\":\"88888888888888888888888888888888\",\"PatternId\":10197,\"SourceVendors\":\"CrowdStrike\",\"SourceProducts\":\"Falcon Insight\",\"DataDomains\":\"Endpoint\",\"AggregateId\":\"aggind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:42952716106\",\"Type\":\"ldt\",\"ParentImageFilePath\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\cmd.exe\",\"GrandParentImageFilePath\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\explorer.exe\",\"LocalIPv6\":\"\"}}",
+                "severity": 21
+            },
+            "observer": {
+                "product": "Falcon",
+                "vendor": "Crowdstrike"
+            },
+            "process": {
+                "args": [
+                    "choice",
+                    "/m",
+                    "crowdstrike_sample_detection"
+                ],
+                "command_line": "choice  /m crowdstrike_sample_detection",
+                "executable": "choice",
+                "parent": {
+                    "args": [
+                        "\"C:\\Windows\\system32\\cmd.exe\""
+                    ],
+                    "command_line": "\"C:\\Windows\\system32\\cmd.exe\"",
+                    "executable": "\"C:\\Windows\\system32\\cmd.exe\""
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2025-03-21T19:10:02.000Z",
+            "crowdstrike": {
+                "event": {
+                    "AgentId": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
+                    "AggregateId": "aggind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:42953194054",
+                    "AssociatedFile": "\\Device\\HarddiskVolume4\\Users\\Administrator\\Desktop\\atera.exe.exe",
+                    "CompositeId": "cccccccccccccccccccccccccccccccc:ind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:43186863960-41001-568080",
+                    "DataDomains": "Endpoint",
+                    "Description": "A process triggered a high severity custom rule.",
+                    "FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/cccccccccccccccccccccccccccccccc:ind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:43186863960-41001-568080?_cid=cccccccccccccccccccccccccccccccc",
+                    "FileName": "atera.exe.exe",
+                    "FilePath": "\\Device\\HarddiskVolume4\\Users\\Administrator\\Desktop\\atera.exe.exe",
+                    "GrandParentCommandLine": "C:\\Windows\\system32\\userinit.exe",
+                    "GrandParentImageFileName": "userinit.exe",
+                    "GrandParentImageFilePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe",
+                    "HostGroups": "88888888888888888888888888888888",
+                    "Hostname": "CISO-DUMMY-CSDEV",
+                    "IOARuleGroupName": "Custom IOA Group - Windows",
+                    "IOARuleInstanceID": "167",
+                    "IOARuleInstanceVersion": 2,
+                    "IOARuleName": "Initial Access via Remote Service (Atera) Block",
+                    "IOCType": "hash_sha256",
+                    "IOCValue": "0000000000000000000000000000000000000000000000000000000000000000",
+                    "LocalIP": "192.168.33.133",
+                    "LogonDomain": "CISO-DUMMY-CSDEV",
+                    "MACAddress": "00-ff-12-46-56-09",
+                    "MD5String": "00000000000000000000000000000000",
+                    "Name": "Suspicious Activity",
+                    "Objective": "Falcon Detection Method",
+                    "ParentImageFileName": "explorer.exe",
+                    "ParentImageFilePath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe",
+                    "ParentProcessId": 43046029968,
+                    "PatternDispositionDescription": "Prevention, process was blocked from execution.",
+                    "PatternDispositionFlags": {
+                        "BlockingUnsupportedOrDisabled": false,
+                        "BootupSafeguardEnabled": false,
+                        "ContainmentFileSystem": false,
+                        "CriticalProcessDisabled": false,
+                        "Detect": false,
+                        "FsOperationBlocked": false,
+                        "HandleOperationDowngraded": false,
+                        "InddetMask": false,
+                        "Indicator": false,
+                        "KillActionFailed": false,
+                        "KillParent": false,
+                        "KillProcess": false,
+                        "KillSubProcess": false,
+                        "OperationBlocked": false,
+                        "PolicyDisabled": false,
+                        "ProcessBlocked": true,
+                        "QuarantineFile": false,
+                        "QuarantineMachine": false,
+                        "RegistryOperationBlocked": false,
+                        "Rooting": false,
+                        "SensorOnly": false,
+                        "SuspendParent": false,
+                        "SuspendProcess": false
+                    },
+                    "PatternDispositionValue": 2048,
+                    "PatternId": "41001",
+                    "ProcessId": 43186863960,
+                    "SHA1String": "0000000000000000000000000000000000000000",
+                    "SHA256String": "0000000000000000000000000000000000000000000000000000000000000000",
+                    "Severity": 70,
+                    "SeverityName": "High",
+                    "SourceProducts": "Falcon Insight",
+                    "SourceVendors": "CrowdStrike",
+                    "Type": "ldt",
+                    "UserName": "Administrator"
+                },
+                "metadata": {
+                    "customerIDString": "cccccccccccccccccccccccccccccccc",
+                    "eventType": "EppDetectionSummaryEvent",
+                    "offset": 1532956,
+                    "version": "1.0"
+                }
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "created": "2025-03-21T19:10:02.000Z",
+                "original": "{\"metadata\":{\"customerIDString\":\"cccccccccccccccccccccccccccccccc\",\"offset\":1532956,\"eventType\":\"EppDetectionSummaryEvent\",\"eventCreationTime\":1742584202000,\"version\":\"1.0\"},\"event\":{\"ProcessStartTime\":1742584138,\"ProcessEndTime\":1742584138,\"ProcessId\":43186863960,\"ParentProcessId\":43046029968,\"Hostname\":\"CISO-DUMMY-CSDEV\",\"UserName\":\"Administrator\",\"Name\":\"Suspicious Activity\",\"Description\":\"A process triggered a high severity custom rule.\",\"Severity\":70,\"SeverityName\":\"High\",\"FileName\":\"atera.exe.exe\",\"FilePath\":\"\\\\Device\\\\HarddiskVolume4\\\\Users\\\\Administrator\\\\Desktop\\\\atera.exe.exe\",\"CommandLine\":\"\\\"C:\\\\Users\\\\Administrator\\\\Desktop\\\\atera.exe.exe\\\" \",\"SHA256String\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"MD5String\":\"00000000000000000000000000000000\",\"SHA1String\":\"0000000000000000000000000000000000000000\",\"LogonDomain\":\"CISO-DUMMY-CSDEV\",\"FalconHostLink\":\"https://falcon.crowdstrike.com/activity-v2/detections/cccccccccccccccccccccccccccccccc:ind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:43186863960-41001-568080?_cid=cccccccccccccccccccccccccccccccc\",\"AgentId\":\"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\",\"IOCType\":\"hash_sha256\",\"IOCValue\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"CompositeId\":\"cccccccccccccccccccccccccccccccc:ind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:43186863960-41001-568080\",\"LocalIP\":\"192.168.33.133\",\"MACAddress\":\"00-ff-12-46-56-09\",\"Tactic\":\"Custom Intelligence\",\"Technique\":\"Indicator of Attack\",\"Objective\":\"Falcon Detection Method\",\"PatternDispositionDescription\":\"Prevention, process was blocked from execution.\",\"PatternDispositionValue\":2048,\"PatternDispositionFlags\":{\"Indicator\":false,\"Detect\":false,\"InddetMask\":false,\"SensorOnly\":false,\"Rooting\":false,\"KillProcess\":false,\"KillSubProcess\":false,\"QuarantineMachine\":false,\"QuarantineFile\":false,\"PolicyDisabled\":false,\"KillParent\":false,\"OperationBlocked\":false,\"ProcessBlocked\":true,\"RegistryOperationBlocked\":false,\"CriticalProcessDisabled\":false,\"BootupSafeguardEnabled\":false,\"FsOperationBlocked\":false,\"HandleOperationDowngraded\":false,\"KillActionFailed\":false,\"BlockingUnsupportedOrDisabled\":false,\"SuspendProcess\":false,\"SuspendParent\":false,\"ContainmentFileSystem\":false},\"ParentImageFileName\":\"explorer.exe\",\"ParentCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"GrandParentImageFileName\":\"userinit.exe\",\"GrandParentCommandLine\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"IOARuleInstanceID\":\"167\",\"IOARuleInstanceVersion\":2,\"IOARuleName\":\"Initial Access via Remote Service (Atera) Block\",\"IOARuleGroupName\":\"Custom IOA Group - Windows\",\"HostGroups\":\"88888888888888888888888888888888\",\"AssociatedFile\":\"\\\\Device\\\\HarddiskVolume4\\\\Users\\\\Administrator\\\\Desktop\\\\atera.exe.exe\",\"PatternId\":41001,\"SourceVendors\":\"CrowdStrike\",\"SourceProducts\":\"Falcon Insight\",\"DataDomains\":\"Endpoint\",\"AggregateId\":\"aggind:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:42953194054\",\"Type\":\"ldt\",\"ParentImageFilePath\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\explorer.exe\",\"GrandParentImageFilePath\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\userinit.exe\",\"LocalIPv6\":\"\"}}",
+                "severity": 73
+            },
+            "observer": {
+                "product": "Falcon",
+                "vendor": "Crowdstrike"
+            },
+            "process": {
+                "args": [
+                    "\"C:\\Users\\Administrator\\Desktop\\atera.exe.exe\""
+                ],
+                "command_line": "\"C:\\Users\\Administrator\\Desktop\\atera.exe.exe\"",
+                "executable": "\"C:\\Users\\Administrator\\Desktop\\atera.exe.exe\"",
+                "parent": {
+                    "args": [
+                        "C:\\Windows\\Explorer.EXE"
+                    ],
+                    "command_line": "C:\\Windows\\Explorer.EXE",
+                    "executable": "C:\\Windows\\Explorer.EXE"
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-epp-detection-summary.log-expected.json

@@ -24,6 +24,8 @@
   fields:
     - name: AccountId
       type: keyword
+    - name: AgentId
+      type: keyword
     - name: AgentIdString
       type: keyword
     - name: AggregateId
@@ -90,6 +92,12 @@
           type: keyword
         - name: Timestamp
           type: keyword
+    - name: FalconHostLink
+      type: keyword
+    - name: FileName
+      type: keyword
+    - name: FilePath
+      type: keyword
     - name: FilesWritten
       type: group
       fields:
@@ -101,8 +109,22 @@
           type: date
     - name: GrandparentImageFilePath
       type: keyword
+    - name: GrandParentCommandLine
+      type: keyword
+    - name: GrandParentImageFileName
+      type: keyword
+    - name: GrandParentImageFilePath
+      type: keyword
+    - name: Hostname
+      type: keyword
     - name: LocalIPv6
       type: ip
+    - name: IOARuleGroupName
+      type: keyword
+    - name: IOARuleInstanceID
+      type: keyword
+    - name: LogonDomain
+      type: keyword
     - name: MobileAppsDetails
       type: group
       fields:
@@ -122,6 +144,8 @@
           type: keyword
         - name: IsContainerized
           type: keyword
+    - name: Name
+      type: keyword
     - name: NetworkAccesses
       type: group
       fields:
@@ -143,8 +167,14 @@
           type: keyword
         - name: RemotePort
           type: keyword
+    - name: PatternDispositionDescription
+      type: keyword
     - name: ParentImageFilePath
       type: keyword
+    - name: ParentProcessId
+      type: long
+    - name: ProcessId
+      type: long
     - name: Region
       type: keyword
     - name: ReportFileReference
@@ -160,6 +190,8 @@
     - name: Type
       type: keyword
       description: 'The endpoint detection type ("ldt": Legacy Endpoint Detection, or "ofp": Office Prevention Macro Detection).'
+    - name: UserName
+      type: keyword
     - name: UserUUID
       type: keyword
     - name: ActivityId
@@ -411,6 +443,8 @@
       description: |
         Flags indicating actions taken.
       fields:
+        - name: ContainmentFileSystem
+          type: boolean
         - name: Detect
           type: boolean
         - name: InddetMask