Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #16988 to 7.x: New input for CrowdStrike Falcon events #17770

Merged
merged 5 commits into from
Apr 21, 2020
Merged

Cherry-pick #16988 to 7.x: New input for CrowdStrike Falcon events #17770

merged 5 commits into from
Apr 21, 2020

Conversation

tonymeehan
Copy link

@tonymeehan tonymeehan commented Apr 16, 2020
edited by andresrc
Loading

Cherry-pick of PR #16988 to 7.x branch. Original message:

What does this PR do?

This adds a new input for CrowdStrike Falcon events forwarded by CrowdStrike's SIEM forwarder. This input uses the default JSON output format from the SIEM forwarder.

Why is it important?

We've had several users asks us for adding support for CrowdStrike Falcon in ECS. We strive to be data agnostic to help enable our SOC users aggregate all of their data in our SIEM. Using some log data provided by our users, I've put this new module together to ingest the data and convert many fields into ECS (including categorization).

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works

How to test this PR locally

mage update build integTest

Screenshots

crowdstrike mov

Proof this works

[success] 0.85% test_xpack_modules.XPackTest.test_fileset_file_008_crowdstrike: 2.7708s
----------------------------------------------------------------------
Ran 135 tests in 326.929s

OK

I also ran make docs to validate the documentation looked good.

Other comments

I'll squash before merging.

New input for Crowdstrike Falcon events (#16988)
fdec19d 
* Initial commit of the Crowdstrike Falcon module.

* Change default location

* Initial docs file

* asciidoc url

* Adding screenshots.

* Doc updates

* Updating falcon pipeline.

* Doc updates

* Update docs

* Typo in docs.asciidocs

* Documentation fixes.

* all integration tests pass

* Update fields.asciidoc

* Update go.sum

* Added fields.go

* Add crowdstrike.asciidoc

* Add copy of siem images for docs

* PR feedback

* Docs fix

* Update crowdstrike asciidoc

* PR feedback round 2

* Update fields asciidoc

* Consolidate the filesets into one.

* Documentation updates.

* make update

(cherry picked from commit 4e02957)
@tonymeehan tonymeehan requested a review from leehinman April 16, 2020 18:42
leehinman
leehinman requested changes Apr 16, 2020
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

needs a small fix to CHANGELOG, otherwise looks great.

CHANGELOG.next.asciidoc Outdated Show resolved Hide resolved
leehinman
leehinman requested changes Apr 16, 2020
View reviewed changes
CHANGELOG.next.asciidoc Outdated Show resolved Hide resolved
CHANGELOG.next.asciidoc Outdated Show resolved Hide resolved
leehinman
leehinman requested changes Apr 17, 2020
View reviewed changes
CHANGELOG.next.asciidoc Outdated Show resolved Hide resolved
@tonymeehan
Copy link
Author

@leehinman should I update this PR with the fix from #17819 so that tests pass here? Looks like the failing test is due to the issue identified in #17819.

@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@tonymeehan tonymeehan merged commit 5a62b67 into elastic:7.x Apr 21, 2020
@tonymeehan tonymeehan deleted the backport_16988_7.x branch April 21, 2020 13:22
@zube zube bot added [zube]: Done and removed [zube]: Inbox labels Apr 21, 2020
@zube zube bot removed the [zube]: Done label Oct 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leehinman leehinman leehinman approved these changes

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
backport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tonymeehan @elasticmachine @andrewkroh @leehinman @andresrc