ti_crowdstrike: populate required threat.intelligence fields (#12915)
efd6 authored Mar 3, 2025
1 parent 4df3a48 commit 5841a40
Showing 6 changed files with 186 additions and 15 deletions.
5 changes: 5 additions & 0 deletions packages/ti_crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.3.2"
changes:
- description: Ensure the appropriate `threat.indicator` fields are set to allow population of the Indicator column in Security Intelligence view.
type: bugfix
link: https://github.com/elastic/integrations/pull/12915
- version: "2.3.1"
changes:
- description: Updated SSL description in package manifest.yml to be uniform and to include links to documentation.
Expand Up @@ -845,4 +845,4 @@
}
}
]
}
}
@@ -1 +1,3 @@
{"id":"34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44","type":"ipv4","value":"81.2.69.192","action":"detect again","severity":"critical","description":"IS-38887","metadata":{"filename":"High_Serverity_Heuristic_Sandbox_Threat.docx"},"platforms":["windows","mac","linux"],"tags":["IS-38887"],"expired":false,"deleted":false,"applied_globally":true,"from_parent":false,"created_on":"2023-11-01T10:22:23.10607613Z","created_by":"[email protected]","modified_on":"2023-11-01T10:22:23.10607613Z","modified_by":"[email protected]"}
{"id":"34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44","type":"ipv4","value":"81.2.69.192","action":"detect again","severity":"critical","description":"IS-38887","metadata":{"filename":"High_Serverity_Heuristic_Sandbox_Threat.docx"},"platforms":["windows","mac","linux"],"tags":["IS-38887"],"expired":false,"deleted":false,"applied_globally":true,"from_parent":false,"created_on":"2023-11-01T10:22:23.10607613Z","created_by":"[email protected]","modified_on":"2023-11-01T10:22:23.10607613Z","modified_by":"[email protected]"}
{"action":"prevent","applied_globally":true,"created_by":"[email protected]","created_on":"2025-02-03T10:04:18.39565409Z","deleted":false,"description":"some description","expired":false,"from_parent":false,"id":"e6551b7d4ec26f0775640a62cda253a7e2237e02a9579ba8cdf53e2e649d8b72","metadata":{"av_hits":-1,"company_name":"org.localsend","file_description":"localsend_app","file_version":"1.14.0+45","original_filename":"localsend_app.exe","product_name":"localsend_app","product_version":"1.14.0+45","signed":false},"modified_by":"[email protected]","modified_on":"2025-02-03T10:04:18.39565409Z","platforms":["windows","mac","linux"],"severity":"low","type":"sha256","value":"42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb"}
{"action":"detect","applied_globally":true,"created_by":"[email protected]","created_on":"2025-01-29T09:01:39.125982486Z","deleted":false,"description":"Monitor use of deepseek.","expired":false,"from_parent":false,"id":"01f90f4e9dc9ad772363c725c502798bf91332502ecae2bc222d6ee57cfa091f","metadata":{},"modified_by":"[email protected]","modified_on":"2025-01-29T11:28:52.379311339Z","platforms":["windows","mac","linux"],"severity":"informational","type":"domain","value":"platform.deepseek.com"}
Expand Up @@ -76,6 +76,155 @@
"domain": "example.com",
"name": "abc.it"
}
},
{
"@timestamp": "2025-02-03T10:04:18.395Z",
"ecs": {
"version": "8.11.0"
},
"event": {
"action": "prevent",
"category": [
"threat"
],
"id": "e6551b7d4ec26f0775640a62cda253a7e2237e02a9579ba8cdf53e2e649d8b72",
"kind": "enrichment",
"original": "{\"action\":\"prevent\",\"applied_globally\":true,\"created_by\":\"[email protected]\",\"created_on\":\"2025-02-03T10:04:18.39565409Z\",\"deleted\":false,\"description\":\"some description\",\"expired\":false,\"from_parent\":false,\"id\":\"e6551b7d4ec26f0775640a62cda253a7e2237e02a9579ba8cdf53e2e649d8b72\",\"metadata\":{\"av_hits\":-1,\"company_name\":\"org.localsend\",\"file_description\":\"localsend_app\",\"file_version\":\"1.14.0+45\",\"original_filename\":\"localsend_app.exe\",\"product_name\":\"localsend_app\",\"product_version\":\"1.14.0+45\",\"signed\":false},\"modified_by\":\"[email protected]\",\"modified_on\":\"2025-02-03T10:04:18.39565409Z\",\"platforms\":[\"windows\",\"mac\",\"linux\"],\"severity\":\"low\",\"type\":\"sha256\",\"value\":\"42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb\"}",
"type": [
"indicator"
]
},
"related": {
"hash": [
"42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb"
],
"user": [
"[email protected]"
]
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields"
],
"threat": {
"indicator": {
"description": "some description",
"file": {
"hash": {
"sha256": "42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb"
}
},
"first_seen": "2025-02-03T10:04:18.395Z",
"modified_at": "2025-02-03T10:04:18.395Z",
"name": "42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb",
"provider": "crowdstrike",
"type": "file"
}
},
"ti_crowdstrike": {
"ioc": {
"action": "prevent",
"applied_globally": true,
"created_by": "[email protected]",
"created_on": "2025-02-03T10:04:18.395Z",
"deleted": false,
"description": "some description",
"expired": false,
"from_parent": false,
"id": "e6551b7d4ec26f0775640a62cda253a7e2237e02a9579ba8cdf53e2e649d8b72",
"metadata": {
"av_hits": -1,
"company_name": "org.localsend",
"file_description": "localsend_app",
"file_version": "1.14.0+45",
"original_filename": "localsend_app.exe",
"product_name": "localsend_app",
"product_version": "1.14.0+45",
"signed": false
},
"modified_by": "[email protected]",
"modified_on": "2025-02-03T10:04:18.395Z",
"platforms": [
"windows",
"mac",
"linux"
],
"severity": "low",
"type": "sha256",
"value": "42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb"
}
},
"user": {
"domain": "example.com",
"name": "user"
}
},
{
"@timestamp": "2025-01-29T11:28:52.379Z",
"ecs": {
"version": "8.11.0"
},
"event": {
"action": "detect",
"category": [
"threat"
],
"id": "01f90f4e9dc9ad772363c725c502798bf91332502ecae2bc222d6ee57cfa091f",
"kind": "enrichment",
"original": "{\"action\":\"detect\",\"applied_globally\":true,\"created_by\":\"[email protected]\",\"created_on\":\"2025-01-29T09:01:39.125982486Z\",\"deleted\":false,\"description\":\"Monitor use of deepseek.\",\"expired\":false,\"from_parent\":false,\"id\":\"01f90f4e9dc9ad772363c725c502798bf91332502ecae2bc222d6ee57cfa091f\",\"metadata\":{},\"modified_by\":\"[email protected]\",\"modified_on\":\"2025-01-29T11:28:52.379311339Z\",\"platforms\":[\"windows\",\"mac\",\"linux\"],\"severity\":\"informational\",\"type\":\"domain\",\"value\":\"platform.deepseek.com\"}",
"type": [
"indicator"
]
},
"related": {
"user": [
"[email protected]"
]
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields"
],
"threat": {
"indicator": {
"description": "Monitor use of deepseek.",
"first_seen": "2025-01-29T09:01:39.125Z",
"modified_at": "2025-01-29T11:28:52.379Z",
"name": "platform.deepseek.com",
"provider": "crowdstrike",
"type": "domain-name",
"url": {
"domain": "platform.deepseek.com"
}
}
},
"ti_crowdstrike": {
"ioc": {
"action": "detect",
"applied_globally": true,
"created_by": "[email protected]",
"created_on": "2025-01-29T09:01:39.125Z",
"deleted": false,
"description": "Monitor use of deepseek.",
"expired": false,
"from_parent": false,
"id": "01f90f4e9dc9ad772363c725c502798bf91332502ecae2bc222d6ee57cfa091f",
"modified_by": "[email protected]",
"modified_on": "2025-01-29T11:28:52.379Z",
"platforms": [
"windows",
"mac",
"linux"
],
"severity": "informational",
"type": "domain",
"value": "platform.deepseek.com"
}
},
"user": {
"domain": "example.com",
"name": "user"
}
}
]
}
}
Expand Up @@ -260,6 +260,16 @@ processors:
tag: rename_tags
target_field: ti_crowdstrike.ioc.tags
ignore_missing: true
- rename:
field: json.value
tag: rename_value
target_field: ti_crowdstrike.ioc.value
ignore_missing: true
- set:
field: threat.indicator.name
tag: set_threat_indicator_name
copy_from: ti_crowdstrike.ioc.value
ignore_empty_value: true
- rename:
field: json.type
tag: rename_type
Expand All @@ -280,22 +290,27 @@ processors:
source: >
String mapping = params[ctx.ti_crowdstrike.ioc.type];
if (mapping != null) {
ctx.threat.indicator.type = mapping;
ctx.threat.indicator.type = mapping;
// IP values are handled below to allow conversion checks.
if (ctx.ti_crowdstrike.ioc.type == 'domain') {
ctx.threat.indicator.url = ctx.threat.indicator.url ?: [:];
ctx.threat.indicator.url.domain = ctx.ti_crowdstrike?.ioc.value;
} else if (mapping == 'file') {
ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
if (ctx.ti_crowdstrike.ioc.type == 'md5') {
ctx.threat.indicator.file.hash.md5 = ctx.ti_crowdstrike?.ioc.value;
} else if (ctx.ti_crowdstrike.ioc.type == 'sha256') {
ctx.threat.indicator.file.hash.sha256 = ctx.ti_crowdstrike?.ioc.value;
} else if (ctx.ti_crowdstrike.ioc.type == 'sha1') {
ctx.threat.indicator.file.hash.sha1 = ctx.ti_crowdstrike?.ioc.value;
}
}
}
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
field: json.value
tag: rename_value
target_field: ti_crowdstrike.ioc.value
ignore_missing: true
- set:
field: threat.indicator.name
tag: set_threat_indicator_name
copy_from: ti_crowdstrike.ioc.value
ignore_empty_value: true
- convert:
field: ti_crowdstrike.ioc.value
tag: convert_ioc_value_to_ip
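Review bot: Inside the new `if (mapping != null)` body, the domain and file branches dereference `ctx.ti_crowdstrike.ioc.value` without checking it, while the `set` for `threat.indicator.name` that now precedes the script uses `ignore_empty_value: true`, so an event with no `value` (the `rename` of `json.value` has `ignore_missing: true`) still reaches the script and, as far as I can tell, writes a null `threat.indicator.url.domain` or an empty `threat.indicator.file.hash` object into the document. Guarding both branches keeps the two paths consistent: `if (ctx.ti_crowdstrike.ioc.value != null && ctx.ti_crowdstrike.ioc.type == 'domain') {` and `} else if (ctx.ti_crowdstrike.ioc.value != null && mapping == 'file') {`. The `?.` in `ctx.ti_crowdstrike?.ioc.value` is also misleading, because `ctx.ti_crowdstrike.ioc.type` is already dereferenced unconditionally on the lines above, so the plain `ctx.ti_crowdstrike.ioc.value` used elsewhere in the hunk reads more honestly. The script processor's header and the enclosing `processors` list start outside the hunk.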
2 changes: 1 addition & 1 deletion packages/ti_crowdstrike/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.3
name: ti_crowdstrike
title: CrowdStrike Falcon Intelligence
version: "2.3.1"
version: "2.3.2"
description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent.
type: integration
categories: