Ensure Consistency Across Ingested Data for Analyzer Development #12562

raqueltabuyo opened this issue Feb 3, 2025 · 2 comments · Fixed by #13984

Labels
enhancement New feature or request Integration:crowdstrike CrowdStrike Integration:m365_defender Microsoft M365 Defender Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Integration:panw_cortex_xdr Palo Alto Cortex XDR Integration:sentinel_one SentinelOne Integration:trend_micro_vision_one Trend Micro Vision One Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors]

Comments


raqueltabuyo commented Feb 3, 2025

Ensure Consistency Across Ingested Data for Analyzer Development

Description

To support the development of the analyzer, we need consistency in the ingested data across CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint. Specifically, the following fields should be consistently available and mapped to ECS.

Requirements

Ensure all three integrations provide the following fields:

  • process.entity_id
  • process.parent.entity_id
  • process.name
  • event.module
  • event.kind

Impact

  • Without consistency in these fields, entity correlation and attack chain visualization will be incomplete.
  • Missing or inconsistent data will affect the accuracy and reliability of the analyzer.

Next Steps

  1. Prioritize Microsoft
  2. Assess data coverage gaps for each vendor.
  3. Align ingestion pipelines to normalize these fields in ECS.
  4. Define any necessary transformations or enrichment to standardize missing data.
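Step 2 of the next steps (assess data coverage gaps per vendor) and the requirement that all integrations populate the same five ECS fields can be checked mechanically against a sample of ingested documents. The script below is an added example, not code from the elastic/integrations repository or from the issue author; the per-vendor sample events are constructed placeholders, and documents may carry fields either nested (`{"process": {"name": ...}}`) or flattened (`{"process.name": ...}`), since both shapes occur in ingested data. The set of allowed `event.kind` values is taken from the ECS specification and is an assumption about the ECS version in use.

```python
"""Check sampled events from several EDR integrations for the ECS fields
the analyzer depends on, and report per-vendor coverage gaps.

Added example, not code from elastic/integrations. Sample events are constructed.
"""
from typing import Any

# Fields the issue requires every integration to populate.
REQUIRED_FIELDS = (
    "process.entity_id",
    "process.parent.entity_id",
    "process.name",
    "event.module",
    "event.kind",
)

# Allowed values for event.kind per the ECS spec (assumption: ECS 8.x).
EVENT_KIND_VALUES = {
    "alert", "enrichment", "event", "metric", "state", "pipeline_error", "signal",
}


def get_field(doc: dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS field name against a document stored either
    flattened ({"process.name": ...}) or nested ({"process": {"name": ...}}).
    Returns None when the field is absent or empty, because an empty
    entity id breaks correlation just as a missing one does."""
    if path in doc:
        value: Any = doc[path]
    else:
        value = doc
        for part in path.split("."):
            if not isinstance(value, dict) or part not in value:
                return None
            value = value[part]
    if value is None or value in ("", [], {}):
        return None
    return value


def field_gaps(events: list[dict[str, Any]], required=REQUIRED_FIELDS) -> dict[str, float]:
    """Per required field, the fraction of sampled events where it is missing."""
    if not events:
        return {field: 1.0 for field in required}
    gaps = {}
    for field in required:
        missing = sum(1 for event in events if get_field(event, field) is None)
        gaps[field] = missing / len(events)
    return gaps


def coverage_report(samples: dict[str, list[dict[str, Any]]]) -> dict[str, dict[str, float]]:
    """Per vendor, the required fields that are missing in any sampled event
    and how often. An empty dict for a vendor means full coverage."""
    return {
        vendor: {field: frac for field, frac in field_gaps(events).items() if frac > 0}
        for vendor, events in samples.items()
    }


def invalid_event_kind(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Events whose event.kind is present but not an ECS-allowed value."""
    return [
        event for event in events
        if get_field(event, "event.kind") is not None
        and get_field(event, "event.kind") not in EVENT_KIND_VALUES
    ]


# Constructed sample: one vendor fully covered, one with a missing parent id
# on some events, one with an empty process.name and no event.kind yet.
SAMPLE_EVENTS: dict[str, list[dict[str, Any]]] = {
    "crowdstrike": [
        {"event": {"module": "crowdstrike", "kind": "event"},
         "process": {"entity_id": "cs-proc-1", "name": "cmd.exe",
                     "parent": {"entity_id": "cs-proc-0"}}},
        {"event": {"module": "crowdstrike", "kind": "event"},
         "process": {"entity_id": "cs-proc-2", "name": "powershell.exe",
                     "parent": {"entity_id": "cs-proc-1"}}},
    ],
    "sentinel_one": [
        {"event.module": "sentinel_one", "event.kind": "alert",
         "process.entity_id": "s1-1", "process.parent.entity_id": "s1-0",
         "process.name": "bash"},
        {"event.module": "sentinel_one", "event.kind": "alert",
         "process.entity_id": "s1-2", "process.name": "curl"},
    ],
    "microsoft_defender_endpoint": [
        {"event": {"module": "microsoft_defender_endpoint"},
         "process": {"entity_id": "mde-1", "name": "",
                     "parent": {"entity_id": "mde-0"}}},
    ],
}

if __name__ == "__main__":
    for vendor, gaps in coverage_report(SAMPLE_EVENTS).items():
        print(vendor, "OK" if not gaps else gaps)
```

Run against a real export by replacing `SAMPLE_EVENTS` with documents pulled from each integration's data stream; a non-empty dict for a vendor is the list of fields its ingest pipeline still needs to map or enrich before the analyzer can rely on them.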
@raqueltabuyo raqueltabuyo added enhancement New feature or request Integration:crowdstrike CrowdStrike Team:Service-Integrations Label for the Observability Service Integrations team Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Integration:sentinel_one SentinelOne Integration:m365_defender Microsoft M365 Defender labels Feb 3, 2025
@andrewkroh andrewkroh added Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] and removed Team:Service-Integrations Label for the Observability Service Integrations team labels Mar 20, 2025
@elasticmachine commented

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@cpascale43 cpascale43 added Integration:panw_cortex_xdr Palo Alto Cortex XDR Integration:trendmicro Trend Micro Deep Security Integration:trend_micro_vision_one Trend Micro Vision One and removed Integration:trendmicro Trend Micro Deep Security labels May 6, 2025

cpascale43 commented May 6, 2025

For

Let's make sure that these integrations contain the following fields:

  • process.entity_id
  • process.parent.entity_id
  • process.name
  • event.module
  • event.kind
