ti_crowdstrike: populate required threat.intelligence fields #12915

Merged
merged 2 commits into from
Mar 3, 2025
5 changes: 5 additions & 0 deletions packages/ti_crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.3.2"
changes:
- description: Ensure the appropriate `threat.indicator` fields are set to allow population of the Indicator column in Security Intelligence view.
type: bugfix
link: https://github.com/elastic/integrations/pull/12915
- version: "2.3.1"
changes:
- description: Updated SSL description in package manifest.yml to be uniform and to include links to documentation.
Expand Up @@ -845,4 +845,4 @@
}
}
]
}
}
@@ -1 +1,3 @@
{"id":"34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44","type":"ipv4","value":"81.2.69.192","action":"detect again","severity":"critical","description":"IS-38887","metadata":{"filename":"High_Serverity_Heuristic_Sandbox_Threat.docx"},"platforms":["windows","mac","linux"],"tags":["IS-38887"],"expired":false,"deleted":false,"applied_globally":true,"from_parent":false,"created_on":"2023-11-01T10:22:23.10607613Z","created_by":"[email protected]","modified_on":"2023-11-01T10:22:23.10607613Z","modified_by":"[email protected]"}
{"id":"34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44","type":"ipv4","value":"81.2.69.192","action":"detect again","severity":"critical","description":"IS-38887","metadata":{"filename":"High_Serverity_Heuristic_Sandbox_Threat.docx"},"platforms":["windows","mac","linux"],"tags":["IS-38887"],"expired":false,"deleted":false,"applied_globally":true,"from_parent":false,"created_on":"2023-11-01T10:22:23.10607613Z","created_by":"[email protected]","modified_on":"2023-11-01T10:22:23.10607613Z","modified_by":"[email protected]"}
{"action":"prevent","applied_globally":true,"created_by":"[email protected]","created_on":"2025-02-03T10:04:18.39565409Z","deleted":false,"description":"some description","expired":false,"from_parent":false,"id":"e6551b7d4ec26f0775640a62cda253a7e2237e02a9579ba8cdf53e2e649d8b72","metadata":{"av_hits":-1,"company_name":"org.localsend","file_description":"localsend_app","file_version":"1.14.0+45","original_filename":"localsend_app.exe","product_name":"localsend_app","product_version":"1.14.0+45","signed":false},"modified_by":"[email protected]","modified_on":"2025-02-03T10:04:18.39565409Z","platforms":["windows","mac","linux"],"severity":"low","type":"sha256","value":"42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb"}
{"action":"detect","applied_globally":true,"created_by":"[email protected]","created_on":"2025-01-29T09:01:39.125982486Z","deleted":false,"description":"Monitor use of deepseek.","expired":false,"from_parent":false,"id":"01f90f4e9dc9ad772363c725c502798bf91332502ecae2bc222d6ee57cfa091f","metadata":{},"modified_by":"[email protected]","modified_on":"2025-01-29T11:28:52.379311339Z","platforms":["windows","mac","linux"],"severity":"informational","type":"domain","value":"platform.deepseek.com"}
Expand Up @@ -76,6 +76,155 @@
"domain": "example.com",
"name": "abc.it"
}
},
{
"@timestamp": "2025-02-03T10:04:18.395Z",
"ecs": {
"version": "8.11.0"
},
"event": {
"action": "prevent",
"category": [
"threat"
],
"id": "e6551b7d4ec26f0775640a62cda253a7e2237e02a9579ba8cdf53e2e649d8b72",
"kind": "enrichment",
"original": "{\"action\":\"prevent\",\"applied_globally\":true,\"created_by\":\"[email protected]\",\"created_on\":\"2025-02-03T10:04:18.39565409Z\",\"deleted\":false,\"description\":\"some description\",\"expired\":false,\"from_parent\":false,\"id\":\"e6551b7d4ec26f0775640a62cda253a7e2237e02a9579ba8cdf53e2e649d8b72\",\"metadata\":{\"av_hits\":-1,\"company_name\":\"org.localsend\",\"file_description\":\"localsend_app\",\"file_version\":\"1.14.0+45\",\"original_filename\":\"localsend_app.exe\",\"product_name\":\"localsend_app\",\"product_version\":\"1.14.0+45\",\"signed\":false},\"modified_by\":\"[email protected]\",\"modified_on\":\"2025-02-03T10:04:18.39565409Z\",\"platforms\":[\"windows\",\"mac\",\"linux\"],\"severity\":\"low\",\"type\":\"sha256\",\"value\":\"42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb\"}",
"type": [
"indicator"
]
},
"related": {
"hash": [
"42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb"
],
"user": [
"[email protected]"
]
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields"
],
"threat": {
"indicator": {
"description": "some description",
"file": {
"hash": {
"sha256": "42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb"
}
},
"first_seen": "2025-02-03T10:04:18.395Z",
"modified_at": "2025-02-03T10:04:18.395Z",
"name": "42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb",
"provider": "crowdstrike",
"type": "file"
}
},
"ti_crowdstrike": {
"ioc": {
"action": "prevent",
"applied_globally": true,
"created_by": "[email protected]",
"created_on": "2025-02-03T10:04:18.395Z",
"deleted": false,
"description": "some description",
"expired": false,
"from_parent": false,
"id": "e6551b7d4ec26f0775640a62cda253a7e2237e02a9579ba8cdf53e2e649d8b72",
"metadata": {
"av_hits": -1,
"company_name": "org.localsend",
"file_description": "localsend_app",
"file_version": "1.14.0+45",
"original_filename": "localsend_app.exe",
"product_name": "localsend_app",
"product_version": "1.14.0+45",
"signed": false
},
"modified_by": "[email protected]",
"modified_on": "2025-02-03T10:04:18.395Z",
"platforms": [
"windows",
"mac",
"linux"
],
"severity": "low",
"type": "sha256",
"value": "42265b18327115957f629c707cdbe7b95a3030be7af8fbf1cc0469675ac2e4fb"
}
},
"user": {
"domain": "example.com",
"name": "user"
}
},
{
"@timestamp": "2025-01-29T11:28:52.379Z",
"ecs": {
"version": "8.11.0"
},
"event": {
"action": "detect",
"category": [
"threat"
],
"id": "01f90f4e9dc9ad772363c725c502798bf91332502ecae2bc222d6ee57cfa091f",
"kind": "enrichment",
"original": "{\"action\":\"detect\",\"applied_globally\":true,\"created_by\":\"[email protected]\",\"created_on\":\"2025-01-29T09:01:39.125982486Z\",\"deleted\":false,\"description\":\"Monitor use of deepseek.\",\"expired\":false,\"from_parent\":false,\"id\":\"01f90f4e9dc9ad772363c725c502798bf91332502ecae2bc222d6ee57cfa091f\",\"metadata\":{},\"modified_by\":\"[email protected]\",\"modified_on\":\"2025-01-29T11:28:52.379311339Z\",\"platforms\":[\"windows\",\"mac\",\"linux\"],\"severity\":\"informational\",\"type\":\"domain\",\"value\":\"platform.deepseek.com\"}",
"type": [
"indicator"
]
},
"related": {
"user": [
"[email protected]"
]
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields"
],
"threat": {
"indicator": {
"description": "Monitor use of deepseek.",
"first_seen": "2025-01-29T09:01:39.125Z",
"modified_at": "2025-01-29T11:28:52.379Z",
"name": "platform.deepseek.com",
"provider": "crowdstrike",
"type": "domain-name",
"url": {
"domain": "platform.deepseek.com"
}
}
},
"ti_crowdstrike": {
"ioc": {
"action": "detect",
"applied_globally": true,
"created_by": "[email protected]",
"created_on": "2025-01-29T09:01:39.125Z",
"deleted": false,
"description": "Monitor use of deepseek.",
"expired": false,
"from_parent": false,
"id": "01f90f4e9dc9ad772363c725c502798bf91332502ecae2bc222d6ee57cfa091f",
"modified_by": "[email protected]",
"modified_on": "2025-01-29T11:28:52.379Z",
"platforms": [
"windows",
"mac",
"linux"
],
"severity": "informational",
"type": "domain",
"value": "platform.deepseek.com"
}
},
"user": {
"domain": "example.com",
"name": "user"
}
}
]
}
}
Expand Up @@ -260,6 +260,16 @@ processors:
tag: rename_tags
target_field: ti_crowdstrike.ioc.tags
ignore_missing: true
- rename:
field: json.value
tag: rename_value
target_field: ti_crowdstrike.ioc.value
ignore_missing: true
- set:
field: threat.indicator.name
tag: set_threat_indicator_name
copy_from: ti_crowdstrike.ioc.value
ignore_empty_value: true
- rename:
field: json.type
tag: rename_type
Expand All @@ -280,22 +290,27 @@ processors:
source: >
String mapping = params[ctx.ti_crowdstrike.ioc.type];
if (mapping != null) {
ctx.threat.indicator.type = mapping;
ctx.threat.indicator.type = mapping;
// IP values are handled below to allow conversion checks.
if (ctx.ti_crowdstrike.ioc.type == 'domain') {
ctx.threat.indicator.url = ctx.threat.indicator.url ?: [:];
ctx.threat.indicator.url.domain = ctx.ti_crowdstrike?.ioc.value;
} else if (mapping == 'file') {
ctx.threat.indicator.file = ctx.threat.indicator.file ?: [:];
ctx.threat.indicator.file.hash = ctx.threat.indicator.file.hash ?: [:];
if (ctx.ti_crowdstrike.ioc.type == 'md5') {
ctx.threat.indicator.file.hash.md5 = ctx.ti_crowdstrike?.ioc.value;
} else if (ctx.ti_crowdstrike.ioc.type == 'sha256') {
ctx.threat.indicator.file.hash.sha256 = ctx.ti_crowdstrike?.ioc.value;
} else if (ctx.ti_crowdstrike.ioc.type == 'sha1') {
ctx.threat.indicator.file.hash.sha1 = ctx.ti_crowdstrike?.ioc.value;
}
}
}
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
field: json.value
tag: rename_value
target_field: ti_crowdstrike.ioc.value
ignore_missing: true
- set:
field: threat.indicator.name
tag: set_threat_indicator_name
copy_from: ti_crowdstrike.ioc.value
ignore_empty_value: true
- convert:
field: ti_crowdstrike.ioc.value
tag: convert_ioc_value_to_ip
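Review bot: The hash branch of the script (`ctx.threat.indicator.file.hash.sha256 = ctx.ti_crowdstrike?.ioc.value;` and its md5/sha1 siblings) copies the IOC value verbatim, so a hash the CrowdStrike API returns in upper- or mixed-case hex would be indexed that way in a keyword field and would not match the lower-case hashes that endpoint and file events typically carry, silently defeating indicator-match rules for that IOC. If the API does not guarantee lower-case (the sample data in this PR happens to be lower-case), normalize once before the branches with `String v = ctx.ti_crowdstrike.ioc.value?.toLowerCase();` and assign `v` in the three hash assignments. The `?.` in `ctx.ti_crowdstrike?.ioc.value` is also misleading: `ctx.ti_crowdstrike.ioc.type` has already been dereferenced without a guard on the line that builds `mapping`, so the null-safe operator protects nothing here, and a null `value` would still land in `file.hash.*` / `url.domain` as an explicit null unless a later processor strips empty values; wrapping the branches in `if (ctx.ti_crowdstrike.ioc.value != null)` makes that explicit. The `convert` processor that handles the IP types begins at the end of the hunk and continues outside it.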
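--- a/packages/ti_crowdstrike/manifest.yml
+++ b/packages/ti_crowdstrike/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_crowdstrike
 title: CrowdStrike Falcon Intelligence
-version: "2.3.1"
+version: "2.3.2"
 description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent.
 type: integration
 categories: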