Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@monkeyonbranch Do you have example event.original events that you can share for the inbound case? Also, what would you propose be the behaviour in the case that the direction is unknown (an event for this would also be helpful)?

@monkeyonbranch Please take a look at #12508 which is an attempt at a fix. There are subtleties that make it more difficult to have a definitive fix than it would seem at the surface (there is an impedance mismatch between ECS and the convention used by Crowdstrike for network direction, and there are test cases where we have no data in the ConnectionDirection and so we don't know how to handle to the directionality). I'd be grateful if you would take a look and add any input that you have that would be useful.

In the case that the direction is unknown it is very hard to guess. Best guess, that would have the highest hit rate would be to assume direction based on port number. Ports 10000 and below are usually services and therefore usually destination. It is not 100% correct but based on how things "normally" work it is more correct than it is wrong.

I'll grab a look at #12508, asap. Thank you for helping out!