Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crowdstrike: fix handling of network direction #12508

Merged
merged 3 commits into from
Feb 5, 2025
Merged

crowdstrike: fix handling of network direction #12508

merged 3 commits into from
Feb 5, 2025

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Jan 28, 2025

Proposed commit message

Assume that network direction that is no inbound can be validly semantically represented as outbound using the ECS fields available. This is probably not true; documented values of the ConnectionDirection are 0 - outbound, 1 - inbound, 2 - neither, and 3 - both[1].

Adhering strictly to inbound/outbound makes it impossible to map the data to ECS since neither and both would only be expressible as unknown.

[1]https://docs.panther.com/data-onboarding/supported-logs/crowdstrike/falcon-data-replicator#crowdstrike.networkconnect

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 added Integration:crowdstrike CrowdStrike bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Jan 28, 2025
@efd6 efd6 self-assigned this Jan 28, 2025
@efd6 efd6 force-pushed the 12476-crowdstrike branch from 101bf00 to d9ddf43 Compare January 28, 2025 21:58
@elastic-vault-github-plugin-prod
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review January 28, 2025 22:41
@efd6 efd6 requested a review from a team as a code owner January 28, 2025 22:41
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 mentioned this pull request Jan 28, 2025
Closed
kcreddy
kcreddy reviewed Jan 31, 2025
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to hear from user on #12476 (comment)

packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/outbound_network.yml Show resolved Hide resolved
packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/outbound_network.yml Outdated Show resolved Hide resolved
packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml Show resolved Hide resolved
@efd6
Copy link
Contributor Author

efd6 commented Feb 3, 2025

Waiting for @monkeyonbranch. Setting as draft to avoid accidental merge.

@efd6 efd6 marked this pull request as draft February 3, 2025 05:00
@andrewkroh andrewkroh added Integration:1password 1Password Integration:abnormal_security Abnormal Security New Integration Issue or pull request for creating a new integration package. labels Feb 4, 2025
@efd6 efd6 force-pushed the 12476-crowdstrike branch from 9444961 to 77e1e98 Compare February 4, 2025 04:15
efd6 added 3 commits February 5, 2025 06:45
@efd6
crowdstrike: fix handling of network direction
24ecae1 
Assume that network direction that is no inbound can be validly
semantically represented as outbound using the ECS fields available.
This is probably not true; documented values of the ConnectionDirection
are 0 - outbound, 1 - inbound, 2 - neither, and 3 - both[1].

Adhering strictly to inbound/outbound makes it impossible to map the
data to ECS since neither and both would only be expressible as unknown.

[1]https://docs.panther.com/data-onboarding/supported-logs/crowdstrike/falcon-data-replicator#crowdstrike.networkconnect
@efd6
address pr comments
e0c3236
@efd6
improve IP address handling
07ef3af
@efd6 efd6 force-pushed the 12476-crowdstrike branch from 77e1e98 to 07ef3af Compare February 4, 2025 20:16
@elasticmachine
Copy link

💚 Build Succeeded

History

cc @efd6

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
91.4% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@monkeyonbranch
Copy link
Contributor

Sorry for the long wait. Sometimes life happens.
Yes, the fixes looks good to me. It should provide and improvement in making sure the right data is being set when normalizing it.

@efd6
Copy link
Contributor Author

efd6 commented Feb 5, 2025

Thanks @monkeyonbranch. If there are any issues with the heuristic we are using, please file a new issue.

@efd6 efd6 marked this pull request as ready for review February 5, 2025 20:23
@efd6 efd6 merged commit eda4138 into elastic:main Feb 5, 2025
5 checks passed
qcorporation pushed a commit that referenced this pull request Feb 5, 2025
@efd6
crowdstrike: fix handling of network direction (#12508)
ca98932 
Assume that network direction that is not inbound can be validly
semantically represented as outbound using the ECS fields available.
This is probably not true; documented values of the ConnectionDirection
are 0 - outbound, 1 - inbound, 2 - neither, and 3 - both[1].

Adhering strictly to inbound/outbound makes it impossible to map the
data to ECS since neither and both would only be expressible as unknown.

[1]https://docs.panther.com/data-onboarding/supported-logs/crowdstrike/falcon-data-replicator#crowdstrike.networkconnect
JoseLuisGJ pushed a commit to JoseLuisGJ/integrations that referenced this pull request Feb 6, 2025
@efd6 @JoseLuisGJ
crowdstrike: fix handling of network direction (elastic#12508)
2a69f73 
Assume that network direction that is not inbound can be validly
semantically represented as outbound using the ECS fields available.
This is probably not true; documented values of the ConnectionDirection
are 0 - outbound, 1 - inbound, 2 - neither, and 3 - both[1].

Adhering strictly to inbound/outbound makes it impossible to map the
data to ECS since neither and both would only be expressible as unknown.

[1]https://docs.panther.com/data-onboarding/supported-logs/crowdstrike/falcon-data-replicator#crowdstrike.networkconnect
@elastic-vault-github-plugin-prod
Copy link

Package crowdstrike - 1.49.1 containing this change is available at https://epr.elastic.co/package/crowdstrike/1.49.1/

@efd6 efd6 deleted the 12476-crowdstrike branch February 7, 2025 08:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kcreddy kcreddy kcreddy approved these changes

Assignees

@efd6 efd6

Labels
bugfix Pull request that fixes a bug issue Integration:crowdstrike CrowdStrike New Integration Issue or pull request for creating a new integration package. Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Crowdstrike FDR]: Pipeline sets fields wrongly based on bad assumption
5 participants
@efd6 @elasticmachine @monkeyonbranch @kcreddy @andrewkroh