[Crowdstrike Alerts] change hash computation #12534
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
The original list of fingerprint fields was set in #10567.

CrowdStrike has several background processes that can change this value without any change to the alert itself.

This change seems good if changes to the updated_timestamp value never come with changes to the alert itself.

To catch all alert changes we could fingerprint everything except the updated_timestamp.
💚 Build Succeeded
History: eda4138 to f728ca7 (Compare)
Currently, the integration uses multiple fields, including the updated_timestamp, to compute a unique _id for the alerts.
Due to the nature of the updated_timestamp field, which can be changed by internal background processes of CrowdStrike without any change to the alert, this can lead to duplicates.
This PR changes this to use the created and context timestamp, which are static per alert, instead of the static one to avoid these duplicates.
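As an added illustration (not the PR's own pipeline code), the Python below hashes a constructed CrowdStrike alert fetched twice, once before and once after a background touch of updated_timestamp, using the old volatile field set, the PR's static-timestamp set, and the reviewer's "everything except updated_timestamp" alternative. Field names other than updated_timestamp, and the exact make-up of the old field set, are assumptions.

```python
import hashlib
import json

# Constructed sample: the same alert fetched twice. Between the fetches a
# CrowdStrike background process changed updated_timestamp, but nothing about
# the alert itself changed. Field names apart from updated_timestamp are
# assumed, not taken from the PR.
ALERT_V1 = {
    "composite_id": "EXAMPLE-COMPOSITE-ID",
    "created_timestamp": "2025-01-10T08:00:00Z",
    "context_timestamp": "2025-01-10T07:59:58Z",
    "updated_timestamp": "2025-01-10T08:00:05Z",
    "severity": 70,
}
ALERT_V2 = dict(ALERT_V1, updated_timestamp="2025-01-10T09:30:00Z")
# A genuine change to the alert (severity raised), for comparison.
ALERT_V3 = dict(ALERT_V2, severity=90)

# Assumed old set (includes the volatile field) vs. the PR's static-only set.
OLD_FIELDS = ("composite_id", "updated_timestamp")
NEW_FIELDS = ("composite_id", "created_timestamp", "context_timestamp")


def fingerprint(alert, fields):
    """Mimic an ingest fingerprint processor: SHA-256 over the selected
    values, joined in field order with a fixed separator."""
    raw = "|".join(str(alert.get(f, "")) for f in fields)
    return hashlib.sha256(raw.encode()).hexdigest()


def fingerprint_excluding(alert, exclude=("updated_timestamp",)):
    """Reviewer's alternative: hash every field except the volatile one, so a
    real alert change yields a new _id while background touches do not."""
    stable = {k: v for k, v in alert.items() if k not in exclude}
    raw = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()


def distinct_ids(fields):
    """Number of distinct _ids produced for the same alert across two fetches
    (2 means the second fetch becomes a duplicate document)."""
    return len({fingerprint(ALERT_V1, fields), fingerprint(ALERT_V2, fields)})
```

Note that the static-only set also gives the same _id to ALERT_V3, so a real change to the alert overwrites the earlier document rather than creating a new one; the exclusion-based variant distinguishes the two.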