Integration Name
CrowdStrike [crowdstrike]
Dataset Name
crowdstrike.falcon
Integration Version
1.39.2
Agent Version
8.15.0
Agent Output Type
elasticsearch
Elasticsearch Version
8.15.0
OS Version and Architecture
Ubuntu 22.04.4 LTS
Software/API Version
CrowdStrike API
Error Message
no error message shown, the top related hosts visualization is just empty.
Event Original
no event.original
What did you do?
just looking at the dashboard
What did you see?
Looking at the related request of the visualization, I can see it's looking for host.hostname. Looking in Discover for event.dataset: crowdstrike.falcon, most events don't set host.hostname or host.name, but, for example, events with event.kind: alert set host.name.
Looking at other CrowdStrike-related datasets, i.e. crowdstrike.alert or crowdstrike.host, they use host.hostname.
What did you expect to see?
I'd expect host.hostname to be used consistently for the crowdstrike.falcon dataset as well, which I guess in turn would populate the Top Related Hosts visualization as well.
Anything else?
No response
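The mismatch reported above can be reproduced offline. This is an added example, not code from the issue or from the integration: it audits host-field coverage per dataset and event.kind and emulates a terms aggregation on a single field. The sample documents are constructed, and the function names and the fallback bucketing are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample documents (not real CrowdStrike data), as flattened ECS fields.
EVENTS = [
    {"event.dataset": "crowdstrike.falcon", "event.kind": "event"},
    {"event.dataset": "crowdstrike.falcon", "event.kind": "event"},
    {"event.dataset": "crowdstrike.falcon", "event.kind": "alert", "host.name": "ws-01"},
    {"event.dataset": "crowdstrike.falcon", "event.kind": "alert", "host.name": "ws-02"},
    {"event.dataset": "crowdstrike.alert", "event.kind": "alert", "host.hostname": "ws-01"},
    {"event.dataset": "crowdstrike.host", "event.kind": "event", "host.hostname": "ws-03"},
]
HOST_FIELDS = ("host.hostname", "host.name")  # order = fallback preference


def field_coverage(events):
    """Per (dataset, event.kind): total docs and how many populate each host field."""
    cov = defaultdict(lambda: Counter(total=0))
    for ev in events:
        key = (ev.get("event.dataset"), ev.get("event.kind"))
        cov[key]["total"] += 1
        for field in HOST_FIELDS:
            if ev.get(field):
                cov[key][field] += 1
    return {key: dict(counts) for key, counts in cov.items()}


def top_hosts(events, dataset, field, size=10):
    """Emulate a terms aggregation: docs missing the field land in no bucket."""
    buckets = Counter(
        ev[field] for ev in events
        if ev.get("event.dataset") == dataset and ev.get(field)
    )
    return buckets.most_common(size)


def top_hosts_with_fallback(events, dataset, size=10):
    """Illustrative only: bucket on the first populated field in HOST_FIELDS."""
    buckets = Counter()
    for ev in events:
        if ev.get("event.dataset") != dataset:
            continue
        host = next((ev[f] for f in HOST_FIELDS if ev.get(f)), None)
        if host:
            buckets[host] += 1
    return buckets.most_common(size)


if __name__ == "__main__":
    for key, counts in field_coverage(EVENTS).items():
        print(key, counts)
    print("host.hostname only:", top_hosts(EVENTS, "crowdstrike.falcon", "host.hostname"))
    print("with fallback:", top_hosts_with_fallback(EVENTS, "crowdstrike.falcon"))
```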