elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[crowdstrike.fdr]: Handle ZeroTrustHostAssessment event type #11022

Closed andrewkroh closed 2 days ago

andrewkroh commented 1 week ago

Integration Name

CrowdStrike [crowdstrike]

Dataset Name

crowdstrike.fdr

Integration Version

1.40.0

Agent Version

8.15.0

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.0

OS Version and Architecture

AWS Linux on EC2

Software/API Version

No response

Error Message

There are _ignored values

  "_ignored": [
    "crowdstrike.assessments",
    "crowdstrike.event_type",
    "crowdstrike.host_hidden_status",
    "crowdstrike.hostname",
    "crowdstrike.os_version",
    "crowdstrike.product_type_desc",
    "crowdstrike.scores"
  ]

Event Original

{
  "aid": "11111111111111111111111111111111",
  "cid": "22222222222222222222222222222222",
  "hostname": "example-XXXXXXXXX",
  "os_version": "Sonoma (14)",
  "product_name": "",
  "product_type_desc": "Workstation",
  "host_hidden_status": "VISIBLE",
  "event_platform": "Mac",
  "scores": {
    "os": 89,
    "sensor": 100,
    "overall": 97,
    "version": "3.8.1",
    "modified_time": "2024-02-13T22:33:34.077075097Z"
  },
  "assessments": {
    "analytics_and_improvements_mac": "yes",
    "application_firewall_mac": "yes",
    "crendential_dumping_hash_mac": "yes",
    "crendential_dumping_kcpassword_mac": "yes",
    "crowdstrike_full_disk_access": "yes",
    "execution_blocking_custom_blocking_enabled_mac": "yes",
    "execution_blocking_intel_threats_enabled_mac": "yes",
    "execution_blocking_suspicious_processes_enabled_mac": "yes",
    "file_vault_enabled_mac": "yes",
    "gatekeeper_mac": "yes",
    "internet_sharing_mac": "yes",
    "mac_os_version": "yes",
    "ml_adware_detection_mac": "yes",
    "ml_adware_prevention_mac": "yes",
    "ml_cloud_antimalware_detection_mac": "yes",
    "ml_cloud_antimalware_prevention_mac": "yes",
    "ml_sensor_adware_and_pup_detection_mac": "yes",
    "ml_sensor_adware_and_pup_prevention_mac": "yes",
    "ml_sensor_antimalware_detection_mac": "yes",
    "ml_sensor_antimalware_prevention_mac": "yes",
    "quarantine_mac": "yes",
    "real_time_response_enabled_mac": "yes",
    "remote_login_mac": "yes",
    "script_based_execution_monitoring_mac": "yes",
    "sip_enabled_mac": "yes",
    "stealth_mode_mac": "no",
    "system_full_disk_access_mac": "no",
    "unauthorized_remote_access_chopper_mac": "yes",
    "unauthorized_remote_access_empyre_mac": "yes",
    "unauthorized_remote_access_xpcom_mac": "yes"
  },
  "event_type": "ZeroTrustHostAssessment"
}

What did you do?

Ingested FDR data from AWS S3.

What did you see?

There are _ignored fields being flagged by the data quality dashboard.


What did you expect to see?

No _ignored fields.

And regarding the timestamp, the file containing this event is from Aug 30, but the ZeroTrustHostAssessment data all has the time at which it was read from S3 (Sep 5). There's only one timestamp in the document and it is from Feb, so that would likely be misleading to use as the @timestamp. My ideal behavior would be to have the S3 input configured to include the Last-Modified metadata from the object and use that as the @timestamp. But this is a lesser concern than the ignored fields.

Anything else?

No response
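The report above found the problem through the data quality dashboard. As an added example (not part of this issue or the integration's code), the script below does the same triage offline: given the hits of a search such as `{"query": {"exists": {"field": "_ignored"}}}`, it counts which fields were ignored per `crowdstrike.event_type`, so event types the pipeline does not yet handle stand out. The hits are constructed from the sample in the report, not real FDR data, and the index name is a placeholder.

```python
"""Group Elasticsearch `_ignored` fields by CrowdStrike event type (added example)."""
from collections import Counter, defaultdict

# Constructed sample hits, shaped like hits[] of an Elasticsearch search response
# and based on the `_ignored` list and event shown in the issue. Index name is a placeholder.
SAMPLE_HITS = [
    {
        "_index": "logs-crowdstrike.fdr-default",
        "_ignored": ["crowdstrike.assessments", "crowdstrike.event_type",
                     "crowdstrike.scores"],
        "_source": {"crowdstrike": {"event_type": "ZeroTrustHostAssessment"}},
    },
    {
        "_index": "logs-crowdstrike.fdr-default",
        "_ignored": ["crowdstrike.assessments"],
        "_source": {"crowdstrike": {"event_type": "ZeroTrustHostAssessment"}},
    },
    {
        # A hit with no `_ignored` entry: nothing was dropped for this document.
        "_index": "logs-crowdstrike.fdr-default",
        "_source": {"crowdstrike": {"event_type": "ProcessRollup2"}},
    },
]


def ignored_by_event_type(hits):
    """Return {event_type: Counter({ignored_field: number_of_docs})}.

    Hits without `_ignored` are skipped. The event type is read from `_source`
    even when `crowdstrike.event_type` itself was ignored, because an ignored
    field is not indexed but its raw value is still stored in the source.
    """
    result = defaultdict(Counter)
    for hit in hits:
        ignored = hit.get("_ignored")
        if not ignored:
            continue
        crowdstrike = hit.get("_source", {}).get("crowdstrike", {})
        event_type = crowdstrike.get("event_type", "<unknown>")
        result[event_type].update(ignored)
    return dict(result)


if __name__ == "__main__":
    for event_type, fields in ignored_by_event_type(SAMPLE_HITS).items():
        print(event_type, dict(fields))
```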

elasticmachine commented 1 week ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

efd6 commented 1 week ago

~Those aid and cid values do not look right.~ Fixed

andrewkroh commented 1 week ago

Sanitization problems on my end. Took it from JSON -> YAML -> Edit things -> JSON :bomb:. And since I changed the aid/cid to all numbers, yq properly interpreted them as numbers.