elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

crowdstrike/fdr: Support SSL Certificate-related events #3485

Closed adriansr closed 11 months ago

adriansr commented 2 years ago

Crowdstrike integration / fdr data_stream does not enrich events related to SSL Certificates. We should add support to these.

Example event:

{
  "eid": 118,
  "IssuerCN": "GlobalSign ObjectSign CA",
  "CustomerIdString": "f3011c6076444fbedffa8472f8aaaaa",
  "EventType": "Event_ExternalApiEvent",
  "SubjectCertValidTo": "2008-09-24T10:50:55Z",
  "SignInfoFlagUnknownError": false,
  "SubjectVersion": "3",
  "UTCTimestamp": 1653626693230,
  "AuthorityKeyIdentifier": "ffffffffeeeeeeeeeddddddddccccccceaaaaaaaa",
  "SubjectDN": "CN=Testing Testing,C=JP,1.2.999.999999.1.9.1=#ffffffffeeeeeeeeddddddddccccccccbbbbbbbbaaaaaaaaaa",
  "SignatureDigestEncryptAlg": "RSA",
  "SignInfoFlagHasValidSignature": true,
  "AuthenticodeHashData": "ffffffffffffffffffffffffffffffffffffffff",
  "SignInfoFlagSignHashMismatch": false,
  "AuthenticodeMatch": true,
  "SignInfoFlagMicrosoftSigned": false,
  "SignInfoFlagNoSignature": false,
  "SubjectSerialNumber": "115372fffff",
  "timestamp": "2022-05-27T04:44:53Z",
  "SignInfoFlagInvalidSignChain": false,
  "IssuerDN": "CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE",
  "SignatureDigestAlg": "SHA1-RSA",
  "SignInfoFlagNoCodeKeyUsage": false,
  "SHA256HashData": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
  "SubjectKeyIdentifier": "",
  "SubjectCN": "Testing Testing",
  "ExternalApiType": "Event_ModuleSummaryInfoEvent",
  "SignInfoFlagNoEmbeddedCert": false,
  "Nonce": 1202666347322065700,
  "SignInfoFlagThirdPartyRoot": false,
  "SubjectCertThumbprint": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
  "SignInfoFlagCatalogSigned": false,
  "SignInfoFlagSelfSigned": false,
  "SignInfoFlagFailedCertCheck": false,
  "AgentIdString": "99999999999999999999999999999999",
  "SubjectCertValidFrom": "2007-09-24T10:50:55Z",
  "SignInfoFlagEmbeddedSigned": true,
  "cid": "11111111111111111111111111111111"
}

elasticmachine commented 2 years ago
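To make the enrichment the issue asks for concrete, here is an added example (not code from the integration or from the issue author) that maps an event of the shape shown above onto ECS fields. The ECS field names used (`x509.*`, `file.code_signature.*`, `file.hash.sha256`, `event.*`) are real ECS fields, but which source field feeds which ECS field is an assumption made for this illustration, as is keeping the raw fields under a `crowdstrike` namespace. The sample event is a constructed, trimmed copy of the one quoted above; it also shows a caveat worth carrying into detection logic: `SignInfoFlagHasValidSignature` only says the signature verified, and the certificate in the sample had already expired fourteen years before the event timestamp.

```python
"""Illustrative ECS mapping for a CrowdStrike FDR SSL-certificate event (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample shaped like the event quoted in the issue; every value is a placeholder.
SAMPLE_EVENT = json.loads("""
{
  "eid": 118,
  "EventType": "Event_ExternalApiEvent",
  "ExternalApiType": "Event_ModuleSummaryInfoEvent",
  "timestamp": "2022-05-27T04:44:53Z",
  "IssuerCN": "GlobalSign ObjectSign CA",
  "IssuerDN": "CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE",
  "SubjectCN": "Testing Testing",
  "SubjectDN": "CN=Testing Testing,C=JP,1.2.999.999999.1.9.1=#ffffffffeeeeeeee",
  "SubjectCertValidFrom": "2007-09-24T10:50:55Z",
  "SubjectCertValidTo": "2008-09-24T10:50:55Z",
  "SubjectVersion": "3",
  "SubjectSerialNumber": "115372fffff",
  "SubjectCertThumbprint": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
  "SHA256HashData": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
  "SignatureDigestAlg": "SHA1-RSA",
  "SignatureDigestEncryptAlg": "RSA",
  "SignInfoFlagHasValidSignature": true,
  "SignInfoFlagInvalidSignChain": false,
  "SignInfoFlagFailedCertCheck": false,
  "SignInfoFlagSelfSigned": false,
  "SignInfoFlagMicrosoftSigned": false,
  "SignInfoFlagEmbeddedSigned": true,
  "SignInfoFlagNoSignature": false,
  "AgentIdString": "99999999999999999999999999999999",
  "cid": "11111111111111111111111111111111"
}
""")


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514-style DN ("CN=x,O=y") into {attribute: value}.
    A backslash-escaped comma stays inside the value instead of splitting it."""
    parts, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
        i += 1
    parts.append(current)
    out = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_flags(event: dict) -> list:
    """Names of the SignInfoFlag* fields that are true, with the prefix removed."""
    prefix = "SignInfoFlag"
    return sorted(k[len(prefix):] for k, v in event.items() if k.startswith(prefix) and v is True)


def signature_trusted(event: dict) -> bool:
    """A signature is only worth trusting if it verified AND the chain/cert checks passed."""
    return (event.get("SignInfoFlagHasValidSignature") is True
            and not event.get("SignInfoFlagInvalidSignChain")
            and not event.get("SignInfoFlagFailedCertCheck"))


def cert_expired_at_event(event: dict) -> bool:
    """True when the subject certificate's validity window did not cover the event time."""
    when = _ts(event["timestamp"])
    return not (_ts(event["SubjectCertValidFrom"]) <= when <= _ts(event["SubjectCertValidTo"]))


def to_ecs(event: dict) -> dict:
    """Build an ECS document; the choice of which raw field feeds which ECS field is assumed."""
    subject, issuer = parse_dn(event["SubjectDN"]), parse_dn(event["IssuerDN"])
    return {
        "@timestamp": event["timestamp"],
        "event": {"kind": "event", "category": ["file"], "type": ["info"],
                  "code": str(event["eid"]), "original": json.dumps(event, separators=(",", ":"))},
        "x509": {
            "subject": {"common_name": [subject.get("CN", event.get("SubjectCN"))],
                        "distinguished_name": event["SubjectDN"],
                        "country": [subject["C"]] if "C" in subject else []},
            "issuer": {"common_name": [issuer.get("CN", event.get("IssuerCN"))],
                       "distinguished_name": event["IssuerDN"],
                       "organization": [issuer["O"]] if "O" in issuer else [],
                       "organizational_unit": [issuer["OU"]] if "OU" in issuer else []},
            "not_before": event["SubjectCertValidFrom"], "not_after": event["SubjectCertValidTo"],
            "serial_number": event["SubjectSerialNumber"], "version_number": event["SubjectVersion"],
            "signature_algorithm": event["SignatureDigestAlg"],
            "public_key_algorithm": event["SignatureDigestEncryptAlg"],
        },
        "file": {"hash": {"sha256": event["SHA256HashData"]},
                 "code_signature": {"valid": event.get("SignInfoFlagHasValidSignature") is True,
                                    "trusted": signature_trusted(event),
                                    "subject_name": event.get("SubjectCN"),
                                    "signing_id": event["SubjectCertThumbprint"],
                                    "status": ",".join(active_flags(event))}},
        # Assumed namespace for the untouched raw fields; the real integration may differ.
        "crowdstrike": {"event": event},
    }
```

`file.code_signature.valid` and `file.code_signature.trusted` are deliberately separate: the first mirrors the raw `HasValidSignature` flag, the second also requires the chain and certificate checks to have passed, which is the field a detection rule should key on. Certificate expiry relative to the event time is kept out of the document and exposed through `cert_expired_at_event()` so a pipeline can decide whether to tag it.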

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!