Skip to content

crowdstrike: add support for OverwatchGenericDetectionSummaryEvent in falcon data stream#19969

Open
navnit-elastic wants to merge 3 commits into
elastic:mainfrom
navnit-elastic:crowdstrike-19509
Open

crowdstrike: add support for OverwatchGenericDetectionSummaryEvent in falcon data stream#19969
navnit-elastic wants to merge 3 commits into
elastic:mainfrom
navnit-elastic:crowdstrike-19509

Conversation

@navnit-elastic

Copy link
Copy Markdown
Contributor

Proposed commit message

crowdstrike: add support for OverwatchGenericDetectionSummaryEvent in falcon data stream

Add a dedicated ingest sub-pipeline to map CompositeId, FalconHostLink,
Description, and Severity to ECS fields, plus pipeline tests, DisplayName
field mapping, and docs.

The sanitized test sample is derived from CrowdStrike documentation.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@navnit-elastic navnit-elastic self-assigned this Jul 6, 2026
@navnit-elastic navnit-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@github-actions

This comment has been minimized.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

TL;DR

Buildkite failed before uploading the pipeline because the post-checkout hook could not merge PR #19969 with main. The merge conflict is in the CrowdStrike package version/changelog files, not in a test job.

Remediation

  • Rebase or merge main into the PR branch and resolve packages/crowdstrike/changelog.yml plus packages/crowdstrike/manifest.yml by keeping the PR's new 4.1.0 CrowdStrike release entry on top of the existing 4.0.0 entry from main.
  • Push the resolved branch and rerun Buildkite; the pipeline upload step should then proceed to the package/test jobs.
Investigation details

Root Cause

This is a merge-conflict/configuration failure during Buildkite checkout. The build log shows the agent checked out PR commit cc9d2fd33f9f43807dd5828de13d451ba6e6356c, fetched main at c3343f6425a, created pr_merge_19969, then failed to merge because both branches changed CrowdStrike release metadata:

Evidence

Auto-merging packages/crowdstrike/changelog.yml
CONFLICT (content): Merge conflict in packages/crowdstrike/changelog.yml
Auto-merging packages/crowdstrike/docs/README.md
Auto-merging packages/crowdstrike/manifest.yml
CONFLICT (content): Merge conflict in packages/crowdstrike/manifest.yml
Automatic merge failed; fix conflicts and then commit the result.
Merge failed: 1
Error: running "repository post-checkout" shell hook: The repository post-checkout hook exited with status 1

Verification

  • Not run: Buildkite never reached package validation or tests because checkout/pipeline upload failed first.

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod Bot commented Jul 6, 2026

Copy link
Copy Markdown

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@navnit-elastic navnit-elastic marked this pull request as ready for review July 6, 2026 06:16
@navnit-elastic navnit-elastic requested review from a team as code owners July 6, 2026 06:16
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

field: event.kind
value: alert
tag: set_event_kind
- append:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🔵 Low confidence: medium path: packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/overwatch_generic_detection_summary.yml:8

The overwatch pipeline sets event.kind/type but no event.category; add an appropriate ECS event.category (e.g. threat/malware) as the sibling detection pipelines do.

Details

This pipeline sets event.kind: alert and event.type: info but leaves event.category unset. The sibling detection sub-pipelines in this same data stream (detection_summary.yml, mobile_detection_summary.yml) append an event.category (malware). Alerts without an event.category are harder to filter and correlate in category-based security views and detection rules.

Recommendation:

Append a semantically appropriate ECS event.category for the detection, for example:

- append:
    field: event.category
    value: threat
    tag: append_threat_category

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamiehynds, do you have preference on event.category for OverwatchGenericDetectionSummaryEvent?

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@navnit-elastic I'd recommend event.category: malware to ensure consistency with our other CrowdStrike mappings. Although not every OverWatchDetection will be confirmed malware, they're typically EDR-sourced threat-hunting alerts, so they fall squarely under this category even when the specific finding is behavioral.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamiehynds, Thank you for the confirmation.

@elastic-vault-github-plugin-prod

Copy link
Copy Markdown

✅ All changelog entries have the correct PR link.

---
description: Pipeline for OverwatchGenericDetectionSummaryEvent events.
processors:
- set:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🟡 Medium confidence: high path: packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/overwatch_generic_detection_summary.yml:4

Overwatch pipeline never maps the event's ISO Timestamp, so @​timestamp falls back to ingest time; add a date processor mapping crowdstrike.event.Timestamp to @​timestamp.

Details

OverwatchGenericDetectionSummaryEvent carries its detection time only in crowdstrike.event.Timestamp (an ISO8601 string, e.g. 2026-05-15T10:15:00Z) and has no UTCTimestamp, eventCreationTime, or ContextTimeStamp. The default pipeline's date processors and the '@​timestamp copy_from event.created' step (default.yml lines 133-167) all run BEFORE this sub-pipeline is invoked (default.yml line 284) and find no usable field, and this sub-pipeline sets no date field. The result is that neither @​timestamp nor event.created is ever populated from the event, so @​timestamp defaults to ingestion time and the true detection time is lost. The committed expected output confirms this: it contains no @​timestamp and no event.created. Sibling summary pipelines (recon_notification_summary, mobile_detection_summary, cspm_events) all map their event timestamp; this one is the outlier.

Recommendation:

Add a date processor in the sub-pipeline that parses the ISO Timestamp into @​timestamp (and drop it from the removal list / leave it as-is per package convention):

  - date:
      field: crowdstrike.event.Timestamp
      target_field: '@​timestamp'
      timezone: UTC
      formats:
        - ISO8601
      tag: date_overwatch_timestamp
      if: ctx.crowdstrike?.event?.Timestamp != null
      on_failure:
        - append:
            tag: append_error_message_overwatch_timestamp
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'

Then extend the expected test output to assert the resulting @​timestamp so the mapping stays covered.


🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@vera-review-bot

Copy link
Copy Markdown

Review summary

Issues found across the latest commits 5ec1b7c — 1 medium
  • 🟡 Overwatch pipeline never maps the event's ISO Timestamp, so @​timestamp falls back to ingest time (link) (Unresolved)
Issues found across earlier commits 92c387a — 1 high, 1 low
  • 🟠 Overwatch events never set @​timestamp from their Timestamp field, so they are stamped with ingest time (link) (Resolved)
  • 🔵 The overwatch pipeline sets event.kind/type but no event.category (link) (Unresolved)

A new commit triggers another review — at most once every 15 minutes. I skip the PR while it's approved or has merge conflicts.

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

💚 Build Succeeded

History

cc @navnit-elastic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:crowdstrike CrowdStrike Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[CrowdStrike] Add support for OverwatchGenericDetectionSummaryEvent

2 participants