navnit-elastic (Contributor) commented Oct 28, 2025

Proposed commit message

crowdstrike: add parsing for cspm events in FDR data stream

This change enhances the FDR ingest pipeline
to parse CSPM IOA and IOM events
that were previously being indexed as-is.
It also adds a new CSPM dashboard.
The logs used for testing are taken from the live instance.

Note

This PR adds parsing for CSPM events in the FDR logs that were previously being indexed as-is.
No configuration changes are required on the user side to enable parsing.
The CSPM event schema is inferred from sample logs generated in CrowdStrike and is not officially documented.
There is a risk of missed parsing if CrowdStrike changes the event format in the future.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Pipeline tests:

--- Test results for package: crowdstrike - START ---
╭─────────────┬─────────────┬───────────┬───────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE     │ DATA STREAM │ TEST TYPE │ TEST NAME                                                     │ RESULT │ TIME ELAPSED │
├─────────────┼─────────────┼───────────┼───────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-data.log)                      │ PASS   │ 372.514352ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-cspm-ioa.log)              │ PASS   │ 358.086557ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-cspm-iom-evaluation.log)   │ PASS   │ 400.730503ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-cspm-iom.log)              │ PASS   │ 363.444314ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-epp-detection-summary.log) │ PASS   │ 402.584394ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-lengthy-field-delete.log)  │ PASS   │ 392.419671ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-lengthy-field-index.log)   │ PASS   │ 344.066493ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr.log)                       │ PASS   │ 340.027935ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdrv2-notmanaged.log)          │ PASS   │ 342.015995ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-linux.log)                     │ PASS   │ 338.581524ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-macos.log)                     │ PASS   │ 325.249412ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-tags-formats.log)              │ PASS   │ 363.011579ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-windows.log)                   │ PASS   │ 447.255036ms │
│ crowdstrike │ fdr         │ pipeline  │ test-data.log                                                 │ PASS   │ 224.980587ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-cspm-ioa.log                                         │ PASS   │ 194.166866ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-cspm-iom-evaluation.log                              │ PASS   │  184.71006ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-cspm-iom.log                                         │ PASS   │ 173.779343ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-epp-detection-summary.log                            │ PASS   │ 552.064945ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-lengthy-field-delete.log                             │ PASS   │ 167.081273ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-lengthy-field-index.log                              │ PASS   │ 173.847296ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr.log                                                  │ PASS   │ 2.746417735s │
│ crowdstrike │ fdr         │ pipeline  │ test-fdrv2-notmanaged.log                                     │ PASS   │ 152.450961ms │
│ crowdstrike │ fdr         │ pipeline  │ test-linux.log                                                │ PASS   │ 310.175636ms │
│ crowdstrike │ fdr         │ pipeline  │ test-macos.log                                                │ PASS   │ 487.159451ms │
│ crowdstrike │ fdr         │ pipeline  │ test-tags-formats.log                                         │ PASS   │ 154.757749ms │
│ crowdstrike │ fdr         │ pipeline  │ test-windows.log                                              │ PASS   │ 2.236329709s │
╰─────────────┴─────────────┴───────────┴───────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: crowdstrike - END   ---
Done

Screenshots

CrowdStrike CSPM Dashboard: [screenshot: crowdstrike-cspm-dashboard]

elastic-vault-github-plugin-prod commented:

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Review comment on the pipeline (context lines shown):

    ignore_missing: true

    # Renames
    - rename:

navnit-elastic (Contributor, Author) commented:

These renames are not necessary, maybe we can remove this.


Review comment on the pipeline (context lines shown):

    # Converts
    - convert:
        field: crowdstrike.Severity

navnit-elastic (Contributor, Author) commented:

This field is already defined as an integer.

Review comment on the pipeline (context lines shown):

        target_field: crowdstrike.resource_name
        if: ctx.crowdstrike?.resource instanceof String
        ignore_missing: true
    - remove:

navnit-elastic (Contributor, Author) commented:

This is to make sure that no cloud.* fields collide.
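The type-guarded rename in the fragment above (`if: ctx.crowdstrike?.resource instanceof String`), emulated in Python as an added example; this is not the integration's own pipeline code. It assumes the processor's source field is `crowdstrike.resource` (taken from the `if` condition) and uses constructed sample events; the conflict checker shows the string-versus-object mapping clash that such a guard prevents.

```python
from copy import deepcopy

# Constructed sample events (not real FDR data): the same dotted path
# `crowdstrike.resource` arrives once as a string and once as an object.
SAMPLE_EVENTS = [
    {"crowdstrike": {"resource": "arn:aws:s3:::example-bucket", "Severity": 3}},
    {"crowdstrike": {"resource": {"id": "res-0001", "type": "bucket"}, "Severity": 2}},
]


def rename_resource_if_string(event: dict) -> dict:
    """Emulate the review fragment's processor (source field assumed):
         - rename:
             field: crowdstrike.resource
             target_field: crowdstrike.resource_name
             if: ctx.crowdstrike?.resource instanceof String
             ignore_missing: true
    Painless `?.` is null-safe, so a missing parent makes the condition
    false and the event is returned untouched."""
    doc = deepcopy(event)
    cs = doc.get("crowdstrike")
    if isinstance(cs, dict) and isinstance(cs.get("resource"), str):
        cs["resource_name"] = cs.pop("resource")
    return doc


def field_type_conflicts(events: list) -> list:
    """Dotted paths whose JSON type differs across events. An Elasticsearch
    index maps each path once, so a string in one document and an object in
    another for the same path is rejected at index time (mapping conflict)."""
    seen, conflicts = {}, set()

    def walk(node: dict, prefix: str) -> None:
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            kind = "object" if isinstance(value, dict) else type(value).__name__
            if seen.setdefault(path, kind) != kind:
                conflicts.add(path)
            if isinstance(value, dict):
                walk(value, path)

    for event in events:
        walk(event, "")
    return sorted(conflicts)


if __name__ == "__main__":
    print("before:", field_type_conflicts(SAMPLE_EVENTS))  # ['crowdstrike.resource']
    fixed = [rename_resource_if_string(e) for e in SAMPLE_EVENTS]
    print("after: ", field_type_conflicts(fixed))          # []
```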

navnit-elastic (Contributor, Author) commented:

The discrepancy I noticed in the CSPM dashboard is that the metrics are not exactly the same as those shown in the CrowdStrike dashboard.
This could be due to duplicate events in the FDR data stream (I noticed a few) or delays in the logs being sent from CrowdStrike to S3.

The FDR feed consists of regular transfers of data (data dumps), intended to store data beyond the Falcon retention period.

navnit-elastic added labels on Oct 28, 2025: documentation (Improvements or additions to documentation. Applied to PRs that modify *.md files.), enhancement (New feature or request), Integration:crowdstrike (CrowdStrike), Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]), Team:Sit-Crest (Crest developers on the Security Integrations team [elastic/sit-crest-contractors])
navnit-elastic self-assigned this on Oct 28, 2025
navnit-elastic changed the title from "crowdstrike: add support for cspm events in FDR data stream" to "crowdstrike: add parsing for cspm events in FDR data stream" on Oct 28, 2025
andrewkroh added the label dashboard (Relates to a Kibana dashboard bug, enhancement, or modification.) on Oct 28, 2025
elasticmachine commented:

💚 Build Succeeded

cc @navnit-elastic
