Skip to content

Commit 60cc39d

Browse files
crowdstrike: add support for OverwatchGenericDetectionSummaryEvent in falcon data stream
1 parent f8ef9d7 commit 60cc39d

9 files changed

Lines changed: 142 additions & 2 deletions

File tree

packages/crowdstrike/_dev/build/docs/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -108,6 +108,7 @@ The following event types are supported for CrowdStrike Event Streams (whether y
108108
- IDP Incidents
109109
- IDP Summary events
110110
- Mobile Detection events
111+
- OverwatchGenericDetectionSummaryEvent
111112
- Recon Notification events
112113
- XDR Detection events
113114
- Scheduled Report Notification events

packages/crowdstrike/changelog.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,9 @@
11
# newer versions go on top
2+
- version: "3.27.0"
3+
changes:
4+
- description: Add support for OverwatchGenericDetectionSummaryEvent in the Falcon data stream.
5+
type: enhancement
6+
link: https://github.com/elastic/integrations/pull/1
27
- version: "3.26.1"
38
changes:
49
- description: Remove incorrect unlimited maximum executions documentation.
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
{"metadata":{"customerIDString":"12345a1bc2d34fghi56jk7890lmno12p","eventType":"OverwatchGenericDetectionSummaryEvent","offset":1234567890,"version":"1.0"},"event":{"CompositeId":"718af202ab2c4ba5b6a5d10d39c0e0a5:lead:generic|718af202ab2c4ba5b6a5d10d39c0e0a5:89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b","Timestamp":"2026-05-15T10:15:00Z","Name":"OverwatchDetection","DisplayName":"OverWatch Detection","Description":"Falcon Overwatch has identified malicious activity. This has been raised forimmediate action and should be investigated urgently.","Category":"Cloud","FalconHostLink":"https://falcon.crowdstrike.com/unified-detections/1abcd2345b8c4151a0cb45dcfbe6d3d0:lead:generic%7C718af202ab2c4ba5b6a5d10d39c0e0a5:79b0c4b0-1a2d-4e56-7a8b-9c0d1e2f3a4b?_cid=718af202ab2c4ba5b6a5d10d39c0e0a5","Severity":70,"SeverityName":"High","MitreAttack":[{"Tactic":"Falcon Overwatch","TacticID":"CSTA0006","Technique":"Malicious Activity","TechniqueID":"T1589.003"}]}}
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,70 @@
1+
{
2+
"expected": [
3+
{
4+
"crowdstrike": {
5+
"event": {
6+
"Category": "Cloud",
7+
"DisplayName": "OverWatch Detection",
8+
"MitreAttack": [
9+
{
10+
"Tactic": "Falcon Overwatch",
11+
"TacticID": "CSTA0006",
12+
"Technique": "Malicious Activity",
13+
"TechniqueID": "T1589.003"
14+
}
15+
],
16+
"Name": "OverwatchDetection",
17+
"Severity": 70,
18+
"SeverityName": "High",
19+
"Timestamp": "2026-05-15T10:15:00Z"
20+
},
21+
"metadata": {
22+
"customerIDString": "12345a1bc2d34fghi56jk7890lmno12p",
23+
"eventType": "OverwatchGenericDetectionSummaryEvent",
24+
"offset": 1234567890,
25+
"version": "1.0"
26+
}
27+
},
28+
"ecs": {
29+
"version": "8.17.0"
30+
},
31+
"event": {
32+
"id": "718af202ab2c4ba5b6a5d10d39c0e0a5:lead:generic|718af202ab2c4ba5b6a5d10d39c0e0a5:89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b",
33+
"kind": "alert",
34+
"original": "{\"metadata\":{\"customerIDString\":\"12345a1bc2d34fghi56jk7890lmno12p\",\"eventType\":\"OverwatchGenericDetectionSummaryEvent\",\"offset\":1234567890,\"version\":\"1.0\"},\"event\":{\"CompositeId\":\"718af202ab2c4ba5b6a5d10d39c0e0a5:lead:generic|718af202ab2c4ba5b6a5d10d39c0e0a5:89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b\",\"Timestamp\":\"2026-05-15T10:15:00Z\",\"Name\":\"OverwatchDetection\",\"DisplayName\":\"OverWatch Detection\",\"Description\":\"Falcon Overwatch has identified malicious activity. This has been raised forimmediate action and should be investigated urgently.\",\"Category\":\"Cloud\",\"FalconHostLink\":\"https://falcon.crowdstrike.com/unified-detections/1abcd2345b8c4151a0cb45dcfbe6d3d0:lead:generic%7C718af202ab2c4ba5b6a5d10d39c0e0a5:79b0c4b0-1a2d-4e56-7a8b-9c0d1e2f3a4b?_cid=718af202ab2c4ba5b6a5d10d39c0e0a5\",\"Severity\":70,\"SeverityName\":\"High\",\"MitreAttack\":[{\"Tactic\":\"Falcon Overwatch\",\"TacticID\":\"CSTA0006\",\"Technique\":\"Malicious Activity\",\"TechniqueID\":\"T1589.003\"}]}}",
35+
"reference": "https://falcon.crowdstrike.com/unified-detections/1abcd2345b8c4151a0cb45dcfbe6d3d0:lead:generic%7C718af202ab2c4ba5b6a5d10d39c0e0a5:79b0c4b0-1a2d-4e56-7a8b-9c0d1e2f3a4b?_cid=718af202ab2c4ba5b6a5d10d39c0e0a5",
36+
"severity": 73,
37+
"type": [
38+
"info"
39+
]
40+
},
41+
"message": "Falcon Overwatch has identified malicious activity. This has been raised forimmediate action and should be investigated urgently.",
42+
"observer": {
43+
"product": "Falcon",
44+
"vendor": "Crowdstrike"
45+
},
46+
"tags": [
47+
"preserve_original_event"
48+
],
49+
"threat": {
50+
"framework": "CrowdStrike Falcon Detections Framework",
51+
"tactic": {
52+
"id": [
53+
"CSTA0006"
54+
],
55+
"name": [
56+
"Falcon Overwatch"
57+
]
58+
},
59+
"technique": {
60+
"id": [
61+
"T1589.003"
62+
],
63+
"name": [
64+
"Malicious Activity"
65+
]
66+
}
67+
}
68+
}
69+
]
70+
}

packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -256,7 +256,6 @@ processors:
256256
]
257257
}
258258
259-
260259
- pipeline:
261260
name: '{{ IngestPipeline "automated_lead_summary" }}'
262261
tag: pipeline_automated_lead_summary
@@ -281,6 +280,10 @@ processors:
281280
name: '{{ IngestPipeline "mobile_detection_summary" }}'
282281
tag: pipeline_mobile_detection_summary
283282
if: ctx.crowdstrike?.metadata?.eventType == "MobileDetectionSummaryEvent"
283+
- pipeline:
284+
name: '{{ IngestPipeline "overwatch_generic_detection_summary" }}'
285+
tag: pipeline_overwatch_generic_detection_summary
286+
if: ctx.crowdstrike?.metadata?.eventType == "OverwatchGenericDetectionSummaryEvent"
284287
- pipeline:
285288
name: '{{ IngestPipeline "incident_summary" }}'
286289
tag: pipeline_incident_summary
@@ -577,6 +580,7 @@ processors:
577580
ctx.threat.framework = frameworks.iterator().next();
578581
on_failure:
579582
- append:
583+
tag: append_error_message_95be3cd6
580584
field: error.message
581585
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
582586
# This removes any fields that are mapped to ECS, but have not been renamed.
Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
---
2+
description: Pipeline for OverwatchGenericDetectionSummaryEvent events.
3+
processors:
4+
- set:
5+
field: event.kind
6+
value: alert
7+
tag: set_event_kind
8+
- append:
9+
field: event.type
10+
value: info
11+
tag: append_info_type
12+
- rename:
13+
field: crowdstrike.event.CompositeId
14+
target_field: event.id
15+
ignore_missing: true
16+
tag: rename_composite_id_to_event_id
17+
- rename:
18+
field: crowdstrike.event.FalconHostLink
19+
target_field: event.reference
20+
ignore_missing: true
21+
tag: rename_falcon_host_link
22+
- rename:
23+
field: crowdstrike.event.Description
24+
target_field: message
25+
ignore_missing: true
26+
tag: rename_description_to_message
27+
- convert:
28+
field: crowdstrike.event.Severity
29+
type: long
30+
ignore_missing: true
31+
tag: convert_severity_to_long
32+
on_failure:
33+
- remove:
34+
tag: remove_crowdstrike_event_Severity_2c932c83
35+
field: crowdstrike.event.Severity
36+
ignore_missing: true
37+
- append:
38+
tag: append_error_message_48722b3e
39+
field: error.message
40+
value: |-
41+
Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}
42+
on_failure:
43+
- append:
44+
field: error.message
45+
value: |-
46+
Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
47+
- set:
48+
field: event.kind
49+
value: pipeline_error
50+
- append:
51+
field: tags
52+
value: preserve_original_event
53+
allow_duplicates: false

packages/crowdstrike/data_stream/falcon/fields/fields.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,10 @@
5656
Name of the computer where the detection occurred.
5757
- name: Description
5858
type: keyword
59+
- name: DisplayName
60+
type: keyword
61+
description: |
62+
The user-friendly detection name.
5963
- name: DetectName
6064
type: keyword
6165
description: |

packages/crowdstrike/docs/README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -108,6 +108,7 @@ The following event types are supported for CrowdStrike Event Streams (whether y
108108
- IDP Incidents
109109
- IDP Summary events
110110
- Mobile Detection events
111+
- OverwatchGenericDetectionSummaryEvent
111112
- Recon Notification events
112113
- XDR Detection events
113114
- Scheduled Report Notification events
@@ -1297,6 +1298,7 @@ An example event for `falcon` looks as following:
12971298
| crowdstrike.event.DetectName | Name of the detection. | keyword |
12981299
| crowdstrike.event.DetectionType | | keyword |
12991300
| crowdstrike.event.DeviceId | Device on which the event occurred. | keyword |
1301+
| crowdstrike.event.DisplayName | The user-friendly detection name. | keyword |
13001302
| crowdstrike.event.DnsRequests | Detected DNS requests done by a process. | nested |
13011303
| crowdstrike.event.DocumentsAccessed | Detected documents accessed by a process. | nested |
13021304
| crowdstrike.event.DomainName | | keyword |

packages/crowdstrike/manifest.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
name: crowdstrike
22
title: CrowdStrike
3-
version: "3.26.1"
3+
version: "3.27.0"
44
description: Collect logs from Crowdstrike with Elastic Agent.
55
type: integration
66
format_version: "3.4.0"

0 commit comments

Comments
 (0)