Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions packages/crowdstrike/_dev/build/docs/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,7 @@ The following event types are supported for CrowdStrike Event Streams (whether y
- IDP Incidents
- IDP Summary events
- Mobile Detection events
- OverwatchGenericDetectionSummaryEvent
- Recon Notification events
- XDR Detection events
- Scheduled Report Notification events
Expand Down
5 changes: 5 additions & 0 deletions packages/crowdstrike/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "4.1.0"
changes:
- description: Add support for OverwatchGenericDetectionSummaryEvent in the Falcon data stream.
type: enhancement
link: https://github.com/elastic/integrations/pull/19969
- version: "4.0.0"
changes:
- description: >-
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
{"metadata":{"customerIDString":"12345a1bc2d34fghi56jk7890lmno12p","eventType":"OverwatchGenericDetectionSummaryEvent","offset":1234567890,"version":"1.0"},"event":{"CompositeId":"718af202ab2c4ba5b6a5d10d39c0e0a5:lead:generic|718af202ab2c4ba5b6a5d10d39c0e0a5:89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b","Timestamp":"2026-05-15T10:15:00Z","Name":"OverwatchDetection","DisplayName":"OverWatch Detection","Description":"Falcon Overwatch has identified malicious activity. This has been raised forimmediate action and should be investigated urgently.","Category":"Cloud","FalconHostLink":"https://falcon.crowdstrike.com/unified-detections/1abcd2345b8c4151a0cb45dcfbe6d3d0:lead:generic%7C718af202ab2c4ba5b6a5d10d39c0e0a5:79b0c4b0-1a2d-4e56-7a8b-9c0d1e2f3a4b?_cid=718af202ab2c4ba5b6a5d10d39c0e0a5","Severity":70,"SeverityName":"High","MitreAttack":[{"Tactic":"Falcon Overwatch","TacticID":"CSTA0006","Technique":"Malicious Activity","TechniqueID":"T1589.003"}]}}
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
{
"expected": [
{
"crowdstrike": {
"event": {
"Category": "Cloud",
"DisplayName": "OverWatch Detection",
"MitreAttack": [
{
"Tactic": "Falcon Overwatch",
"TacticID": "CSTA0006",
"Technique": "Malicious Activity",
"TechniqueID": "T1589.003"
}
],
"Name": "OverwatchDetection",
"Severity": 70,
"SeverityName": "High",
"Timestamp": "2026-05-15T10:15:00Z"
},
"metadata": {
"customerIDString": "12345a1bc2d34fghi56jk7890lmno12p",
"eventType": "OverwatchGenericDetectionSummaryEvent",
"offset": 1234567890,
"version": "1.0"
}
},
"ecs": {
"version": "8.17.0"
},
"event": {
"category": [
"malware"
],
"id": "718af202ab2c4ba5b6a5d10d39c0e0a5:lead:generic|718af202ab2c4ba5b6a5d10d39c0e0a5:89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b",
"kind": "alert",
"original": "{\"metadata\":{\"customerIDString\":\"12345a1bc2d34fghi56jk7890lmno12p\",\"eventType\":\"OverwatchGenericDetectionSummaryEvent\",\"offset\":1234567890,\"version\":\"1.0\"},\"event\":{\"CompositeId\":\"718af202ab2c4ba5b6a5d10d39c0e0a5:lead:generic|718af202ab2c4ba5b6a5d10d39c0e0a5:89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b\",\"Timestamp\":\"2026-05-15T10:15:00Z\",\"Name\":\"OverwatchDetection\",\"DisplayName\":\"OverWatch Detection\",\"Description\":\"Falcon Overwatch has identified malicious activity. This has been raised forimmediate action and should be investigated urgently.\",\"Category\":\"Cloud\",\"FalconHostLink\":\"https://falcon.crowdstrike.com/unified-detections/1abcd2345b8c4151a0cb45dcfbe6d3d0:lead:generic%7C718af202ab2c4ba5b6a5d10d39c0e0a5:79b0c4b0-1a2d-4e56-7a8b-9c0d1e2f3a4b?_cid=718af202ab2c4ba5b6a5d10d39c0e0a5\",\"Severity\":70,\"SeverityName\":\"High\",\"MitreAttack\":[{\"Tactic\":\"Falcon Overwatch\",\"TacticID\":\"CSTA0006\",\"Technique\":\"Malicious Activity\",\"TechniqueID\":\"T1589.003\"}]}}",
"reference": "https://falcon.crowdstrike.com/unified-detections/1abcd2345b8c4151a0cb45dcfbe6d3d0:lead:generic%7C718af202ab2c4ba5b6a5d10d39c0e0a5:79b0c4b0-1a2d-4e56-7a8b-9c0d1e2f3a4b?_cid=718af202ab2c4ba5b6a5d10d39c0e0a5",
"severity": 73,
"type": [
"info"
]
},
"message": "Falcon Overwatch has identified malicious activity. This has been raised forimmediate action and should be investigated urgently.",
"observer": {
"product": "Falcon",
"vendor": "Crowdstrike"
},
"tags": [
"preserve_original_event"
],
"threat": {
"framework": "CrowdStrike Falcon Detections Framework",
"tactic": {
"id": [
"CSTA0006"
],
"name": [
"Falcon Overwatch"
]
},
"technique": {
"id": [
"T1589.003"
],
"name": [
"Malicious Activity"
]
}
}
}
]
}
Original file line number Diff line number Diff line change
Expand Up @@ -256,7 +256,6 @@ processors:
]
}


- pipeline:
name: '{{ IngestPipeline "automated_lead_summary" }}'
tag: pipeline_automated_lead_summary
Expand All @@ -281,6 +280,10 @@ processors:
name: '{{ IngestPipeline "mobile_detection_summary" }}'
tag: pipeline_mobile_detection_summary
if: ctx.crowdstrike?.metadata?.eventType == "MobileDetectionSummaryEvent"
- pipeline:
name: '{{ IngestPipeline "overwatch_generic_detection_summary" }}'
tag: pipeline_overwatch_generic_detection_summary
if: ctx.crowdstrike?.metadata?.eventType == "OverwatchGenericDetectionSummaryEvent"
- pipeline:
name: '{{ IngestPipeline "incident_summary" }}'
tag: pipeline_incident_summary
Expand Down Expand Up @@ -577,6 +580,7 @@ processors:
ctx.threat.framework = frameworks.iterator().next();
on_failure:
- append:
tag: append_error_message_95be3cd6
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
# This removes any fields that are mapped to ECS, but have not been renamed.
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
---
description: Pipeline for OverwatchGenericDetectionSummaryEvent events.
processors:
- set:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🟡 Medium confidence: high path: packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/overwatch_generic_detection_summary.yml:4

Overwatch pipeline never maps the event's ISO Timestamp, so @​timestamp falls back to ingest time; add a date processor mapping crowdstrike.event.Timestamp to @​timestamp.

Details

OverwatchGenericDetectionSummaryEvent carries its detection time only in crowdstrike.event.Timestamp (an ISO8601 string, e.g. 2026-05-15T10:15:00Z) and has no UTCTimestamp, eventCreationTime, or ContextTimeStamp. The default pipeline's date processors and the '@​timestamp copy_from event.created' step (default.yml lines 133-167) all run BEFORE this sub-pipeline is invoked (default.yml line 284) and find no usable field, and this sub-pipeline sets no date field. The result is that neither @​timestamp nor event.created is ever populated from the event, so @​timestamp defaults to ingestion time and the true detection time is lost. The committed expected output confirms this: it contains no @​timestamp and no event.created. Sibling summary pipelines (recon_notification_summary, mobile_detection_summary, cspm_events) all map their event timestamp; this one is the outlier.

Recommendation:

Add a date processor in the sub-pipeline that parses the ISO Timestamp into @​timestamp (and drop it from the removal list / leave it as-is per package convention):

  - date:
      field: crowdstrike.event.Timestamp
      target_field: '@​timestamp'
      timezone: UTC
      formats:
        - ISO8601
      tag: date_overwatch_timestamp
      if: ctx.crowdstrike?.event?.Timestamp != null
      on_failure:
        - append:
            tag: append_error_message_overwatch_timestamp
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'

Then extend the expected test output to assert the resulting @​timestamp so the mapping stays covered.


🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

field: event.kind
value: alert
tag: set_event_kind
- append:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🔵 Low confidence: medium path: packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/overwatch_generic_detection_summary.yml:8

The overwatch pipeline sets event.kind/type but no event.category; add an appropriate ECS event.category (e.g. threat/malware) as the sibling detection pipelines do.

Details

This pipeline sets event.kind: alert and event.type: info but leaves event.category unset. The sibling detection sub-pipelines in this same data stream (detection_summary.yml, mobile_detection_summary.yml) append an event.category (malware). Alerts without an event.category are harder to filter and correlate in category-based security views and detection rules.

Recommendation:

Append a semantically appropriate ECS event.category for the detection, for example:

- append:
    field: event.category
    value: threat
    tag: append_threat_category

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamiehynds, do you have preference on event.category for OverwatchGenericDetectionSummaryEvent?

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@navnit-elastic I'd recommend event.category: malware to ensure consistency with our other CrowdStrike mappings. Although not every OverWatchDetection will be confirmed malware, they're typically EDR-sourced threat-hunting alerts, so they fall squarely under this category even when the specific finding is behavioral.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamiehynds, Thank you for the confirmation.

field: event.category
value: malware
tag: append_malware_category
- append:
field: event.type
value: info
tag: append_info_type
- rename:
field: crowdstrike.event.CompositeId
target_field: event.id
ignore_missing: true
tag: rename_composite_id_to_event_id
- rename:
field: crowdstrike.event.FalconHostLink
target_field: event.reference
ignore_missing: true
tag: rename_falcon_host_link
- rename:
field: crowdstrike.event.Description
target_field: message
ignore_missing: true
tag: rename_description_to_message
- convert:
Comment thread
navnit-elastic marked this conversation as resolved.
field: crowdstrike.event.Severity
type: long
ignore_missing: true
tag: convert_severity_to_long
on_failure:
- remove:
tag: remove_crowdstrike_event_Severity_2c932c83
field: crowdstrike.event.Severity
ignore_missing: true
- append:
tag: append_error_message_48722b3e
field: error.message
value: |-
Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}
on_failure:
- append:
field: error.message
value: |-
Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
- set:
field: event.kind
value: pipeline_error
- append:
field: tags
value: preserve_original_event
allow_duplicates: false
4 changes: 4 additions & 0 deletions packages/crowdstrike/data_stream/falcon/fields/fields.yml
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,10 @@
Name of the computer where the detection occurred.
- name: Description
type: keyword
- name: DisplayName
type: keyword
description: |
The user-friendly detection name.
- name: DetectName
type: keyword
description: |
Expand Down
2 changes: 2 additions & 0 deletions packages/crowdstrike/docs/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,7 @@ The following event types are supported for CrowdStrike Event Streams (whether y
- IDP Incidents
- IDP Summary events
- Mobile Detection events
- OverwatchGenericDetectionSummaryEvent
- Recon Notification events
- XDR Detection events
- Scheduled Report Notification events
Expand Down Expand Up @@ -1297,6 +1298,7 @@ An example event for `falcon` looks as following:
| crowdstrike.event.DetectName | Name of the detection. | keyword |
| crowdstrike.event.DetectionType | | keyword |
| crowdstrike.event.DeviceId | Device on which the event occurred. | keyword |
| crowdstrike.event.DisplayName | The user-friendly detection name. | keyword |
| crowdstrike.event.DnsRequests | Detected DNS requests done by a process. | nested |
| crowdstrike.event.DocumentsAccessed | Detected documents accessed by a process. | nested |
| crowdstrike.event.DomainName | | keyword |
Expand Down
2 changes: 1 addition & 1 deletion packages/crowdstrike/manifest.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: crowdstrike
title: CrowdStrike
version: "4.0.0"
version: "4.1.0"
description: Collect logs from Crowdstrike with Elastic Agent.
type: integration
format_version: "3.4.0"
Expand Down
Loading