-
Notifications
You must be signed in to change notification settings - Fork 604
crowdstrike: add support for OverwatchGenericDetectionSummaryEvent in falcon data stream #19969
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| {"metadata":{"customerIDString":"12345a1bc2d34fghi56jk7890lmno12p","eventType":"OverwatchGenericDetectionSummaryEvent","offset":1234567890,"version":"1.0"},"event":{"CompositeId":"718af202ab2c4ba5b6a5d10d39c0e0a5:lead:generic|718af202ab2c4ba5b6a5d10d39c0e0a5:89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b","Timestamp":"2026-05-15T10:15:00Z","Name":"OverwatchDetection","DisplayName":"OverWatch Detection","Description":"Falcon Overwatch has identified malicious activity. This has been raised forimmediate action and should be investigated urgently.","Category":"Cloud","FalconHostLink":"https://falcon.crowdstrike.com/unified-detections/1abcd2345b8c4151a0cb45dcfbe6d3d0:lead:generic%7C718af202ab2c4ba5b6a5d10d39c0e0a5:79b0c4b0-1a2d-4e56-7a8b-9c0d1e2f3a4b?_cid=718af202ab2c4ba5b6a5d10d39c0e0a5","Severity":70,"SeverityName":"High","MitreAttack":[{"Tactic":"Falcon Overwatch","TacticID":"CSTA0006","Technique":"Malicious Activity","TechniqueID":"T1589.003"}]}} |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| { | ||
| "expected": [ | ||
| { | ||
| "crowdstrike": { | ||
| "event": { | ||
| "Category": "Cloud", | ||
| "DisplayName": "OverWatch Detection", | ||
| "MitreAttack": [ | ||
| { | ||
| "Tactic": "Falcon Overwatch", | ||
| "TacticID": "CSTA0006", | ||
| "Technique": "Malicious Activity", | ||
| "TechniqueID": "T1589.003" | ||
| } | ||
| ], | ||
| "Name": "OverwatchDetection", | ||
| "Severity": 70, | ||
| "SeverityName": "High", | ||
| "Timestamp": "2026-05-15T10:15:00Z" | ||
| }, | ||
| "metadata": { | ||
| "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", | ||
| "eventType": "OverwatchGenericDetectionSummaryEvent", | ||
| "offset": 1234567890, | ||
| "version": "1.0" | ||
| } | ||
| }, | ||
| "ecs": { | ||
| "version": "8.17.0" | ||
| }, | ||
| "event": { | ||
| "category": [ | ||
| "malware" | ||
| ], | ||
| "id": "718af202ab2c4ba5b6a5d10d39c0e0a5:lead:generic|718af202ab2c4ba5b6a5d10d39c0e0a5:89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b", | ||
| "kind": "alert", | ||
| "original": "{\"metadata\":{\"customerIDString\":\"12345a1bc2d34fghi56jk7890lmno12p\",\"eventType\":\"OverwatchGenericDetectionSummaryEvent\",\"offset\":1234567890,\"version\":\"1.0\"},\"event\":{\"CompositeId\":\"718af202ab2c4ba5b6a5d10d39c0e0a5:lead:generic|718af202ab2c4ba5b6a5d10d39c0e0a5:89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b\",\"Timestamp\":\"2026-05-15T10:15:00Z\",\"Name\":\"OverwatchDetection\",\"DisplayName\":\"OverWatch Detection\",\"Description\":\"Falcon Overwatch has identified malicious activity. This has been raised forimmediate action and should be investigated urgently.\",\"Category\":\"Cloud\",\"FalconHostLink\":\"https://falcon.crowdstrike.com/unified-detections/1abcd2345b8c4151a0cb45dcfbe6d3d0:lead:generic%7C718af202ab2c4ba5b6a5d10d39c0e0a5:79b0c4b0-1a2d-4e56-7a8b-9c0d1e2f3a4b?_cid=718af202ab2c4ba5b6a5d10d39c0e0a5\",\"Severity\":70,\"SeverityName\":\"High\",\"MitreAttack\":[{\"Tactic\":\"Falcon Overwatch\",\"TacticID\":\"CSTA0006\",\"Technique\":\"Malicious Activity\",\"TechniqueID\":\"T1589.003\"}]}}", | ||
| "reference": "https://falcon.crowdstrike.com/unified-detections/1abcd2345b8c4151a0cb45dcfbe6d3d0:lead:generic%7C718af202ab2c4ba5b6a5d10d39c0e0a5:79b0c4b0-1a2d-4e56-7a8b-9c0d1e2f3a4b?_cid=718af202ab2c4ba5b6a5d10d39c0e0a5", | ||
| "severity": 73, | ||
| "type": [ | ||
| "info" | ||
| ] | ||
| }, | ||
| "message": "Falcon Overwatch has identified malicious activity. This has been raised forimmediate action and should be investigated urgently.", | ||
| "observer": { | ||
| "product": "Falcon", | ||
| "vendor": "Crowdstrike" | ||
| }, | ||
| "tags": [ | ||
| "preserve_original_event" | ||
| ], | ||
| "threat": { | ||
| "framework": "CrowdStrike Falcon Detections Framework", | ||
| "tactic": { | ||
| "id": [ | ||
| "CSTA0006" | ||
| ], | ||
| "name": [ | ||
| "Falcon Overwatch" | ||
| ] | ||
| }, | ||
| "technique": { | ||
| "id": [ | ||
| "T1589.003" | ||
| ], | ||
| "name": [ | ||
| "Malicious Activity" | ||
| ] | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| --- | ||
| description: Pipeline for OverwatchGenericDetectionSummaryEvent events. | ||
| processors: | ||
| - set: | ||
| field: event.kind | ||
| value: alert | ||
| tag: set_event_kind | ||
| - append: | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Severity: 🔵 Low The overwatch pipeline sets event.kind/type but no event.category; add an appropriate ECS event.category (e.g. threat/malware) as the sibling detection pipelines do. DetailsThis pipeline sets event.kind: alert and event.type: info but leaves event.category unset. The sibling detection sub-pipelines in this same data stream (detection_summary.yml, mobile_detection_summary.yml) append an event.category (malware). Alerts without an event.category are harder to filter and correlate in category-based security views and detection rules. Recommendation: Append a semantically appropriate ECS event.category for the detection, for example: - append:
field: event.category
value: threat
tag: append_threat_category🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @jamiehynds, do you have preference on There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @navnit-elastic I'd recommend
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @jamiehynds, Thank you for the confirmation. |
||
| field: event.category | ||
| value: malware | ||
| tag: append_malware_category | ||
| - append: | ||
| field: event.type | ||
| value: info | ||
| tag: append_info_type | ||
| - rename: | ||
| field: crowdstrike.event.CompositeId | ||
| target_field: event.id | ||
| ignore_missing: true | ||
| tag: rename_composite_id_to_event_id | ||
| - rename: | ||
| field: crowdstrike.event.FalconHostLink | ||
| target_field: event.reference | ||
| ignore_missing: true | ||
| tag: rename_falcon_host_link | ||
| - rename: | ||
| field: crowdstrike.event.Description | ||
| target_field: message | ||
| ignore_missing: true | ||
| tag: rename_description_to_message | ||
| - convert: | ||
|
navnit-elastic marked this conversation as resolved.
|
||
| field: crowdstrike.event.Severity | ||
| type: long | ||
| ignore_missing: true | ||
| tag: convert_severity_to_long | ||
| on_failure: | ||
| - remove: | ||
| tag: remove_crowdstrike_event_Severity_2c932c83 | ||
| field: crowdstrike.event.Severity | ||
| ignore_missing: true | ||
| - append: | ||
| tag: append_error_message_48722b3e | ||
| field: error.message | ||
| value: |- | ||
| Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}} | ||
| on_failure: | ||
| - append: | ||
| field: error.message | ||
| value: |- | ||
| Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" | ||
| - set: | ||
| field: event.kind | ||
| value: pipeline_error | ||
| - append: | ||
| field: tags | ||
| value: preserve_original_event | ||
| allow_duplicates: false | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Severity: 🟡 Medium
confidence: highpath: packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/overwatch_generic_detection_summary.yml:4Overwatch pipeline never maps the event's ISO Timestamp, so @timestamp falls back to ingest time; add a date processor mapping crowdstrike.event.Timestamp to @timestamp.
Details
OverwatchGenericDetectionSummaryEvent carries its detection time only in crowdstrike.event.Timestamp (an ISO8601 string, e.g. 2026-05-15T10:15:00Z) and has no UTCTimestamp, eventCreationTime, or ContextTimeStamp. The default pipeline's date processors and the '@timestamp copy_from event.created' step (default.yml lines 133-167) all run BEFORE this sub-pipeline is invoked (default.yml line 284) and find no usable field, and this sub-pipeline sets no date field. The result is that neither @timestamp nor event.created is ever populated from the event, so @timestamp defaults to ingestion time and the true detection time is lost. The committed expected output confirms this: it contains no @timestamp and no event.created. Sibling summary pipelines (recon_notification_summary, mobile_detection_summary, cspm_events) all map their event timestamp; this one is the outlier.
Recommendation:
Add a date processor in the sub-pipeline that parses the ISO Timestamp into @timestamp (and drop it from the removal list / leave it as-is per package convention):
Then extend the expected test output to assert the resulting @timestamp so the mapping stays covered.
🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills