
Add system test for CrowdStrike Falcon #429

Merged: 2 commits, Dec 9, 2020

Conversation

andrewkroh (Member)
What does this PR do?

Add a system test for CrowdStrike Falcon and fix the issues it detected.
These were the errors initially detected.

crowdstrike/falcon :
[0] field "crowdstrike.event.PatternDispositionFlags.Detect" is undefined
[1] field "crowdstrike.event.PatternDispositionFlags.InddetMask" is undefined
[2] field "crowdstrike.event.PatternDispositionFlags.Indicator" is undefined
[3] field "crowdstrike.event.PatternDispositionFlags.KillParent" is undefined
[4] field "crowdstrike.event.PatternDispositionFlags.KillProcess" is undefined
[5] field "crowdstrike.event.PatternDispositionFlags.KillSubProcess" is undefined
[6] field "crowdstrike.event.PatternDispositionFlags.OperationBlocked" is undefined
[7] field "crowdstrike.event.PatternDispositionFlags.PolicyDisabled" is undefined
[8] field "crowdstrike.event.PatternDispositionFlags.ProcessBlocked" is undefined
[9] field "crowdstrike.event.PatternDispositionFlags.QuarantineFile" is undefined
[10] field "crowdstrike.event.PatternDispositionFlags.QuarantineMachine" is undefined
[11] field "crowdstrike.event.PatternDispositionFlags.Rooting" is undefined
[12] field "crowdstrike.event.PatternDispositionFlags.SensorOnly" is undefined
[13] parsing field value failed: field "crowdstrike.event.LocalPort"'s Go type, string, does not match the expected field type: long
[14] parsing field value failed: field "crowdstrike.event.PID"'s Go type, string, does not match the expected field type: long
[15] parsing field value failed: field "crowdstrike.event.ProcessEndTime"'s Go type, float64, does not match the expected field type: date
[16] parsing field value failed: field "crowdstrike.event.RemotePort"'s Go type, string, does not match the expected field type: long
[17] parsing field value failed: field "destination.port"'s Go type, string, does not match the expected field type: long
[18] parsing field value failed: field "process.pid"'s Go type, string, does not match the expected field type: long
[19] parsing field value failed: field "source.port"'s Go type, string, does not match the expected field type: long

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all datasets collect metrics or logs.

How to test this PR locally

elastic-package stack up -d
$(elastic-package stack shellinit)
cd crowdstrike/data_stream/falcon
elastic-package test system -v

andrewkroh (Member Author) commented Dec 2, 2020

The pipeline needs to be updated to correct the JSON data types to match the mapping.
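
The mismatch that comment describes, as an added example that is not code from this PR or from the integration: a miniature version of the field check that elastic-package's system test performs, followed by the conversions the second commit lists (ports and PIDs to long, ProcessEndTime dropped when it is 0), applied to a constructed event. The field names are the PR's; the `boolean` type for the PatternDispositionFlags entries, the sample event, and the ISO-8601 rendering of a nonzero ProcessEndTime are assumptions of this example, since the page does not show them.

```python
import copy
from datetime import datetime, timezone

# Field definitions as the data stream shipped them before this PR (name -> type).
# The types for these fields come from the PR's error output.
FIELDS_BEFORE = {
    "crowdstrike.event.LocalPort": "long",
    "crowdstrike.event.RemotePort": "long",
    "crowdstrike.event.PID": "long",
    "crowdstrike.event.ProcessEndTime": "date",
    "source.port": "long",
    "destination.port": "long",
    "process.pid": "long",
}
# The PR adds the PatternDispositionFlags fields; "boolean" is an assumption here.
FIELDS_AFTER = dict(FIELDS_BEFORE, **{
    "crowdstrike.event.PatternDispositionFlags.Detect": "boolean",
    "crowdstrike.event.PatternDispositionFlags.KillProcess": "boolean",
})

# Constructed document shaped like the pipeline output before the fix: the
# sensor's ports and PIDs arrive as JSON strings, ProcessEndTime as a number.
SAMPLE_EVENT = {
    "crowdstrike": {"event": {
        "LocalPort": "49152", "RemotePort": "443", "PID": "4312",
        "ProcessEndTime": 0.0,
        "PatternDispositionFlags": {"Detect": True, "KillProcess": False},
    }},
    "source": {"port": "49152"},
    "destination": {"port": "443"},
    "process": {"pid": "4312"},
}


def flatten(doc, prefix=""):
    """Turn nested dicts into the dotted field names the mapping uses."""
    flat = {}
    for key, value in doc.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def _is_date(value):
    """True if value is an ISO-8601 string a date field would accept."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def check_fields(doc, fields):
    """Report undefined fields and type mismatches, like the system test does."""
    errors = []
    for name, value in sorted(flatten(doc).items()):
        if name not in fields:
            errors.append(f'field "{name}" is undefined')
            continue
        expected = fields[name]
        ok = {
            # bool is a subclass of int in Python, so exclude it explicitly
            "long": isinstance(value, int) and not isinstance(value, bool),
            "boolean": isinstance(value, bool),
            "date": _is_date(value),
        }[expected]
        if not ok:
            errors.append(f'field "{name}" has type {type(value).__name__}, '
                          f'expected {expected}')
    return errors


def fix_types(doc):
    """Apply the type fixes from the commit list to a copy of the document."""
    doc = copy.deepcopy(doc)
    event = doc["crowdstrike"]["event"]
    for name in ("LocalPort", "RemotePort", "PID"):  # "<field>, long"
        if name in event:
            event[name] = int(event[name])
    for section, key in (("source", "port"), ("destination", "port"), ("process", "pid")):
        if key in doc.get(section, {}):
            doc[section][key] = int(doc[section][key])
    # "ProcessEndTime, delete if 0": a 0 would otherwise be indexed as the Unix
    # epoch (1970-01-01), a bogus process end. Rendering a nonzero epoch-seconds
    # value as ISO-8601 at second resolution is this example's assumption.
    end = event.get("ProcessEndTime")
    if end is not None:
        if end == 0:
            del event["ProcessEndTime"]
        else:
            event["ProcessEndTime"] = datetime.fromtimestamp(
                end, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return doc


if __name__ == "__main__":
    for err in check_fields(SAMPLE_EVENT, FIELDS_BEFORE):
        print("before:", err)
    print("after:", check_fields(fix_types(SAMPLE_EVENT), FIELDS_AFTER) or "no errors")
```

Run as a script it prints the nine pre-fix errors (two undefined fields, seven type mismatches, matching the shape of the list in the PR description) and no errors once the conversions are applied and the flag fields are defined. The same split applies to the real pipeline: the undefined-field errors are fixed in the fields definition, the type errors in the processors.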

elasticmachine commented Dec 2, 2020

💚 Build Succeeded


Build stats

  • Build Cause: Branch indexing

  • Start Time: 2020-12-08T22:28:41.977+0000

  • Duration: 18 min 3 sec

Test stats: Failed 0, Passed 73, Skipped 0, Total 73

@leehinman leehinman marked this pull request as ready for review December 2, 2020 19:23
elasticmachine commented

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

leehinman (Contributor) commented

run tests

@andrewkroh andrewkroh merged commit 5a52482 into elastic:master Dec 9, 2020
eyalkraft pushed a commit to build-security/integrations that referenced this pull request Mar 30, 2022
* Add system test for CrowdStrike Falcon

* Fix types for crowdstrike

- crowdstrike.event.LocalPort, long
- crowdstrike.event.PID, long
- crowdstrike.event.ProcessEndTime, delete if 0
- crowdstrike.event.RemotePort, long
- destination.port, long
- process.pid, long
- source.port, long

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>