crowdstrike: add support for EppDetectionSummaryEvent events (#12869)

Test cases added from:
* https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_6
* https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_7
* https://docs.sekoia.io/integration/categories/endpoint/crowdstrike_falcon/#__tabbed_1_8

Author: efd6

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.58.0"
+  changes:
+    - description: Add support for `EppDetectionSummaryEvent` events.
+      type: enhancement
+      link: http://github.com/elastic/integrations/pull/12869
 - version: "1.57.0"
   changes:
     - description: Reduce storage load for less useful or constant fields.

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json

@@ -119,6 +119,7 @@
                     "DataDomains": "Identity",
                     "Objective": "Gain Access",
                     "PatternId": "51135",
+                    "Severity": 34,
                     "SeverityName": "Low",
                     "SourceAccountUpn": "admin.service@example.com",
                     "SourceEndpointAccountObjectGuid": "C078A5DA-E13B-4418-AA28-802EF8C16210",
@@ -147,7 +148,7 @@
                 "kind": "alert",
                 "original": "{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8693906,\"eventType\":\"IdpDetectionSummaryEvent\",\"eventCreationTime\":1698921607000,\"version\":\"1.0\"},\"event\":{\"ContextTimeStamp\":133433951380000000,\"DetectId\":\"abcabcabc22222:ind:abcabcabc22222:5E8D397E-79C1-AAAA-9715-EEEEEE2222\",\"DetectName\":\"Unusual login to an endpoint\",\"DetectDescription\":\"A user logged into a machine for the first time\",\"FalconHostLink\":\"https://falcon.crowdstrike.com/identity-protection/detections/abcabcabc22222:ind:abcabcabc22222:5E8D397E-79C1-AAAA-9715-EEEEEE2222?_cid=abcabcabc22222\",\"StartTime\":133433949600000000,\"EndTime\":133433949600000000,\"Severity\":34,\"SeverityName\":\"Low\",\"Tactic\":\"InitialAccess\",\"Technique\":\"ValidAccounts\",\"Objective\":\"Gain Access\",\"SourceAccountDomain\":\"NA.AAA.ABC.com\",\"SourceAccountName\":\"abc.service\",\"SourceAccountUpn\":\"admin.service@example.com\",\"SourceAccountObjectSid\":\"S-1-S-1-S-1-1111-1844237615-1801674531-175881\",\"SourceEndpointAccountObjectGuid\":\"C078A5DA-E13B-4418-AA28-802EF8C16210\",\"SourceEndpointAccountObjectSid\":\"S-1-S-1-S-1-1111-1844237615-1801674531-316681\",\"SourceEndpointHostName\":\"nope122.na.net.ABC.com\",\"SourceEndpointIpAddress\":\"81.2.69.142\",\"SourceEndpointSensorId\":\"a2f1de586958434eb5e14e30214e17ed\",\"ActivityId\":\"76CC8396-7148-4CEB-84CB-08FAFE4FAC37\",\"PatternId\":51135,\"SourceVendors\":\"CrowdStrike\",\"SourceProducts\":\"FalconIdentityProtection\",\"DataDomains\":\"Identity\"}}",
                 "reference": "https://falcon.crowdstrike.com/identity-protection/detections/abcabcabc22222:ind:abcabcabc22222:5E8D397E-79C1-AAAA-9715-EEEEEE2222?_cid=abcabcabc22222",
-                "severity": 34,
+                "severity": 21,
                 "start": "2023-11-02T10:36:00.000Z",
                 "type": [
                     "info"
@@ -206,6 +207,7 @@
                     "Category": "Detections",
                     "NumberOfCompromisedEntities": 2,
                     "NumbersOfAlerts": 1,
+                    "Severity": 4,
                     "SeverityName": "LOW",
                     "State": "NEW"
                 },
@@ -229,7 +231,7 @@
                 "kind": "event",
                 "original": "{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8694126,\"eventType\":\"IdentityProtectionEvent\",\"eventCreationTime\":1698923523065,\"version\":\"1.0\"},\"event\":{\"IncidentType\":\"Unusuallogintoanendpoint\",\"IncidentDescription\":\"Unusuallogintoanendpoint\",\"Severity\":4,\"SeverityName\":\"LOW\",\"StartTime\":1698923340000,\"EndTime\":1698923340000,\"IdentityProtectionIncidentId\":\"7a79b2de-4e10-41fb-818f-2bdf53c1625a\",\"UserName\":\"NA.NET.ABC.com\\\\abc.service\",\"EndpointName\":\"itreg1d3wp8vh3.eu.net.ABC.com\",\"EndpointIp\":\"\",\"Category\":\"Detections\",\"NumbersOfAlerts\":1,\"NumberOfCompromisedEntities\":2,\"State\":\"NEW\",\"FalconHostLink\":\"https://falcon.crowdstrike.com/identity-protection/detections/abcabcabc22222:ind:abcabcabc22222:7A79B2DE-4E10-41FB-818F-2BDF53C1625A\"}}",
                 "reference": "https://falcon.crowdstrike.com/identity-protection/detections/abcabcabc22222:ind:abcabcabc22222:7A79B2DE-4E10-41FB-818F-2BDF53C1625A",
-                "severity": 4,
+                "severity": 21,
                 "start": "2023-11-02T11:09:00.000Z",
                 "type": [
                     "info"
@@ -608,6 +610,7 @@
                     "PatternDispositionValue": 2048,
                     "PatternId": "10186",
                     "SensorId": "69027ffffffffffffaaf50",
+                    "Severity": 4,
                     "SeverityName": "High"
                 },
                 "metadata": {
@@ -629,7 +632,7 @@
                 "kind": "alert",
                 "original": "{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8695332,\"eventType\":\"DetectionSummaryEvent\",\"eventCreationTime\":1698932615000,\"version\":\"1.0\"},\"event\":{\"ProcessStartTime\":1698932614,\"ProcessEndTime\":1698932614,\"ProcessId\":54665651,\"ParentProcessId\":540396081,\"ComputerName\":\"INNOIDL0032\",\"UserName\":\"vishnu.sharma\",\"DetectName\":\"AttackerMethodology\",\"DetectDescription\":\"Rundll32launchedafilewithanunusualname.Somemalwareabusesrundll32tolaunchmaliciouspayloads.Investigatethecommandlinearguments,astheylikelyreferencethemaliciouspayload.\",\"Severity\":4,\"SeverityName\":\"High\",\"FileName\":\"rundll32.exe\",\"FilePath\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\",\"CommandLine\":\"\\\"C:\\\\Windows\\\\System32\\\\rundll32.exe\\\"\\\\lwbuimisawnmsfdjmazvobzb.brl,kokknnjfybyqjrrh\",\"SHA256String\":\"d64d27be4c907b0a2a0c32e1b1a4a44a1333a936fe63127d69df41c859da8c9e\",\"MD5String\":\"a52bfa4a96f97c368312028dbd7c8461\",\"SHA1String\":\"0000000000000000000000000000000000000000\",\"MachineDomain\":\"AP\",\"FalconHostLink\":\"https://falcon.crowdstrike.com/activity/detections/detail/6902738b2a374a718cd9a45085baaf50/2246270721205?_cid=gffffffffy3zjobdz7ewb4xjqyjsy5a\",\"SensorId\":\"69027ffffffffffffaaf50\",\"IOCType\":\"hash_sha256\",\"IOCValue\":\"d64d27be4c907b0a2a0c32e1b1a4a44a1333a936fe63127d69df41c859da8c9e\",\"DetectId\":\"ldt:690ddddddd0721205\",\"LocalIP\":\"81.2.69.144\",\"MACAddress\":\"02-50-41-00-00-01\",\"Tactic\":\"DefenseEvasion\",\"Technique\":\"Rundll32\",\"Objective\":\"KeepAccess\",\"PatternDispositionDescription\":\"Prevention,processwasblockedfromexecution.\",\"PatternDispositionValue\":2048,\"PatternDispositionFlags\":{\"Indicator\":false,\"Detect\":false,\"InddetMask\":false,\"SensorOnly\":false,\"Rooting\":false,\"KillProcess\":false,\"KillSubProcess\":false,\"QuarantineMachine\":false,\"QuarantineFile\":false,\"PolicyDisabled\":false,\"KillParent\":false,\"OperationBlocked\":false,\"ProcessBlocked\":true,\"RegistryOperationBlocked\":false,\"CriticalProcessDisabled\":false,\"BootupSafeguardEnabled\":false,\"FsOperationBlocked\":false,\"HandleOperationDowngraded\":false,\"KillActionFailed\":false,\"BlockingUnsupportedOrDisabled\":false,\"SuspendProcess\":false,\"SuspendParent\":false},\"ParentImageFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\explorer.exe\",\"ParentCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"GrandparentImageFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\userinit.exe\",\"GrandparentCommandLine\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"HostGroups\":\"e2091491a28248eaae3ede9f217e03fc,e837d750b8ba400c953380da346e2b04,186c20383a98495cb0e0a7d5540f3aff,24d1f760fcdc46d992bb8f41d7dd897b,2b7bd0fede874baaa1afdea20f255632,a293aded9c4548469d0e853b7267cce5,adab9db4541040729e01d16211189a27,b75b27ce17244922bd0a862a712ea812\",\"Tags\":\"SensorGroupingTags/USB_Storage_Exception\",\"AssociatedFile\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\rundll32.exe\",\"PatternId\":10186}}",
                 "reference": "https://falcon.crowdstrike.com/activity/detections/detail/6902738b2a374a718cd9a45085baaf50/2246270721205?_cid=gffffffffy3zjobdz7ewb4xjqyjsy5a",
-                "severity": 4,
+                "severity": 73,
                 "type": [
                     "info"
                 ]

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-cspmioa-streaming.log-expected.json

@@ -14,6 +14,7 @@
             "crowdstrike": {
                 "event": {
                     "PolicyId": 249,
+                    "Severity": 1,
                     "SeverityName": "High"
                 },
                 "metadata": {
@@ -35,7 +36,7 @@
                 "kind": "alert",
                 "original": "{\n\t\"metadata\": {\n\t\t\"customerIDString\": \"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\n\t\t\"offset\": 54712858,\n\t\t\"eventType\": \"CSPMIOAStreamingEvent\",\n\t\t\"eventCreationTime\": 1663011160000,\n\t\t\"version\": \"1.0\"\n\t},\n\t\"event\": {\n\t\t\"AccountId\": \"XXXXXXXXXXXX\",\n\t\t\"PolicyId\": 249,\n\t\t\"PolicyStatement\": \"EC2 instance manually deleted by IAM user\",\n\t\t\"CloudProvider\": \"aws\",\n\t\t\"CloudService\": \"EC2\",\n\t\t\"Severity\": 1,\n\t\t\"SeverityName\": \"High\",\n\t\t\"EventAction\": \"TerminateInstances\",\n\t\t\"EventSource\": \"aws.cloudtrail\",\n\t\t\"EventCreatedTimestamp\": 1663011160,\n\t\t\"UserId\": \"AIDAXRCSSEFWEAH3BLR2Z\",\n\t\t\"UserName\": \"cs_internal_service_acct\",\n\t\t\"UserSourceIp\": \"81.2.69.144\",\n\t\t\"Tactic\": \"Impact\",\n\t\t\"Technique\": \"Data Destruction\"\n\t}\n}",
                 "provider": "aws.cloudtrail",
-                "severity": 1,
+                "severity": 73,
                 "type": [
                     "info",
                     "change"

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-cspmsearch-streaming.log-expected.json

@@ -27,6 +27,7 @@
                     "ResourceId": "i-0108fce80eXXXXXXX",
                     "ResourceIdType": "Instance Id",
                     "ResourceUrl": "https://us-west-2.console.aws.amazon.com/ec2/v2/home?region=us-west-2#InstanceDetails:instanceId=i-0108fce80eXXXXXXX",
+                    "Severity": 1,
                     "SeverityName": "High",
                     "Timestamp": 1663009688832
                 },
@@ -49,7 +50,7 @@
                 "original": "{\n\t\"metadata\": {\n\n\t\t\"customerIDString\": \"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\n\t\t\"offset\": 54712611,\n\t\t\"eventType\": \"CSPMSearchStreamingEvent\",\n\t\t\"eventCreationTime\": 1663009688832,\n\t\t\"version\": \"1.0\"\n\t},\n\t\"event\": {\n\t\t\"AccountId\": \"XXXXXXXXXXXX\",\n\t\t\"Region\": \"us-west-2\",\n\t\t\"ResourceId\": \"i-0108fce80eXXXXXXX\",\n\t\t\"ResourceIdType\": \"Instance Id\",\n\t\t\"ResourceName\": \"\",\n\t\t\"ResourceCreateTime\": 0,\n\t\t\"PolicyStatement\": \"EC2 NACL configured for global ingress\",\n\t\t\"PolicyId\": 26,\n\t\t\"Severity\": 1,\n\t\t\"SeverityName\": \"High\",\n\t\t\"CloudPlatform\": \"AWS\",\n\t\t\"CloudService\": \"EC2\",\n\t\t\"Disposition\": \"Failed\",\n\t\t\"ResourceUrl\": \"https://us-west-2.console.aws.amazon.com/ec2/v2/home?region=us-west-2#InstanceDetails:instanceId=i-0108fce80eXXXXXXX\",\n\t\t\"Finding\": \"Instance ID: i-0108fce80e5ab5129|VPC ID: vpc-0e886040c27d9f526|Network ACL ID: acl-005e6bb98e75ac17e|Rule Number: 100|CIDR Block: 0.0.0.0/0|Protocol: All\",\n\t\t\"ResourceAttributes\": \"{\\\"ACL ID\\\": \\\"acl - 005e6 bb98e75ac17e\\\",\\\"VPC ID\\\": \\\"vpc - 0e886040 c27d9f526\\\",\\\"Platform\\\": \\\"Linux\\\",\\\"Instance ID\\\": \\\"i - 0108 fce80eXXXXXXX\\\",\\\"Launch Time\\\": \\\"2022 - 09 - 12 17: 11: 06 + 00\\\",\\\"Instance State\\\": \\\"running\\\"}\",\n\t\t\"Tags\": [{\n\t\t\t\"Key\": \"cstag-business\",\n\t\t\t\"ValueString\": \"Sales\"\n\t\t}, {\n\t\t\t\"Key\": \"cstag-accounting\",\n\t\t\t\"ValueString\": \"dev\"\n\t\t}, {\n\t\t\t\"Key\": \"cstag-department\",\n\t\t\t\"ValueString\": \"Sales - 310000\"\n\t\t}, {\n\t\t\t\"Key\": \"Slackbot Env UUID\",\n\t\t\t\"ValueString\": \"C68EC25E-32BD-11ED-AE4B-0EBCA3237C75\"\n\t\t}, {\n\t\t\t\"Key\": \"Name\",\n\t\t\t\"ValueString\": \"CS-SE-Demo-KALI-ROBERT.WILSON\"\n\t\t}, {\n\t\t\t\"Key\": \"Slack_User\",\n\t\t\t\"ValueString\": \"bob.smith\"\n\t\t}, {\n\t\t\t\"Key\": \"cstag-owner\",\n\t\t\t\"ValueString\": \"jane.doe\"\n\t\t}],\n\t\t\"ReportUrl\": \"https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\\u0026policy_id=26\\u0026scan_id=1a8adc1c36aa7d83e90e5c06\\u0026service=EC2\",\n\t\t\"Timestamp\": 1663009688832\n\t}\n}",
                 "outcome": "failure",
                 "reference": "https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26&policy_id=26&scan_id=1a8adc1c36aa7d83e90e5c06&service=EC2",
-                "severity": 1,
+                "severity": 73,
                 "type": [
                     "info",
                     "change"

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-detection-summary.log-expected.json

@@ -63,6 +63,7 @@
                     "PatternDispositionValue": 2304,
                     "PatternId": "5728",
                     "SensorId": "sensorid123",
+                    "Severity": 2,
                     "SeverityName": "Low"
                 },
                 "metadata": {
@@ -84,7 +85,7 @@
                 "kind": "alert",
                 "original": "{\n    \"metadata\": {\n        \"customerIDString\": \"123123abcd\",\n        \"offset\": 1,\n        \"eventType\": \"DetectionSummaryEvent\",\n        \"eventCreationTime\": 1686845212400,\n        \"version\": \"1.0\"\n    },\n    \"event\": {\n        \"ProcessStartTime\": 1686845212400,\n        \"ProcessEndTime\": 0,\n        \"ProcessId\": 123123,\n        \"ParentProcessId\": 321321,\n        \"ComputerName\": \"ELASTICHOST\",\n        \"UserName\": \"ELASTICUSER\",\n        \"DetectName\": \"NGAV\",\n        \"DetectDescription\": \"This file is classified as Adware/PUP based on its SHA256 hash.\",\n        \"Severity\": 2,\n        \"SeverityName\": \"Low\",\n        \"FileName\": \"TESTFILE.exe\",\n        \"FilePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\ELASTICUSER\\\\Software\\\\TESTSOFTWARE\",\n        \"CommandLine\": \"\\\"C:\\\\Users\\\\TESTUSER\\\\SOFTWARE\\\\TESTSOFTWARE\\\\FILE.exe\\\" -Embedding\",\n        \"SHA256String\": \"0b2cde5b355bda69aeb15159fa98b5554053f0936259a53c6dfb0934389238a2\",\n        \"MD5String\": \"49f30e09200e7b59edc5ef32fbd0442c\",\n        \"SHA1String\": \"7e54a24d4df5b7fe4a75d7ce1c027705c368666b\",\n        \"MachineDomain\": \"INTERNAL\",\n        \"NetworkAccesses\": [\n            {\n                \"AccessType\": 0,\n                \"AccessTimestamp\": 1686845157,\n                \"Protocol\": \"TCP\",\n                \"LocalAddress\": \"10.0.0.1\",\n                \"LocalPort\": 53517,\n                \"RemoteAddress\": \"67.43.156.1\",\n                \"RemotePort\": 443,\n                \"ConnectionDirection\": 0,\n                \"IsIPV6\": false\n            },\n            {\n                \"AccessType\": 0,\n                \"AccessTimestamp\": 1686845158,\n                \"Protocol\": \"TCP\",\n                \"LocalAddress\": \"10.0.0.2\",\n                \"LocalPort\": 53518,\n                \"RemoteAddress\": \"67.43.156.1\",\n                \"RemotePort\": 80,\n                \"ConnectionDirection\": 0,\n                \"IsIPV6\": false\n            }\n        ],\n        \"FalconHostLink\": \"https://falcon.crowdstrike.com/activity/detections/detail/REFERENCE?_cid=CID\",\n        \"SensorId\": \"sensorid123\",\n        \"IOCType\": \"hash_sha256\",\n        \"IOCValue\": \"0b2cde5b355bda69aeb15159fa98b5554053f0936259a53c6dfb0934389238a2\",\n        \"DetectId\": \"detect::id::test\",\n        \"LocalIP\": \"89.160.20.112\",\n        \"MACAddress\": \"1c-2d-b3-4a-56-7e\",\n        \"Tactic\": \"Malware\",\n        \"Technique\": \"PUP\",\n        \"Objective\": \"Falcon Detection Method\",\n        \"PatternDispositionDescription\": \"Detection, process would have been blocked if related prevention policy setting was enabled.\",\n        \"PatternDispositionValue\": 2304,\n        \"PatternDispositionFlags\": {\n            \"Indicator\": false,\n            \"Detect\": false,\n            \"InddetMask\": false,\n            \"SensorOnly\": false,\n            \"Rooting\": false,\n            \"KillProcess\": false,\n            \"KillSubProcess\": false,\n            \"QuarantineMachine\": false,\n            \"QuarantineFile\": false,\n            \"PolicyDisabled\": true,\n            \"KillParent\": false,\n            \"OperationBlocked\": false,\n            \"ProcessBlocked\": true,\n            \"RegistryOperationBlocked\": false,\n            \"CriticalProcessDisabled\": false,\n            \"BootupSafeguardEnabled\": false,\n            \"FsOperationBlocked\": false,\n            \"HandleOperationDowngraded\": false,\n            \"KillActionFailed\": false,\n            \"BlockingUnsupportedOrDisabled\": false,\n            \"SuspendProcess\": false,\n            \"SuspendParent\": false\n        },\n        \"ParentImageFileName\": \"\",\n        \"ParentCommandLine\": \"\",\n        \"GrandparentImageFileName\": \"\",\n        \"GrandparentCommandLine\": \"\",\n        \"HostGroups\": \"hostgroupsID\",\n        \"AssociatedFile\": \"\\\\Device\\\\HarddiskVolume3\\\\TESTUSER\\\\TESTELASTICUSER\\\\SOFTWARE\\\\TESTSOFTWARE\\\\FILE.exe\",\n        \"PatternId\": 5728\n    }\n}",
                 "reference": "https://falcon.crowdstrike.com/activity/detections/detail/REFERENCE?_cid=CID",
-                "severity": 2,
+                "severity": 21,
                 "type": [
                     "info"
                 ]