Skip to content

CrowdStrike Adding Identity Protection IDP Parsing for FDR#19805

Open
jeff-bb wants to merge 3 commits into
elastic:mainfrom
jeff-bb:main
Open

CrowdStrike Adding Identity Protection IDP Parsing for FDR#19805
jeff-bb wants to merge 3 commits into
elastic:mainfrom
jeff-bb:main

Conversation

@jeff-bb

@jeff-bb jeff-bb commented Jun 26, 2026

Copy link
Copy Markdown

Proposed commit message

Create a pipeline (similar to Epp) for Idp events. The Falcon pipeline path has this, but the FDR pipline path does not. I used the existing Falcon Idp as the starting point with a few minor changes based on a combination of our real world data and the current version of the "Identity Protection detection summary fields" document from CrowdStrike

I've created a test-fdr-idp-detection-summary.log file with a single sanitized event, but do not know how to test this to produce the expected output file.

@jeff-bb jeff-bb requested review from a team as code owners June 26, 2026 20:43
@elastic-vault-github-plugin-prod

Copy link
Copy Markdown

Reviewers

Buildkite won't run for external contributors automatically; you need to add a comment:

  • /test : will kick off a build in Buildkite.

NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details.

@andrewkroh andrewkroh added Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Jun 29, 2026
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@vera-review-bot

Copy link
Copy Markdown

👀 I have started reviewing the PR

replacement: ""
tag: gsub_context_timestamp
if: "ctx.crowdstrike?.ContextTimeStamp != null && ctx.crowdstrike.ContextTimeStamp.length() > 18"
- date:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 HIGH data_stream/fdr/.../idp_detection_summary.yml:129

Date processors parse ISO 8601 timestamps as UNIX epoch

The ContextTimeStamp, StartTime, EndTime and AccountCreationTimeStamp date processors parse their input with the UNIX_MS / UNIX (numeric epoch) formats, but the values in the committed sample (test-fdr-idp-detection-summary.log) are ISO 8601 strings, e.g. ContextTimeStamp "2026-06-26T13:33:50.000Z", StartTime/EndTime "2026-06-26T13:31:39.000Z". The convert-to-string + gsub(\d{6}$) + UNIX_MS pattern is the one used elsewhere for numeric nanosecond epochs and does not apply here: the gsub never matches (the strings end in 'Z', not 6 digits), and the date processor then tries to read the full ISO string as milliseconds-since-epoch and fails. These date processors have no ignore_failure and no processor-level on_failure, so the failure propagates to the pipeline on_failure block, which sets event.kind=pipeline_error for every IDP detection event and leaves event.created/event.start/event.end unset. The pipeline and its own sample are inconsistent, so the pipeline test cannot pass.

Recommendation:

Parse the IDP timestamps as ISO 8601 instead of epoch (drop the convert/gsub/UNIX pair for these string fields):

- date:
    field: crowdstrike.ContextTimeStamp
    target_field: event.created
    timezone: UTC
    formats:
      - ISO8601
    tag: date_context_timestamp
    if: ctx.crowdstrike?.ContextTimeStamp != null
- date:
    field: crowdstrike.StartTime
    target_field: event.start
    timezone: UTC
    formats:
      - ISO8601
    tag: date_event_start_time
    if: ctx.crowdstrike?.StartTime != null
- date:
    field: crowdstrike.EndTime
    target_field: event.end
    timezone: UTC
    formats:
      - ISO8601
    tag: date_event_end_time
    if: ctx.crowdstrike?.EndTime != null

If CrowdStrike can emit either epoch or ISO for these fields, list both formats in a single formats list (e.g. - ISO8601, - UNIX_MS, - UNIX) so one processor handles all shapes.


🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@@ -0,0 +1 @@
{"AgentId":"c8d1292a8a904216aa25ab728f4b45fd","AggregateId":"aggind:c8d1292a8a904216aa25ab728f4b45fd:11111111111-2222-3333333","CompositeId":"44be50f58ccfcfcfcfcfcfcfcffc:ind:44be50f58ccfcfcfcfcfcfcfcffc:11111111111-2222-3333333","Confidence":20,"ContextTimeStamp":"2026-06-26T13:33:50.000Z","CreatedTimestamp":"2026-06-26T13:34:53.009548969Z","DataDomains":["Identity"],"Description":"A user logged in to a machine for the first time","DisplayName":"Unusual login to an endpoint","EndTime":"2026-06-26T13:31:39.000Z","FalconHostLink":"https://falcon.laggar.gcw.crowdstrike.com/identity-protection/detections/44be50f58ccfcfcfcfcfcfcfcffc:ind:44be50f58ccfcfcfcfcfcfcfcffc:11111111111-2222-3333333?_cid=99999999","HostName":["computer.ad.contoso.com"],"MitreAttack":[{"pattern_id":51135,"tactic_id":"TA0001","technique_id":"T1078","tactic":"Initial Access","technique":"Valid Accounts"}],"Name":"AnomalousNewEndpointUsage","Objective":"Gain Access","PatternId":51135,"Product":"idp","Scenario":"machine_learning","Severity":10,"SeverityName":"Informational","SourceAccountDomain":"ad.contoso.com","SourceAccountName":"JohnD","SourceAccountObjectGuid":"4D9D1676-D22D-4DE8-BB63-0C1661DA9236","SourceAccountObjectSid":"S-1-5-21-123456789-1234567890-1234567890-221133","SourceAccountUpn":"JohnD@ad.contoso.com","SourceEndpointAccountObjectGuid":"1415A515-7DE4-4A10-BF0F-CF5F5CD92812","SourceEndpointAccountObjectSid":"S-1-5-21-123456789-1234567890-1234567890-123456","SourceEndpointAddressIp4":"1.1.1.1","SourceEndpointHostName":"computer.ad.contoso.com","SourceEndpointIpAddress":"1.1.1.1","SourceEndpointSensorId":"c8d1292a8a904216aa25ab728f4b45fd","SourceHosts":["computer.ad.contoso.com"],"SourceIps":["1.1.1.1"],"SourceProducts":["Falcon Identity Protection"],"SourceVendors":["CrowdStrike"],"StartTime":"2026-06-26T13:31:39.000Z","TargetEndpointAccountObjectGuid":"6ECA688B-47F3-461C-AD46-73521AB8677D","TargetEndpointAccountObjectSid":"S-1-5-21-123456789-1234567890-1234567890-098765","TargetEndpointHostName":"DC01","TargetServiceAccessIdentifier":"HTTP/proxy.ad.contoso.com","Timestamp":"2026-06-26T13:33:52.274Z","Type":"idp-session-source-user-endpoint-target-info","UserName":"JohnD","UserNames":["JohnD","JohnD@ad.contoso.com"]}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 HIGH data_stream/fdr/.../test-fdr-idp-detection-summary.log:1

New test input has no matching -expected.json

This PR adds the pipeline test input test-fdr-idp-detection-summary.log but no companion test-fdr-idp-detection-summary.log-expected.json exists in the checkout. elastic-package test pipeline compares each input against its expected document and fails when the expected file is absent, so this addition will break the pipeline test run in CI. It also means the new idp_detection_summary.yml pipeline has no asserted output coverage.

Recommendation:

Generate and commit the expected output, then verify it reflects correct mappings (not pipeline_error from finding #​1):

cd packages/crowdstrike
elastic-package test pipeline --generate -d fdr

Commit the resulting test-fdr-idp-detection-summary.log-expected.json alongside the input.


🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

field: event.kind
value: alert
- append:
field: event.category

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 MEDIUM data_stream/fdr/.../idp_detection_summary.yml:9

event.category 'malware' is wrong for identity-protection detections

The pipeline appends event.category: malware for all IDP (Identity Protection) detection summary events. These events describe identity/authentication anomalies, not malware — the sample is DisplayName "Unusual login to an endpoint" / Name "AnomalousNewEndpointUsage" with DataDomains ["Identity"]. The value appears copied from epp_detection_summary.yml (endpoint malware) but is not semantically appropriate for identity detections, so dashboards and detections filtering on event.category will misclassify these events.

Recommendation:

Use an identity-appropriate ECS category such as authentication (and intrusion_detection where applicable) instead of malware:

- append:
    field: event.category
    value: authentication
    tag: append_authentication_category
- append:
    field: event.category
    value: intrusion_detection
    tag: append_intrusion_detection_category

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

ignore_missing: true
tag: append_source_ip
- append:
field: threat.technique.name

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 MEDIUM data_stream/fdr/.../idp_detection_summary.yml:77

MITRE ATT&CK enrichment reads fields absent from IDP events

The threat.technique.name/id and threat.tactic.name/id appends read ctx.crowdstrike.Technique, .TechniqueId, .Tactic and .TacticId. IDP detection summary events carry their ATT&CK data in a MitreAttack array instead (the sample has MitreAttack:[{"pattern_id":...,"tactic_id":"TA0001","technique_id":"T1078","tactic":"Initial Access","technique":"Valid Accounts"}] and no flat crowdstrike.Technique* fields). Because the appends are guarded by if ... != null, they silently never fire, so threat.technique.* and threat.tactic.* are never populated for IDP events. The parent default.yml foreach over crowdstrike.MitreAttack does not cover this either — it reads differently-cased keys (_ingest._value.Tactic / TacticID / Technique / TechniqueID), which do not match this event's tactic_id / technique_id / tactic / technique keys.

Recommendation:

Iterate the MitreAttack array and read its actual keys:

- foreach:
    field: crowdstrike.MitreAttack
    if: ctx.crowdstrike?.MitreAttack instanceof List
    tag: foreach_mitreattack_technique_id
    processor:
      append:
        field: threat.technique.id
        value: '{{{_ingest._value.technique_id}}}'
        allow_duplicates: false
- foreach:
    field: crowdstrike.MitreAttack
    if: ctx.crowdstrike?.MitreAttack instanceof List
    tag: foreach_mitreattack_technique_name
    processor:
      append:
        field: threat.technique.name
        value: '{{{_ingest._value.technique}}}'
        allow_duplicates: false
- foreach:
    field: crowdstrike.MitreAttack
    if: ctx.crowdstrike?.MitreAttack instanceof List
    tag: foreach_mitreattack_tactic_id
    processor:
      append:
        field: threat.tactic.id
        value: '{{{_ingest._value.tactic_id}}}'
        allow_duplicates: false
- foreach:
    field: crowdstrike.MitreAttack
    if: ctx.crowdstrike?.MitreAttack instanceof List
    tag: foreach_mitreattack_tactic_name
    processor:
      append:
        field: threat.tactic.name
        value: '{{{_ingest._value.tactic}}}'
        allow_duplicates: false

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@kcreddy kcreddy requested a review from navnit-elastic June 30, 2026 04:33
@kcreddy

kcreddy commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

/test

@efd6

efd6 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

@jeff-bb To generate the test expectations, you will need to run elastic-package test pipeline -g in the package directory. elastic-package can be obtained from https://github.com/elastic/elastic-package/releases/

@elasticmachine

elasticmachine commented Jun 30, 2026

Copy link
Copy Markdown

💔 Build Failed

Failed CI Steps

History

@github-actions

This comment has been minimized.

@github-actions

Copy link
Copy Markdown
Contributor

TL;DR

The Check integrations crowdstrike Buildkite step failed in the pipeline tests after this PR added test-fdr-idp-detection-summary.log without the required matching test-fdr-idp-detection-summary.log-expected.json. Generate and commit the expected pipeline output, then rerun the CrowdStrike package test.

Remediation

  • From packages/crowdstrike, run elastic-package test pipeline --data-streams fdr --generate (or elastic-package test pipeline -g) and commit the generated data_stream/fdr/_dev/test/pipeline/test-fdr-idp-detection-summary.log-expected.json.
  • Before committing, review the generated output carefully. The new sample uses ISO8601 values for ContextTimeStamp, StartTime, and EndTime, while the new idp_detection_summary pipeline parses those fields only as UNIX_MS/UNIX; if the generated expectation contains event.kind: pipeline_error or date parse errors, add ISO8601 handling before regenerating expectations.
Investigation details

Root Cause

This is a pipeline test fixture issue introduced by the PR changes. The PR adds packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-idp-detection-summary.log but does not add the corresponding test-fdr-idp-detection-summary.log-expected.json. The integration testing docs show pipeline fixtures must include the raw input plus expected output (docs/extend/pipeline-testing.md:49-53), and generated expected files are created with elastic-package test pipeline --generate (docs/extend/pipeline-testing.md:256-269).

The PR also wires Event_IdpDetectionSummaryEvent into the FDR default pipeline and adds idp_detection_summary.yml, so this new fixture is now exercised by the CrowdStrike pipeline test step.

Evidence

--- [crowdstrike] failed
🚨 Error: The command exited with status 1
2026-06-30 04:53:34 INFO   Uploading ... build/test-results/crowdstrike-pipeline-1782795202668765401.xml
  • PR diff evidence: packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-idp-detection-summary.log:1 was added, but no test-fdr-idp-detection-summary.log-expected.json was included.
  • Fixture requirement evidence: docs/extend/pipeline-testing.md:49-53 lists test-sample.log-expected.json / test-events.json-expected.json as expected pipeline-test outputs.

Verification

Not run locally; the available Buildkite log only includes the step tail and artifact upload list, so the analysis used the failed job summary, PR file list, changed pipeline content, and repository pipeline-test documentation.


What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default.yml pipeline is configured to branch on ctx.crowdstrike?.ExternalApiType == 'Event_IdpDetectionSummaryEvent', but this field is missing from the sample. Additionally, the timestamp format in the sample consists of ISO 8601 strings, whereas the pipeline expects the UNIX epoch format. Is this sample from the FDR feed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants