Skip to content

crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentinel_one: normalise severity handling#13955

Merged
efd6 merged 1 commit intoelastic:mainfrom
efd6:12662-edr_severities
May 22, 2025
Merged

crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentinel_one: normalise severity handling#13955
efd6 merged 1 commit intoelastic:mainfrom
efd6:12662-edr_severities

Conversation

@efd6
Copy link
Contributor

@efd6 efd6 commented May 21, 2025

Proposed commit message

crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentinel_one: normalise severity handling

This change normalises the interpretation of severity names for the Crowdstrike,
Microsoft and Sentinel One EDR integrations modulo consistent semantics of the
terms used by those vendors.

Severity terms are also recovered from the vendor's severity scale if the term
is missing and a scale to term mapping is known.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 self-assigned this May 21, 2025
@efd6 efd6 added enhancement New feature or request Integration:crowdstrike CrowdStrike Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Integration:sentinel_one SentinelOne Integration:m365_defender Microsoft Defender XDR Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:microsoft_defender_cloud Microsoft Defender for Cloud labels May 21, 2025
@efd6 efd6 force-pushed the 12662-edr_severities branch from 6ddfee4 to 8b5d0ba Compare May 21, 2025 03:52
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented May 21, 2025
edited
Loading

🚀 Benchmarks report

Package crowdstrike 👍(3) 💚(1) 💔(1)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
falcon 7092.2 5780.35 -1311.85 (-18.5%) 💔

Package microsoft_defender_endpoint 👍(1) 💚(1) 💔(1)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
machine_action 9174.31 5494.51 -3679.8 (-40.11%) 💔

Package sentinel_one 👍(2) 💚(2) 💔(1)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
agent 2985.07 1972.39 -1012.68 (-33.92%) 💔

To see the full report comment with /test benchmark fullreport

@efd6 efd6 force-pushed the 12662-edr_severities branch from 8b5d0ba to a4b8d62 Compare May 21, 2025 04:28
@efd6 efd6 marked this pull request as ready for review May 21, 2025 05:59
@efd6 efd6 requested a review from a team as a code owner May 21, 2025 05:59
@elasticmachine
Copy link

elasticmachine commented May 21, 2025

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

chrisberkhout
chrisberkhout approved these changes May 21, 2025
View reviewed changes
Copy link
Contributor

@chrisberkhout chrisberkhout left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the reason for not making info/informational lower than low severity?

I'm guessing that rules want to consider info level as more significant than severity: 0.

@chrisberkhout
Copy link
Contributor

chrisberkhout commented May 21, 2025

One more thing: several of the sample event files don't have significant changes and could be left out. Just updating everything seem okay though.

@efd6
Copy link
Contributor Author

efd6 commented May 21, 2025

What's the reason for not making info/informational lower than low severity?

The issue requirements:

Similar mappings will be created for Microsoft Defender for Endpoint (MDE) and CrowdStrike once their scales are validated. In the case there are Informational and Low severity levels, use the same value (21) for both.

One more thing: several of the sample event files don't have significant changes and could be left out. Just updating everything seem okay though.

I considered that, but I wanted to present a consistent documentation (there has been a lapse in sample event updates for the past few changes).

@efd6 efd6 requested a review from chrisberkhout May 22, 2025 08:52
chrisberkhout
chrisberkhout approved these changes May 22, 2025
View reviewed changes
Copy link
Contributor

@chrisberkhout chrisberkhout left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@efd6
crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentine…
e2b4487 
…l_one: normalise severity handling

This change normalises the interpretation of severity names for the Crowdstrike,
Microsoft and Sentinel One EDR integrations modulo consistent semantics of the
terms used by those vendors.

Severity terms are also recovered from the vendor's severity scale if the term
is missing and a scale to term mapping is known.
@efd6 efd6 force-pushed the 12662-edr_severities branch from a4b8d62 to e2b4487 Compare May 22, 2025 20:58
@efd6 efd6 enabled auto-merge (squash) May 22, 2025 21:02
@elasticmachine
Copy link

elasticmachine commented May 22, 2025

💚 Build Succeeded

History

cc @efd6

@efd6 efd6 merged commit 6d2a6d1 into elastic:main May 22, 2025
6 checks passed
@elastic-sonarqube
Copy link

elastic-sonarqube bot commented May 22, 2025

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
93.6% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented May 22, 2025

Package crowdstrike - 1.70.0 containing this change is available at https://epr.elastic.co/package/crowdstrike/1.70.0/

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented May 22, 2025

Package m365_defender - 3.5.0 containing this change is available at https://epr.elastic.co/package/m365_defender/3.5.0/

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented May 22, 2025

Package microsoft_defender_cloud - 2.6.0 containing this change is available at https://epr.elastic.co/package/microsoft_defender_cloud/2.6.0/

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented May 22, 2025

Package microsoft_defender_endpoint - 2.35.0 containing this change is available at https://epr.elastic.co/package/microsoft_defender_endpoint/2.35.0/

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented May 22, 2025

Package sentinel_one - 1.35.0 containing this change is available at https://epr.elastic.co/package/sentinel_one/1.35.0/

@jamiehynds
Copy link

jamiehynds commented May 23, 2025

FYI @raqueltabuyo

v1v added a commit to v1v/integrations that referenced this pull request May 26, 2025
@v1v
Merge branch 'main' into feature/use-google-secrets
52daeaf 
* main: (42 commits)
  [jamf_pro] Fix `flattened` field types for non-object values (elastic#13985)
  [Netskope Alerts] Add text multi-field to netskope.alerts.breach.description field (elastic#13977)
  zscaler_zia: add strict field template mode for tcp and http_endpoint input data streams (elastic#13904)
  apm: Add config for tail-based sampling discard on write (elastic#13950)
  [CI] Add dev/coverage into backport script (elastic#13987)
  Update configuration updatecli for 8.x snapshot (elastic#13981)
  [Prometheus] Add username, password, and SSL related fields for query dataset (elastic#13969)
  o365: Ignore failures in rename processors for organization fields (elastic#13983)
  aws.firewall: Document ingested log types of AWS Network Firewall (elastic#13978)
  mimecast: resolve field data type conflicts between data streams (elastic#13825)
  [Infoblox NIOS] Handle the parsing of IPv6 address (elastic#13947)
  [Cribl] Fix handling of metric event type (elastic#13930)
  zscaler_zpa: fix handling of multiple remote IPs, and event categorisation (elastic#13755)
  Adding agentless deployment to the sublime security integration (elastic#13963)
  [integration/system] add use_performance_counters in system integration (elastic#13150)
  crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentinel_one: normalise severity handling (elastic#13955)
  [forgerock] Map `forgerock.response.elapsedTime` as a long not a date (elastic#13959)
  github: squelch errors from pagination ends (elastic#13965)
  cisco_secure_endpoint: squelch errors from pagination ends (elastic#13964)
  [Cloud Security] Cloud Asset Inventory:  fixed cloud formation URL (elastic#13971)
  ...
v1v added a commit that referenced this pull request May 26, 2025
@v1v
Merge branch 'feature/use-google-secrets' into test/use-google-secrets
81b8efa 
* feature/use-google-secrets: (43 commits)
  use -ci account
  [jamf_pro] Fix `flattened` field types for non-object values (#13985)
  [Netskope Alerts] Add text multi-field to netskope.alerts.breach.description field (#13977)
  zscaler_zia: add strict field template mode for tcp and http_endpoint input data streams (#13904)
  apm: Add config for tail-based sampling discard on write (#13950)
  [CI] Add dev/coverage into backport script (#13987)
  Update configuration updatecli for 8.x snapshot (#13981)
  [Prometheus] Add username, password, and SSL related fields for query dataset (#13969)
  o365: Ignore failures in rename processors for organization fields (#13983)
  aws.firewall: Document ingested log types of AWS Network Firewall (#13978)
  mimecast: resolve field data type conflicts between data streams (#13825)
  [Infoblox NIOS] Handle the parsing of IPv6 address (#13947)
  [Cribl] Fix handling of metric event type (#13930)
  zscaler_zpa: fix handling of multiple remote IPs, and event categorisation (#13755)
  Adding agentless deployment to the sublime security integration (#13963)
  [integration/system] add use_performance_counters in system integration (#13150)
  crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentinel_one: normalise severity handling (#13955)
  [forgerock] Map `forgerock.response.elapsedTime` as a long not a date (#13959)
  github: squelch errors from pagination ends (#13965)
  cisco_secure_endpoint: squelch errors from pagination ends (#13964)
  ...
anupratharamachandran pushed a commit to anupratharamachandran/integrations that referenced this pull request Jun 2, 2025
@efd6 @anupratharamachandran
crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentine…
0acc548 
…l_one: normalise severity handling (elastic#13955)

This change normalises the interpretation of severity names for the Crowdstrike,
Microsoft and Sentinel One EDR integrations modulo consistent semantics of the
terms used by those vendors.

Severity terms are also recovered from the vendor's severity scale if the term
is missing and a scale to term mapping is known.
@kcreddy kcreddy mentioned this pull request Jan 29, 2026
Closed
@kcreddy kcreddy mentioned this pull request Feb 12, 2026
Open
@kcreddy kcreddy mentioned this pull request Feb 23, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chrisberkhout chrisberkhout chrisberkhout approved these changes

Assignees

@efd6 efd6

Labels

enhancement New feature or request Integration:crowdstrike CrowdStrike Integration:m365_defender Microsoft Defender XDR Integration:microsoft_defender_cloud Microsoft Defender for Cloud Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Integration:sentinel_one SentinelOne Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Normalize Third-Party EDR Alert Severity to Elastic’s Severity Scale

4 participants

@efd6 @elasticmachine @chrisberkhout @jamiehynds