
Add system test for CrowdStrike Falcon#429

Merged
andrewkroh merged 2 commits into elastic:master from andrewkroh:crowdstrike-system-test
Dec 9, 2020

Conversation

@andrewkroh

What does this PR do?

Add a system test for CrowdStrike Falcon and fix the issues it detected.
These were the errors initially detected.

crowdstrike/falcon :
[0] field "crowdstrike.event.PatternDispositionFlags.Detect" is undefined
[1] field "crowdstrike.event.PatternDispositionFlags.InddetMask" is undefined
[2] field "crowdstrike.event.PatternDispositionFlags.Indicator" is undefined
[3] field "crowdstrike.event.PatternDispositionFlags.KillParent" is undefined
[4] field "crowdstrike.event.PatternDispositionFlags.KillProcess" is undefined
[5] field "crowdstrike.event.PatternDispositionFlags.KillSubProcess" is undefined
[6] field "crowdstrike.event.PatternDispositionFlags.OperationBlocked" is undefined
[7] field "crowdstrike.event.PatternDispositionFlags.PolicyDisabled" is undefined
[8] field "crowdstrike.event.PatternDispositionFlags.ProcessBlocked" is undefined
[9] field "crowdstrike.event.PatternDispositionFlags.QuarantineFile" is undefined
[10] field "crowdstrike.event.PatternDispositionFlags.QuarantineMachine" is undefined
[11] field "crowdstrike.event.PatternDispositionFlags.Rooting" is undefined
[12] field "crowdstrike.event.PatternDispositionFlags.SensorOnly" is undefined
[13] parsing field value failed: field "crowdstrike.event.LocalPort"'s Go type, string, does not match the expected field type: long
[14] parsing field value failed: field "crowdstrike.event.PID"'s Go type, string, does not match the expected field type: long
[15] parsing field value failed: field "crowdstrike.event.ProcessEndTime"'s Go type, float64, does not match the expected field type: date
[16] parsing field value failed: field "crowdstrike.event.RemotePort"'s Go type, string, does not match the expected field type: long
[17] parsing field value failed: field "destination.port"'s Go type, string, does not match the expected field type: long
[18] parsing field value failed: field "process.pid"'s Go type, string, does not match the expected field type: long
[19] parsing field value failed: field "source.port"'s Go type, string, does not match the expected field type: long

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all datasets collect metrics or logs.

How to test this PR locally

elastic-package stack up -d
$(elastic-package stack shellinit)
cd crowdstrike/data_stream/falcon
elastic-package test system -v

Related issues

@andrewkroh

andrewkroh commented Dec 2, 2020

The pipeline needs to be updated to correct the JSON data types to match the mapping.

@elasticmachine

elasticmachine commented Dec 2, 2020

💚 Build Succeeded


Build stats

  • Build Cause: Branch indexing

  • Start Time: 2020-12-08T22:28:41.977+0000

  • Duration: 18 min 3 sec

Test stats 🧪

  • Failed: 0

  • Passed: 73

  • Skipped: 0

  • Total: 73

- crowdstrike.event.LocalPort, long
- crowdstrike.event.PID, long
- crowdstrike.event.ProcessEndTime, delete if 0
- crowdstrike.event.RemotePort, long
- destination.port, long
- process.pid, long
- source.port, long
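As an added example (not code from this PR, from elastic-package or from the integration's own pipeline), the following Python models the two things the thread describes: the system test's field-type check that produced the errors quoted in the description, and the pipeline fix listed just above (string ports and PIDs converted to long, ProcessEndTime removed when it is 0). The expected-type table, the sample event and the error wording are constructed assumptions.

```python
import copy

# Expected types for the fields named in the PR (assumed subset of the mapping).
EXPECTED_TYPES = {
    "crowdstrike.event.LocalPort": "long", "crowdstrike.event.RemotePort": "long",
    "crowdstrike.event.PID": "long", "crowdstrike.event.ProcessEndTime": "date",
    "source.port": "long", "destination.port": "long", "process.pid": "long",
}

# Constructed sample event as decoded from JSON (not real CrowdStrike data):
# ports and PID arrive as strings, ProcessEndTime as the float 0.
SAMPLE = {
    "crowdstrike": {"event": {"LocalPort": "49152", "RemotePort": "443", "PID": "4321", "ProcessEndTime": 0.0}},
    "source": {"port": "49152"}, "destination": {"port": "443"}, "process": {"pid": "4321"},
}


def walk(doc, dotted):
    """Return (parent dict, leaf key) for a dotted field path; parent is None if absent."""
    *head, key = dotted.split(".")
    cur = doc
    for part in head:
        cur = cur.get(part) if isinstance(cur, dict) else None
    return (cur if isinstance(cur, dict) else None), key


def check_types(doc):
    """Model of the system test's type check: one error per mismatched field."""
    errors = []
    for field, expected in EXPECTED_TYPES.items():
        parent, key = walk(doc, field)
        if parent is None or key not in parent:
            continue  # absent fields are a separate class of error ("is undefined")
        value = parent[key]
        is_long = isinstance(value, int) and not isinstance(value, bool)
        if not (is_long if expected == "long" else isinstance(value, str)):
            errors.append(f'field "{field}" has type {type(value).__name__}, '
                          f'does not match the expected field type: {expected}')
    return errors


def normalize(doc):
    """Model of the pipeline fix: string ports/PIDs -> long, drop ProcessEndTime if 0."""
    out = copy.deepcopy(doc)
    for field, expected in EXPECTED_TYPES.items():
        parent, key = walk(out, field)
        value = parent.get(key) if parent is not None else None
        if expected == "long" and isinstance(value, str) and value.lstrip("-").isdigit():
            parent[key] = int(value)
    parent, key = walk(out, "crowdstrike.event.ProcessEndTime")
    if parent is not None and parent.get(key) == 0:
        del parent[key]  # an unset end time is encoded as 0; drop it instead of failing date parsing
    return out
```

Running check_types on SAMPLE yields the seven type mismatches; after normalize the same check returns no errors.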
@leehinman leehinman marked this pull request as ready for review December 2, 2020 19:23
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@leehinman

run tests

@andrewkroh andrewkroh merged commit 5a52482 into elastic:master Dec 9, 2020