crowdstrike: add support for NG-SIEM Correlation Detection events

packages/crowdstrike/changelog.yml

@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "3.25.0"
+  changes:
+    - description: Add support for NG-SIEM correlation-detection alerts in the Alert data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/19494
+    - description: Populate `event.duration` ECS field from `event.start` and `event.end` fields in the Alert data streams.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/19494
 - version: "3.24.0"
   changes:
     - description: Make max_executions configurable for all CEL data streams to allow high-volume environments to complete pagination within a single interval.

packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json

@@ -433,7 +433,7 @@
                     "source_vendors": [
                         "CrowdStrike"
                     ],
-                    "start_time": "2024-08-19T18:43:44.242Z",
+                    "start_time": "2024-08-16T18:43:44.242Z",
                     "status": "new",
                     "tactic": "Credential Access",
                     "tactic_id": "TA0006",
@@ -470,12 +470,13 @@
                 "version": "8.17.0"
             },
             "event": {
+                "duration": 0,
                 "end": "2024-08-16T18:43:44.242Z",
                 "id": "ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9",
                 "kind": "alert",
-                "original": "{\"agent_id\":\"38293534662e48c99f33c61631b3536d\",\"aggregate_id\":\"aggind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"cid\":\"4446934rf3fdb64ec3056ddfb96e\",\"composite_id\":\"874694c2ff8c43fdb64ef3056ddfb96d:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"confidence\":80,\"context_timestamp\":\"2024-08-16T18:43:44.242Z\",\"crawled_timestamp\":\"2024-08-16T18:49:02.798354466Z\",\"created_timestamp\":\"2024-08-16T18:45:02.987127397Z\",\"data_domains\":[\"Identity\"],\"description\":\"A user denied a policy identity verification request\",\"display_name\":\"Identity verification denied\",\"end_time\":\"2024-08-16T18:43:44.242Z\",\"falcon_host_link\":\"https://falcon.crowdstrike.com/identity-protection/detections/4446934rf3fdb64ec3056ddfb96e:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9?_cid=g0300034lfy3zjobdz7ewb4xjqyjsy5a\",\"id\":\"ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"idp_policy_mfa_factor_type\":\"32769\",\"idp_policy_mfa_provider\":\"14\",\"idp_policy_rule_id\":\"1B82F2DE-2A08-49E0-8F85-AD46996F9A65\",\"idp_policy_rule_name\":\"admin - RDP Access to TIER-0 Servers\",\"name\":\"IdpPolicyIdentityVerificationDenied\",\"objective\":\"Gain Access\",\"pattern_id\":51143,\"poly_id\":\"AAB3RpTC74xD_bZOwwVt37ltWwicqVJrn1DHb_UVfrn1QAAATiE4zCVgvIYhKPq8wZOGu5S3BVMzfSm_y5pv8n9CypfRuw==\",\"product\":\"idp\",\"scenario\":\"suspicious_activity\",\"seconds_to_resolved\":0,\"seconds_to_triaged\":0,\"severity\":79,\"severity_name\":\"High\",\"show_in_ui\":true,\"source_account_azure_id\":\"65ddx-c454-45f9-9034-Fdf34353\",\"source_account_domain\":\"NET.example.com\",\"source_account_name\":\"admin.example\",\"source_account_object_sid\":\"S-14-5424-21-dfaf3-234343-3434-1567733\",\"source_account_sam_account_name\":\"admin.abcdef\",\"source_account_upn\":\"admin.abcdef@example.com\",\"source_endpoint_account_object_guid\":\"E436B3F0-078C-4629-9437-D3E3169147C0\",\"source_endpoint_address_ip4\":\"81.2.69.144\",\"source_endpoint_host_name\":\"ABDC454.net.example.com\",\"source_endpoint_ip_address\":\"81.2.69.144\",\"source_endpoint_sensor_id\":\"38293534662e48c99f33c61631b3536d\",\"source_products\":[\"Falcon Identity Protection\"],\"source_vendors\":[\"CrowdStrike\"],\"start_time\":\"2024-08-19T18:43:44.242Z\",\"status\":\"new\",\"tactic\":\"Credential Access\",\"tactic_id\":\"TA0006\",\"technique\":\"Brute Force\",\"technique_id\":\"T1110\",\"tags\":[\"falcon_complete\"],\"target_account_name\":\"HFJFJFFFFFFF$\",\"target_endpoint_account_object_guid\":\"AAAAAAAA-0000-FFFFF-000000-A302EFCC8E6E\",\"target_endpoint_account_object_sid\":\"S-1-5-21-746137067-1844237615-1801674531-298236\",\"target_endpoint_host_name\":\"GH787.net.example.com\",\"target_endpoint_sensor_id\":\"ac89a368e77a4fa5837b53c7f11fc9e7\",\"timestamp\":\"2024-08-19T18:44:01.1Z\",\"type\":\"idp-user-endpoint-app-info\",\"updated_timestamp\":\"2024-08-19T18:49:02.798344752Z\",\"user_name\":\"admin.abcdef\",\"activity_browser\":\"Edge 126.0.0\",\"activity_device\":\"LAPTOP-AP7299QV\",\"activity_os\":\"Windows\",\"active_directory_authentication_method\":\"5\",\"activity_id\":\"2A8A7C96-0F17-412C-8105-94542784E00D\",\"alert_attributes\":\"0\",\"location_country_code\":\"US\",\"location_latitude_as_int\":340726,\"location_longitude_as_int\":-1182610,\"model_anomaly_indicators\":[\"ACCOUNT_IMPOSSIBLE_VELOCITY\",\"ENVIRONMENT_UNUSUAL_IP\",\"ENVIRONMENT_UNUSUAL_ISP_DOMAIN\",\"ISP_DATACENTER_CLASSIFICATION\"],\"ldap_search_query_attack\":\"16\",\"protocol_anomaly_classification\":\"1\",\"source_account_object_guid\":\"9F2CE16C-4A78-42E6-8565-87147707EE79\",\"source_endpoint_account_object_sid\":\"S-1-5-21-111111111-2222222-1417001333-101158\",\"source_endpoint_ip_reputation\":\"128\",\"source_ip_isp_classification\":\"9\",\"source_ip_isp_domain\":\"sioru.com\",\"target_domain_controller_host_name\":\"APINTAL19DC01\",\"target_domain_controller_object_guid\":\"45A24DB7-6CD3-48C5-974F-A97159E7E2B2\",\"target_domain_controller_object_sid\":\"S-1-5-21-111111111-2222222-1417001333-85512\",\"target_service_access_identifier\":\"HOST/admin.example.com\"}",
+                "original": "{\"agent_id\":\"38293534662e48c99f33c61631b3536d\",\"aggregate_id\":\"aggind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"cid\":\"4446934rf3fdb64ec3056ddfb96e\",\"composite_id\":\"874694c2ff8c43fdb64ef3056ddfb96d:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"confidence\":80,\"context_timestamp\":\"2024-08-16T18:43:44.242Z\",\"crawled_timestamp\":\"2024-08-16T18:49:02.798354466Z\",\"created_timestamp\":\"2024-08-16T18:45:02.987127397Z\",\"data_domains\":[\"Identity\"],\"description\":\"A user denied a policy identity verification request\",\"display_name\":\"Identity verification denied\",\"end_time\":\"2024-08-16T18:43:44.242Z\",\"falcon_host_link\":\"https://falcon.crowdstrike.com/identity-protection/detections/4446934rf3fdb64ec3056ddfb96e:ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9?_cid=g0300034lfy3zjobdz7ewb4xjqyjsy5a\",\"id\":\"ind:4446934rf3fdb64ec3056ddfb96e:5876E98F-D91B-48AC-8FFC-1191C663A1E9\",\"idp_policy_mfa_factor_type\":\"32769\",\"idp_policy_mfa_provider\":\"14\",\"idp_policy_rule_id\":\"1B82F2DE-2A08-49E0-8F85-AD46996F9A65\",\"idp_policy_rule_name\":\"admin - RDP Access to TIER-0 Servers\",\"name\":\"IdpPolicyIdentityVerificationDenied\",\"objective\":\"Gain Access\",\"pattern_id\":51143,\"poly_id\":\"AAB3RpTC74xD_bZOwwVt37ltWwicqVJrn1DHb_UVfrn1QAAATiE4zCVgvIYhKPq8wZOGu5S3BVMzfSm_y5pv8n9CypfRuw==\",\"product\":\"idp\",\"scenario\":\"suspicious_activity\",\"seconds_to_resolved\":0,\"seconds_to_triaged\":0,\"severity\":79,\"severity_name\":\"High\",\"show_in_ui\":true,\"source_account_azure_id\":\"65ddx-c454-45f9-9034-Fdf34353\",\"source_account_domain\":\"NET.example.com\",\"source_account_name\":\"admin.example\",\"source_account_object_sid\":\"S-14-5424-21-dfaf3-234343-3434-1567733\",\"source_account_sam_account_name\":\"admin.abcdef\",\"source_account_upn\":\"admin.abcdef@example.com\",\"source_endpoint_account_object_guid\":\"E436B3F0-078C-4629-9437-D3E3169147C0\",\"source_endpoint_address_ip4\":\"81.2.69.144\",\"source_endpoint_host_name\":\"ABDC454.net.example.com\",\"source_endpoint_ip_address\":\"81.2.69.144\",\"source_endpoint_sensor_id\":\"38293534662e48c99f33c61631b3536d\",\"source_products\":[\"Falcon Identity Protection\"],\"source_vendors\":[\"CrowdStrike\"],\"start_time\":\"2024-08-16T18:43:44.242Z\",\"status\":\"new\",\"tactic\":\"Credential Access\",\"tactic_id\":\"TA0006\",\"technique\":\"Brute Force\",\"technique_id\":\"T1110\",\"tags\":[\"falcon_complete\"],\"target_account_name\":\"HFJFJFFFFFFF$\",\"target_endpoint_account_object_guid\":\"AAAAAAAA-0000-FFFFF-000000-A302EFCC8E6E\",\"target_endpoint_account_object_sid\":\"S-1-5-21-746137067-1844237615-1801674531-298236\",\"target_endpoint_host_name\":\"GH787.net.example.com\",\"target_endpoint_sensor_id\":\"ac89a368e77a4fa5837b53c7f11fc9e7\",\"timestamp\":\"2024-08-19T18:44:01.1Z\",\"type\":\"idp-user-endpoint-app-info\",\"updated_timestamp\":\"2024-08-19T18:49:02.798344752Z\",\"user_name\":\"admin.abcdef\",\"activity_browser\":\"Edge 126.0.0\",\"activity_device\":\"LAPTOP-AP7299QV\",\"activity_os\":\"Windows\",\"active_directory_authentication_method\":\"5\",\"activity_id\":\"2A8A7C96-0F17-412C-8105-94542784E00D\",\"alert_attributes\":\"0\",\"location_country_code\":\"US\",\"location_latitude_as_int\":340726,\"location_longitude_as_int\":-1182610,\"model_anomaly_indicators\":[\"ACCOUNT_IMPOSSIBLE_VELOCITY\",\"ENVIRONMENT_UNUSUAL_IP\",\"ENVIRONMENT_UNUSUAL_ISP_DOMAIN\",\"ISP_DATACENTER_CLASSIFICATION\"],\"ldap_search_query_attack\":\"16\",\"protocol_anomaly_classification\":\"1\",\"source_account_object_guid\":\"9F2CE16C-4A78-42E6-8565-87147707EE79\",\"source_endpoint_account_object_sid\":\"S-1-5-21-111111111-2222222-1417001333-101158\",\"source_endpoint_ip_reputation\":\"128\",\"source_ip_isp_classification\":\"9\",\"source_ip_isp_domain\":\"sioru.com\",\"target_domain_controller_host_name\":\"APINTAL19DC01\",\"target_domain_controller_object_guid\":\"45A24DB7-6CD3-48C5-974F-A97159E7E2B2\",\"target_domain_controller_object_sid\":\"S-1-5-21-111111111-2222222-1417001333-85512\",\"target_service_access_identifier\":\"HOST/admin.example.com\"}",
                 "severity": 73,
-                "start": "2024-08-19T18:43:44.242Z"
+                "start": "2024-08-16T18:43:44.242Z"
             },
             "host": {
                 "id": "38293534662e48c99f33c61631b3536d"
@@ -668,6 +669,7 @@
                 "version": "8.17.0"
             },
             "event": {
+                "duration": 0,
                 "end": "2024-08-19T18:43:44.242Z",
                 "id": "ind:4446934rf3fdb64ec3056ddfb96e:87934F-M00B-48CC-0AAC-dfafd3429",
                 "kind": "alert",

packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-automated-lead.log-expected.json

@@ -72,6 +72,7 @@
                 "category": [
                     "threat"
                 ],
+                "duration": 93000000000,
                 "end": "2026-05-11T05:13:20.000Z",
                 "id": "automated-lead:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
                 "kind": "alert",

packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-correlation-detection.log

@@ -0,0 +1,2 @@
+{"cid":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70","composite_id":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01","correlation_rule_case_template_id":"3f4edfe2e016466b91e9ae0813ccb5f41","correlation_rule_create_case":true,"correlation_rule_execution_id":"019a643539d97c47b027d43d3c0cbecc","correlation_rule_id":"019a06bf00e67be489340eca8c435140","correlation_rule_user_id":"user@example.com","correlation_rule_user_uuid":"89a1d5c1-2b3e-4f67-8a9b-0c1d2e3f4a5b","correlation_rule_version_id":"019a640c01667962b764a645e8da1d4e","crawled_timestamp":"2026-05-26T12:14:38.196350129Z","created_timestamp":"2026-05-26T12:14:38.196340969Z","data_domains":["Network"],"detection_id":"019a643539d97c47b027d43d3c0cbecc","display_name":"UC1-InboundThreatDetection(GreyNoiseEnriched)","end_time":"2026-05-26T12:10:17.112Z","enriched_entities":{},"event_ids":"exAMPLEidEMvYiu5RwcppZtQpb_2_0_1779797417","falcon_host_link":"https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01?_cid=g04000examplecidtoken00000000001","has_truncated_entities":false,"id":"ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a01","linked_case_ids":["AAAAAAAAAAFt-9l_iefg-exampleCaseId01LNB-6fURYtjTZZxnwlTzsy7TpXEtzEfwHgC8TADgpKgZba19utb1ZLqs7wixNuYGlRGS5rA1XrYo"],"mitre_attack":[],"name":"UC1-InboundThreatDetection(GreyNoiseEnriched)","origin_cid":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70","original_correlation_rules_entities_count":5,"original_indicator_entities_count":1,"pattern_id":400000,"poly_id":"AAAexamplePolyId01Dv6tw1w_eU1ZFa2wZnzQ-9droqwAATiGsJlVWZAiLF2lh-ipnt9szIsU5GAZL9nIJdRo2DfsAUQ==","priority_details":{},"product":"ngsiem","seconds_to_resolved":0,"seconds_to_triaged":0,"severity":30,"severity_name":"Low","show_in_ui":true,"source_hosts":["censys.io"],"source_ips":["198.51.100.10"],"source_products":["FirewallLogs PaloAlto"],"source_vendors":["FirewallLogs"],"start_time":"2026-05-26T12:10:17.112Z","status":"new","timestamp":"2026-05-26T12:14:34Z","type":"correlation-detection","updated_timestamp":"2026-05-26T12:14:40.786363829Z","users":[],"vendor_pattern_id":"100012"}
+{"cid":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70","comment":"Enrichment\"|EnrichmentAdvanceddescription:logCensys.port=443|data#repo=fusion|Censys.hostname=host-nas-01.example.localenrichmentsearchviewworkflow,andby\"WritedetailseventCensys.iprepo\"|Generatedbelowinmorequerytail(1)Workflow\"CensysWorkflowRunCensys.hostname=host-desktop-01.example.local\"203.0.113.20\"|action.nameatname:Censys.hostname=slack.comCensys.port=80|Censys\"definition_name\"definition_nameprefix=Censys.)|tohttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccaceDetection=parseJson(field=action.input.raw_json,","comments":[{"falcon_user_id":"cs-workflow-executor-example-main-p-20200826","timestamp":"2026-06-02T02:42:46.39293629Z","value":"RunbelowqueryinAdvancedeventsearchtoviewenrichmentdata#repo=fusion|\"definition_name\"=\"CensysDetectionEnrichment\"|action.name=\"Writetologrepo\"|parseJson(field=action.input.raw_json,prefix=Censys.)|Censys.ip=\"203.0.113.20\"|tail(1)WorkflowWorkfloname:CensysDetectionEnrichmentWorkflowdescription:Generatedbyworkflow,moredetailsathttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccace"},{"falcon_user_id":"cs-workflow-executor-example-main-p-20200826","timestamp":"2026-06-02T02:43:40.620005158Z","value":"RunbelowqueryinAdvancedeventsearchtoviewenrichmentdata#repo=fusion|definition_name=\"CensysDetectionEnrichment\"|action.name=\"Writetologrepo\"|parseJson(field=action.input.raw_json,prefix=Censys.)|Censys.hostname=host-nas-01.example.localandCensys.port=443|tail(1)WorkflowWorkfloname:CensysDetectionEnrichmentWorkflowdescription:Generatedbyworkflow,moredetailsathttps://falcon.us-2.crowdstrike.com/workflow/fusion/aaaaaaaa21821d4087982228e5c0cd2fe5/executions/bbbbbbbb7eb9f15510680ce4415cbccace"}],"composite_id":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02","correlation_rule_create_case":true,"correlation_rule_execution_id":"019b8635817e7c77948a4d7b8ff24fad","correlation_rule_id":"019b830f23e07c6d8f1809baceb9ccb9","correlation_rule_user_id":"admin@example.org","correlation_rule_user_uuid":"a1b2c3d4-e5f6-4789-90ab-c1d2e3f4a5b6","correlation_rule_version_id":"019b862fbed67b15921a6b79eea654eb","crawled_timestamp":"2026-06-02T02:42:39.854765052Z","created_timestamp":"2026-06-02T02:42:39.85475758Z","data_domains":["Network"],"destination_hosts":["host-nas-01.example.local"],"detection_id":"019b8635817e7c77948a4d7b8ff24fad:f1e2d3c4b5a6478990a1b2c3d4e5f6a02","display_name":"POCdomainparsingforcase","end_time":"2026-06-01T17:22:21.334Z","enriched_entities":{},"event_ids":"exAMPLEk1foCKxiZ0OFPxTT2rp_1_1_1780334541","falcon_host_link":"https://falcon.us-2.crowdstrike.com/unified-detections/a1b2c3d4e5f6478990a1b2c3d4e5f6a70:ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02?_cid=g04000examplecidtoken00000000001","has_truncated_entities":false,"host_names":["host-desktop-01.example.local"],"id":"ngsiem:a1b2c3d4e5f6478990a1b2c3d4e5f6a70:f1e2d3c4b5a6478990a1b2c3d4e5f6a02","linked_case_ids":["AAAAAAAAAAGlDA4Qk2AQyH9lgZtRA78B4OF_exampleCaseId02Dsv1ucmvWv-fdtMG-HtzxtqksbDu9BuWC3wrsNFQ1zgv0aXfTdHMlnt2I"],"mitre_attack":[],"name":"POCdomainparsingforcase","origin_cid":"a1b2c3d4e5f6478990a1b2c3d4e5f6a70","original_correlation_rules_entities_count":11,"original_indicator_entities_count":3,"pattern_id":400000,"poly_id":"AAAexamplePolyId01Dv6twg2uHHj3JLnZDIXfJztg-5wAATiEjyzmWTNhOwDjIbiBs5-wkSdF3ktUG0GmNU69XKQrTgw==","priority_details":{},"product":"ngsiem","seconds_to_resolved":0,"seconds_to_triaged":4664,"severity":50,"severity_name":"Medium","show_in_ui":true,"source_hosts":["slack.com","host-desktop-01.example.local"],"source_ips":["198.51.100.11"],"source_products":["CorelightNdr"],"source_vendors":["Corelight"],"start_time":"2026-06-01T17:22:21.334Z","status":"new","timestamp":"2026-06-02T02:42:32Z","type":"correlation-detection","updated_timestamp":"2026-06-02T04:16:23.064931208Z","user_names":["example-user"],"usernames":["example-user"],"users":[{"aid":"","full_name":"","full_name_is_enriched":false,"idp_id":"","idp_id_is_enriched":false,"sid":"","user_name":"example-user"}],"vendor_pattern_id":"100012"}