[CrowdStrike] Add Support of Crowdstrike Event Stream #11773
Conversation
andrewkroh
added
Crest
enhancement
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
| processors: | ||
| {{#if processors}} | ||
| {{processors}} | ||
| {{/if}} |
| redact: | ||
| fields: ~ | ||
| program: | | ||
| bytes(state.response).decode_json().as(body,{ |
There was a problem hiding this comment.
| bytes(state.response).decode_json().as(body,{ | |
| state.response.decode_json().as(body,{ |
We should not need the conversion since we are now on 8.16 which has mito v1.15.0 and the newer type checker.
Add new line at last in input file. Remove the byte conversion.
Thank you for pointing that out! I've removed the comment from the PR description. It has been tested on the CrowdStrike Live Instance using the Event Stream API. |
As far as the input is concerned, chunked and non-chunked connections are the same. It should be possible to simulate the behaviour of the API with stream as it currently exists. |
|
/test |
🚀 Benchmarks reportTo see the full report comment with |
Add system test.
There was a problem hiding this comment.
Have you tried just using stream?
If we do need to use this, please put callers before callees. Other comments below.
There was a problem hiding this comment.
I was encountering issues with using the stream , as it wasn't matching the requests and ended up in a loop. To resolve this, I implemented a different approach.
There was a problem hiding this comment.
Is this because stream is not adequately stateful?
| // Mock OAuth2 client credentials | ||
| var mockClientID = "xxxx" | ||
| var mockClientSecret = "xxxx" | ||
| var datafeedCalled bool = false | ||
|
|
||
| // Mock OAuth2 token | ||
| var mockAccessToken = "abcd" | ||
| var mockSessionToken = "xyz" |
There was a problem hiding this comment.
Let's use flag for these so that they can be controlled in the docker-compos.yml file.
| @@ -0,0 +1,3 @@ | |||
| module streaming-mock-service | |||
|
|
|||
| go 1.21.3 | |||
There was a problem hiding this comment.
Let's use a more recent version.
| data := []string{ | ||
| `{"metadata":{"customerIDString":"abcabcabc22221","offset":8695284,"eventType":"RemoteResponseSessionStartEvent","eventCreationTime":1698932494000,"version":"1.0"},"event":{"SessionId":"1111-fffff-4bb4-99c1-74c13cfc3e5a","HostnameField":"UKCHUDL00206","UserName":"[email protected]","StartTimestamp":1698932494,"AgentIdString":"fffffffff33333"}}`, | ||
| `{"metadata":{"customerIDString":"abcabcabc22222","offset":8695285,"eventType":"RemoteResponseSessionStartEvent","eventCreationTime":1698932494000,"version":"1.0"},"event":{"SessionId":"1111-fffff-4bb4-99c1-74c13cfc3e5a","HostnameField":"UKCHUDL00206","UserName":"[email protected]","StartTimestamp":1698932494,"AgentIdString":"fffffffff33333"}}`, | ||
| `{"metadata":{"customerIDString":"abcabcabc22223","offset":8695286,"eventType":"RemoteResponseSessionStartEvent","eventCreationTime":1698932494000,"version":"1.0"},"event":{"SessionId":"1111-fffff-4bb4-99c1-74c13cfc3e5a","HostnameField":"UKCHUDL00206","UserName":"[email protected]","StartTimestamp":1698932494,"AgentIdString":"fffffffff33333"}}`, | ||
| } |
There was a problem hiding this comment.
Either read this from a file with flag-provided path, or use embed to get the text from a text file so that changes in the future are simpler.
1. Update golang version. 2. Use caller before calee. 3. Replace logs with log files.
packages/crowdstrike/changelog.yml
Outdated
| - description: Update the minimum kibana version to 8.16.0. | ||
| type: enhancement | ||
| link: https://github.com/elastic/integrations/pull/11773 |
There was a problem hiding this comment.
I don't think we need to include this.
| func main() { | ||
| flag.Parse() | ||
| // Setup routes | ||
| http.HandleFunc("/oauth2/token", mockTokenHandler) // Token endpoint |
There was a problem hiding this comment.
| http.HandleFunc("/oauth2/token", mockTokenHandler) // Token endpoint | |
| http.HandleFunc("POST /oauth2/token", mockTokenHandler) |
- make use of the METHOD pattern feature of the mux
- the code is adequately self-commenting
| // Only allow POST method | ||
| if r.Method != http.MethodPost { | ||
| http.Error(w, "Invalid request method", http.StatusMethodNotAllowed) | ||
| return | ||
| } |
There was a problem hiding this comment.
Can be dropped when using the METHOD pattern feature of the mux.
| chunk := s.data[s.index] | ||
| s.index++ | ||
| copy(p, chunk) |
There was a problem hiding this comment.
This is not safe if len(p) < len(chunk).
1. Remove kibana version from changelog. 2. Utilize pattern feature of the MUX. 3. Add len check of chunk safety check.
| if len(chunk) > len(p) { | ||
| p = append(p, make([]byte, len(chunk)-len(p))...) | ||
| } |
|
It's still not clear to me why you can't use |
I have sent you the full configuration file in DM that I tried earlier to use the |
| func resourceHandler(w http.ResponseWriter, r *http.Request) { | ||
| log.Printf("Received request: Method=%s, URL=%s", r.Method, r.URL.String()) | ||
| log.Printf("Headers: %+v", r.Header) | ||
| if *datafeedCalled { |
There was a problem hiding this comment.
This is racy in the context of L82.
| "events": { | ||
| "message": body.encode_json(), | ||
| } |
There was a problem hiding this comment.
| "events": { | |
| "message": body.encode_json(), | |
| } | |
| ?"cursor": body.?metadata.optMap(m, {"offset": m.offset}), | |
| "events": [{ | |
| "message": body.encode_json(), | |
| }], |
Apply the patch file sent by Dan. 1. Update the system test, use stream instead of custom mock. 2. Add offset in curson in data collection.
|
/test |
💚 Build Succeeded
History
|
|
Type of change
Proposed Commit Message
Add support of new input type to collect logs for the falcon dataset- CrowdStrike Event Stream via streaming input.
Update the minimum kibana version to 8.16.0
Add the entry of the crowdstrike event stream in readme
Checklist
changelog.ymlfile.Screenshots