
crowdstrike: stop overwriting event.action with generic values in fdr data stream#19927

Open
efd6 wants to merge 2 commits into elastic:main from efd6:19807-crowdstrike

Conversation

@efd6 efd6 commented Jul 2, 2026


Proposed commit message

crowdstrike: stop overwriting event.action with generic values in fdr data stream

Three processors in the FDR ingest pipeline overwrote event.action
with generic ECS vocabulary (load, modification, creation, deletion,
open, query) instead of preserving the CrowdStrike event_simpleName.
This lost the specificity needed by detection rules which filter on
the original SimpleEventName values.

Remove the driver event.action="load" processor, the *Written
event.action="creation" processor, and the event.action assignment
from the registry RegOperationType script. The event.type assignments
from these processors were already correct and are retained.

Remove the processor that copied event_simpleName into message. The
crowdstrike.event_simpleName keyword field serves the same purpose
without abusing a match_only_text field.

Add creation to the MachOFileWritten event.type in the categorize
pipeline, closing the one gap the *Written processor was covering.

Note

This is a counter proposal to #19808.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots
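An added illustration of the behaviour the proposed commit message describes, not code from this PR or from the CrowdStrike integration: a simplified model of event.action handling before and after the change, run against constructed FDR-style records, showing why a detection rule that filters on the original SimpleEventName values stops matching when event.action is overwritten. Only MachOFileWritten comes from the page; the other event names, the RegOperationType codes and the rule are assumptions for illustration.

```python
# Generic ECS vocabulary the removed processors wrote into event.action.
GENERIC_ACTIONS = {"load", "modification", "creation", "deletion", "open", "query"}

# Constructed stand-in for the removed RegOperationType script's mapping
# (the real codes are not on the page; these are illustrative only).
REG_OPERATION_ACTION = {1: "creation", 2: "modification", 3: "deletion", 4: "query"}


def categorize_before(event):
    """Old pipeline: generic verbs overwrite the CrowdStrike event_simpleName."""
    name = event["event_simpleName"]
    out = {"event.action": name, "event.type": []}
    if name.endswith("Written"):                 # the removed *Written processor
        out["event.action"] = "creation"
        out["event.type"] = ["creation"]
    elif name.startswith("Driver"):              # the removed driver processor
        out["event.action"] = "load"             # (prefix match is an assumption)
    elif "RegOperationType" in event:            # the removed registry script
        out["event.action"] = REG_OPERATION_ACTION.get(event["RegOperationType"], "query")
    return out


def categorize_after(event):
    """New pipeline: event.action keeps event_simpleName; only event.type carries
    the generic ECS category, with creation now set for MachOFileWritten."""
    name = event["event_simpleName"]
    out = {"event.action": name, "event.type": []}
    if name == "MachOFileWritten":
        out["event.type"] = ["creation"]
    return out


def matches_rule(doc, wanted_actions):
    """A detection rule that filters on the original SimpleEventName values."""
    return doc["event.action"] in wanted_actions


SAMPLE_EVENTS = [  # constructed records; not real FDR data
    {"event_simpleName": "MachOFileWritten", "TargetFileName": "/tmp/x"},
    {"event_simpleName": "DriverLoad", "ImageFileName": "/drv.sys"},
    {"event_simpleName": "RegGenericValueUpdate", "RegOperationType": 2},
]


def rule_hits(categorize, rule_actions=("MachOFileWritten", "DriverLoad")):
    """Names of the sample events the rule matches under a given pipeline."""
    return [e["event_simpleName"] for e in SAMPLE_EVENTS
            if matches_rule(categorize(e), rule_actions)]
```

Under the old logic the rule sees only "creation" and "load", so it matches nothing; under the new logic both targeted events match and the ECS category still survives in event.type.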

@efd6 efd6 self-assigned this Jul 2, 2026
@efd6 efd6 added the labels "breaking change", "Integration:crowdstrike" (CrowdStrike), "bugfix" (Pull request that fixes a bug issue) and "Team:Security-Service Integrations" (Security Service Integrations team [elastic/security-service-integrations]) Jul 2, 2026
@efd6 efd6 force-pushed the 19807-crowdstrike branch from 4a1e07d to 5e992a7 Compare July 2, 2026 02:45
github-actions Bot commented Jul 2, 2026


Elastic Docs Style Checker (Vale)

Summary: 1 warning found

⚠️ Warnings (1): Fix when the suggestion improves clarity or correctness.
File: packages/crowdstrike/changelog.yml
Line: 5
Rule: Elastic.Latinisms
Message: Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.

The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod


🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review July 2, 2026 04:25
@efd6 efd6 requested review from a team as code owners July 2, 2026 04:25
@infra-vault-gh-plugin-prod


Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@vera-review-bot


No issues across the latest commits 5e992a7.

I'll pick up this PR for review again after 15 minutes.

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@navnit-elastic navnit-elastic left a comment


Nit only - Regenerate the sample_event.json to remove the message field for consistency.

mergify Bot commented Jul 2, 2026


Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

@elastic-vault-github-plugin-prod


✅ All changelog entries have the correct PR link.

efd6 commented Jul 2, 2026


@navnit-elastic, for the event that was chosen, event.action does not get populated, but I've gone through all the generated output from the system test and it is properly generated in most of them. What it looks like is happening is that a host metadata document was chosen.

@efd6 efd6 requested a review from navnit-elastic July 2, 2026 05:42
@infra-vault-gh-plugin-prod


💚 Build Succeeded

History

cc @efd6

@navnit-elastic navnit-elastic left a comment


LGTM, Thanks!

@andrewkroh andrewkroh added the "documentation" label (Improvements or additions to documentation. Applied to PRs that modify *.md files.) Jul 2, 2026

Development

Successfully merging this pull request may close these issues.

[CrowdStrike]: event.action, event.type, and message