
Ensure Consistency Across Ingested Data for Analyzer Development #12562

Open
raqueltabuyo opened this issue Feb 3, 2025 · 0 comments
Labels
enhancement New feature or request Integration:crowdstrike CrowdStrike Integration:m365_defender Microsoft M365 Defender Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Integration:sentinel_one SentinelOne Team:Service-Integrations Label for the Service Integrations team


raqueltabuyo commented Feb 3, 2025

Ensure Consistency Across Ingested Data for Analyzer Development

Description

To support the development of the analyzer, we need consistency in the ingested data across CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint. Specifically, the following fields should be consistently available and mapped to ECS.

Requirements

Ensure all three integrations provide the following fields:

  • process.entity_id
  • process.parent.entity_id
  • process.name
  • event.module
  • event.kind

Impact

  • Without consistency in these fields, entity correlation and attack chain visualization will be incomplete.
  • Missing or inconsistent data will affect the accuracy and reliability of the analyzer.

Next Steps

  1. Prioritize Microsoft
  2. Assess data coverage gaps for each vendor.
  3. Align ingestion pipelines to normalize these fields in ECS.
  4. Define any necessary transformations or enrichment to standardize missing data.
@raqueltabuyo raqueltabuyo added enhancement New feature or request Integration:crowdstrike CrowdStrike Team:Service-Integrations Label for the Service Integrations team Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Integration:sentinel_one SentinelOne Integration:m365_defender Microsoft M365 Defender labels Feb 3, 2025
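One way to do the "assess data coverage gaps" and "normalize these fields" steps above, as an added example that is not part of this issue or of the integrations' own code: a small Python checker that takes ingested documents, groups them by `event.module`, reports which of the five required ECS fields are not populated in every event, flags `process.parent.entity_id` values that do not resolve to any `process.entity_id` in the same module's data (the links that leave the attack chain incomplete), and shows a rename-based normalization step. The sample events are constructed for the example; the `raw.category` source field used in the rename map is a hypothetical placeholder, not any vendor's real schema.

```python
"""Coverage and parent-link check for the ECS fields required by the analyzer.

Added example, not code from the issue or the integrations. Documents may be
nested ({"process": {"entity_id": ...}}), flattened ({"process.entity_id": ...})
or a mix of both, so field lookup handles all three.
"""
import copy
from collections import defaultdict

# The five fields the issue requires from every integration.
REQUIRED_FIELDS = [
    "process.entity_id",
    "process.parent.entity_id",
    "process.name",
    "event.module",
    "event.kind",
]


def get_path(doc, path):
    """Resolve a dotted ECS path against a nested, flattened or mixed document."""
    if not isinstance(doc, dict):
        return None
    if path in doc:
        return doc[path]
    parts = path.split(".")
    # Try the longest dotted prefix first, then recurse into it.
    for i in range(len(parts) - 1, 0, -1):
        head = ".".join(parts[:i])
        if head in doc:
            return get_path(doc[head], ".".join(parts[i:]))
    return None


def set_path(doc, path, value):
    """Write a value at a dotted path, creating nested objects as needed."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def group_by_module(events):
    by_module = defaultdict(list)
    for ev in events:
        by_module[get_path(ev, "event.module") or "<missing event.module>"].append(ev)
    return by_module


def coverage_report(events):
    """{module: {field: (events with the field populated, total events)}}."""
    report = {}
    for module, evs in group_by_module(events).items():
        report[module] = {
            f: (sum(1 for e in evs if get_path(e, f) not in (None, "")), len(evs))
            for f in REQUIRED_FIELDS
        }
    return report


def missing_fields(report):
    """The coverage gaps: fields that are not populated in every event of a module."""
    return {m: [f for f, (p, n) in fields.items() if p < n] for m, fields in report.items()}


def parent_link_gaps(events):
    """Per module, (entity_id, parent_id) pairs whose parent was never ingested.

    These are the edges the analyzer cannot draw; the top of a chain will always
    show up here unless its ancestor was ingested too.
    """
    gaps = {}
    for module, evs in group_by_module(events).items():
        known = {get_path(e, "process.entity_id") for e in evs} - {None, ""}
        gaps[module] = [
            (get_path(e, "process.entity_id"), get_path(e, "process.parent.entity_id"))
            for e in evs
            if get_path(e, "process.parent.entity_id") not in (None, "")
            and get_path(e, "process.parent.entity_id") not in known
        ]
    return gaps


def normalize(event, renames):
    """Copy a vendor value into the ECS field when the ECS field is empty (new dict)."""
    out = copy.deepcopy(event)
    for src, dst in renames.items():
        if get_path(out, dst) in (None, "") and get_path(out, src) not in (None, ""):
            set_path(out, dst, get_path(out, src))
    return out


# Hypothetical rename map: "raw.category" is an illustrative source field, not a real vendor schema.
MDE_RENAMES = {"raw.category": "event.kind"}


def normalized_missing(events):
    """Coverage gaps after applying the (hypothetical) Defender for Endpoint renames."""
    fixed = [
        normalize(e, MDE_RENAMES) if get_path(e, "event.module") == "microsoft_defender_endpoint" else e
        for e in events
    ]
    return missing_fields(coverage_report(fixed))


# Constructed sample events (not real telemetry): one nested, one flattened, one mixed.
SAMPLE_EVENTS = [
    {"event": {"module": "crowdstrike", "kind": "event"},
     "process": {"entity_id": "cs-1", "name": "cmd.exe", "parent": {"entity_id": "cs-0"}}},
    {"event": {"module": "crowdstrike", "kind": "event"},
     "process": {"entity_id": "cs-0", "name": "explorer.exe", "parent": {"entity_id": "cs-root"}}},
    {"event.module": "sentinel_one", "event.kind": "event", "process.entity_id": "s1-7",
     "process.name": "powershell.exe", "process.parent.entity_id": "s1-3"},
    {"event.module": "sentinel_one", "event.kind": "event", "process.entity_id": "s1-3",
     "process.name": "svchost.exe"},  # parent id missing: a coverage gap
    {"event": {"module": "microsoft_defender_endpoint"}, "raw.category": "event",  # event.kind missing
     "process": {"entity_id": "mde-9", "name": "rundll32.exe", "parent.entity_id": "mde-2"}},
]

if __name__ == "__main__":
    print("gaps before normalization:", missing_fields(coverage_report(SAMPLE_EVENTS)))
    print("gaps after normalization: ", normalized_missing(SAMPLE_EVENTS))
    print("dangling parent links:    ", parent_link_gaps(SAMPLE_EVENTS))
```

Run it against a sample exported from each integration's data stream (one JSON document per line) to get a per-vendor list of fields to fix before the analyzer work starts; the dangling-parent list is the quicker signal that `process.parent.entity_id` and `process.entity_id` are not being derived the same way within a vendor.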