
Standardize Ingested Data for Response Actions #12563

Open
raqueltabuyo opened this issue Feb 3, 2025 · 1 comment
Labels
enhancement New feature or request Integration:crowdstrike CrowdStrike Integration:m365_defender Microsoft M365 Defender Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Integration:sentinel_one SentinelOne mapping/pipeline issue Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]

Comments

@raqueltabuyo

raqueltabuyo commented Feb 3, 2025

Standardize Ingested Data for Response Actions

Description

To improve bidirectional response actions, we need consistent data ingestion from CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint. This includes host listings, machine action tracking, and essential identifiers.

Requirements

Ensure all three integrations provide:

  • A list of hosts (following SentinelOne’s current approach).
  • List of action statuses (e.g., "Machine Actions" in Microsoft Defender).
  • agent.id - Some systems (e.g., SentinelOne) have multiple “agent”/“Host” IDs; the one that needs to be captured is the ID that in turn is used with the external system’s API.
  • host.os.type

Impact

  • Inconsistent data limits the effectiveness of automated response actions.
  • Without standard fields, response workflows may not work uniformly across vendors.

Next Steps

  1. Identify discrepancies in host listings, action status tracking, and key identifiers across vendors.
  2. Ensure proper ECS mapping and normalization for these fields.
  3. Implement required transformations or enrichments to fill data gaps.
  4. Prioritize Microsoft Defender.
@raqueltabuyo raqueltabuyo added enhancement New feature or request Integration:crowdstrike CrowdStrike Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Integration:sentinel_one SentinelOne Integration:m365_defender Microsoft M365 Defender Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Feb 3, 2025
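The normalization step described in the issue, as an added example that is not code from this issue or from the elastic/integrations project: it takes a vendor host record, picks the identifier the vendor's response API actually accepts for `agent.id`, folds the vendor's OS string onto the closed ECS `host.os.type` vocabulary, and reports any required field that is still missing. The vendor source field names in `VENDOR_FIELDS` and the sample host records are assumptions constructed for illustration and must be checked against each integration's real pipeline.

```python
"""Normalize vendor host records into the ECS fields response actions need.

Added illustration, not the elastic/integrations pipeline code. The vendor
field names in VENDOR_FIELDS are ASSUMED and must be verified against the
real integration before use.
"""
from typing import Any, Optional

# ECS host.os.type is a closed vocabulary; unknown platforms are left unset
# rather than guessed, so downstream workflows can detect the gap.
ECS_OS_TYPES = {"linux", "macos", "unix", "windows", "ios", "android"}

# (prefix, ecs value) pairs, matched case-insensitively against the start of
# the vendor OS string. Order matters: longer prefixes first.
_OS_ALIASES = [
    ("windows", "windows"),
    ("win", "windows"),
    ("linux", "linux"),
    ("macos", "macos"),
    ("darwin", "macos"),
    ("mac", "macos"),
    ("ios", "ios"),
    ("android", "android"),
]

# Per-vendor source field names (ASSUMED, illustrative only). "agent_id" names
# the identifier the vendor's response API accepts; that is what agent.id must
# carry, even when the record exposes several other host/agent IDs.
VENDOR_FIELDS = {
    "crowdstrike": {"agent_id": "device_id", "hostname": "hostname", "os": "platform_name"},
    "sentinel_one": {"agent_id": "id", "hostname": "computerName", "os": "osType"},
    "microsoft_defender_endpoint": {"agent_id": "id", "hostname": "computerDnsName", "os": "osPlatform"},
}

# Fields every normalized document must have for response actions to work.
REQUIRED_FIELDS = ["agent.id", "host.os.type"]


def normalize_os_type(raw: Optional[str]) -> Optional[str]:
    """Map a vendor OS string (e.g. 'Windows Server 2019') to an ECS os.type."""
    if not raw:
        return None
    key = raw.strip().lower()
    for prefix, ecs_value in _OS_ALIASES:
        if key.startswith(prefix):
            return ecs_value
    return None


def _get_path(doc: dict, dotted: str) -> Any:
    """Look up a dotted ECS path such as 'host.os.type' in a nested dict."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_required(doc: dict) -> list:
    """Return the REQUIRED_FIELDS that are absent or empty in a normalized doc."""
    return [f for f in REQUIRED_FIELDS if not _get_path(doc, f)]


def normalize_host(vendor: str, record: dict) -> dict:
    """Produce an ECS-shaped host document from one vendor host record."""
    if vendor not in VENDOR_FIELDS:
        raise ValueError(f"unknown vendor: {vendor}")
    fields = VENDOR_FIELDS[vendor]
    agent_id = record.get(fields["agent_id"])
    if not agent_id:
        # Without the API-facing identifier no response action can target the host.
        raise ValueError(f"{vendor}: record lacks {fields['agent_id']!r}; cannot drive response actions")
    raw_os = record.get(fields["os"])
    doc: dict = {
        "agent": {"id": str(agent_id)},
        "host": {"hostname": record.get(fields["hostname"]), "os": {"name": raw_os}},
        "observer": {"vendor": vendor},
    }
    os_type = normalize_os_type(raw_os)
    if os_type in ECS_OS_TYPES:
        doc["host"]["os"]["type"] = os_type
    return doc


# Constructed sample records (not real API output). The SentinelOne record
# deliberately carries two IDs to show that only the API-facing one is used.
SAMPLE_HOSTS = [
    ("crowdstrike", {"device_id": "cs-0001", "hostname": "cs-host", "platform_name": "Windows"}),
    ("sentinel_one", {"id": "s1-0001", "uuid": "other-id", "computerName": "s1-host", "osType": "linux"}),
    ("microsoft_defender_endpoint", {"id": "mde-0001", "computerDnsName": "mde-host", "osPlatform": "macOS"}),
]


def normalize_all(hosts=SAMPLE_HOSTS) -> list:
    """Normalize every record and attach the list of still-missing fields."""
    out = []
    for vendor, record in hosts:
        doc = normalize_host(vendor, record)
        doc["_missing"] = missing_required(doc)
        out.append(doc)
    return out


if __name__ == "__main__":
    for d in normalize_all():
        print(d["observer"]["vendor"], d["agent"]["id"], d["host"]["os"].get("type"), d["_missing"])
```

Running the module prints one line per sample host with the chosen `agent.id`, the mapped `host.os.type`, and an empty missing-field list; feeding it a record whose OS string has no alias leaves `host.os.type` unset and reports it in `_missing`, which is the discrepancy step 1 of the issue asks for.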
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
