[EDR Workflows] Enable crowdstrike in analyzer (#174590)

elastic · Feb 12, 2024 · f07df41 · f07df41
1 parent 226b3f3
commit f07df41
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 1 deletion.
diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts
@@ -174,6 +174,11 @@ export const allowedExperimentalValues = Object.freeze({
    */
   sentinelOneManualHostActionsEnabled: true,
 
+  /*
+   * Enables experimental Crowdstrike integration data to be available in Analyzer
+   */
+  crowdstrikeDataInAnalyzerEnabled: false,
+
   /*
    * Enables experimental "Updates" tab in the prebuilt rule upgrade flyout.
    * This tab shows the JSON diff between the installed prebuilt rule

diff --git a/...on/public/detections/components/alerts_table/timeline_actions/investigate_in_resolver.tsx b/...on/public/detections/components/alerts_table/timeline_actions/investigate_in_resolver.tsx
@@ -14,9 +14,13 @@ export const useIsInvestigateInResolverActionEnabled = (ecsData?: Ecs) => {
   const sentinelOneDataInAnalyzerEnabled = useIsExperimentalFeatureEnabled(
     'sentinelOneDataInAnalyzerEnabled'
   );
+  const crowdstrikeDataInAnalyzerEnabled = useIsExperimentalFeatureEnabled(
+    'crowdstrikeDataInAnalyzerEnabled'
+  );
   return useMemo(() => {
     const fileBeatModules = [
       ...(sentinelOneDataInAnalyzerEnabled ? ['sentinel_one_cloud_funnel', 'sentinel_one'] : []),
+      ...(crowdstrikeDataInAnalyzerEnabled ? ['crowdstrike'] : []),
     ] as const;
 
     const agentType = get(['agent', 'type', 0], ecsData);
@@ -36,5 +40,5 @@ export const useIsInvestigateInResolverActionEnabled = (ecsData?: Ecs) => {
       processEntityIds != null && processEntityIds.length === 1 && firstProcessEntityId !== '';
 
     return isAcceptedAgentType && hasProcessEntityId;
-  }, [ecsData, sentinelOneDataInAnalyzerEnabled]);
+  }, [crowdstrikeDataInAnalyzerEnabled, ecsData, sentinelOneDataInAnalyzerEnabled]);
 };
diff --git a/...ugins/security_solution/server/endpoint/routes/resolver/entity/utils/supported_schemas.ts b/...ugins/security_solution/server/endpoint/routes/resolver/entity/utils/supported_schemas.ts
@@ -35,11 +35,13 @@ export const getSupportedSchemas = (
   experimentalFeatures: ExperimentalFeatures | undefined
 ): SupportedSchema[] => {
   const sentinelOneDataInAnalyzerEnabled = experimentalFeatures?.sentinelOneDataInAnalyzerEnabled;
+  const crowdstrikeDataInAnalyzerEnabled = experimentalFeatures?.crowdstrikeDataInAnalyzerEnabled;
 
   const supportedFileBeatDataSets = [
     ...(sentinelOneDataInAnalyzerEnabled
       ? ['sentinel_one_cloud_funnel.event', 'sentinel_one.alert']
       : []),
+    ...(crowdstrikeDataInAnalyzerEnabled ? ['crowdstrike.falcon', 'crowdstrike.fdr'] : []),
   ];
 
   return [