[CrowdStrike] Handle deprecating Threat fields #15856

@navnit-elastic

Description

The crowdstrike.falcon integration is using the TacticId, TacticIds, Tactic, Tactics, TechniqueId, TechniqueIds, Technique and Techniques fields to populate threat.* ECS fields for various detection events.

According to CrowdStrike documentation, these fields are deprecated and have been moved under the MitreAttack object.

Though the deprecated fields still show up in the live logs, it would be good to switch to the recommended fields.

Deprecation note and schema for the MitreAttack object:
Image
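
One way to express the switch the issue asks for, as an added example rather than the integration's own pipeline code: prefer values from the MitreAttack object and fall back to the deprecated top-level fields only when it yields nothing. The sub-field names inside MitreAttack (TacticID, Tactic, TechniqueID, Technique) and the sample events are assumptions, since the schema screenshot is not reproduced on this page; the targets are the ECS threat.tactic.* and threat.technique.* fields.

```python
# Constructed mapping logic; not the integration's ingest pipeline.
# ASSUMPTION: each MitreAttack entry carries TacticID, Tactic, TechniqueID
# and Technique keys (the schema screenshot is not reproduced on the page).
NEW_KEYS = {
    "threat.tactic.id": "TacticID",
    "threat.tactic.name": "Tactic",
    "threat.technique.id": "TechniqueID",
    "threat.technique.name": "Technique",
}
# Deprecated top-level fields named in the issue: (singular, plural).
OLD_KEYS = {
    "threat.tactic.id": ("TacticId", "TacticIds"),
    "threat.tactic.name": ("Tactic", "Tactics"),
    "threat.technique.id": ("TechniqueId", "TechniqueIds"),
    "threat.technique.name": ("Technique", "Techniques"),
}

def _values(value):
    """Flatten a scalar or list into a list of non-empty strings."""
    items = value if isinstance(value, list) else [value]
    return [str(v).strip() for v in items if v is not None and str(v).strip()]

def threat_fields(event):
    """Return (ecs_fields, source); source names the input shape that was used."""
    attacks = event.get("MitreAttack")
    if not isinstance(attacks, list):  # tolerate a single object or a missing field
        attacks = [attacks]
    attacks = [a for a in attacks if isinstance(a, dict)]
    ecs = {}
    for ecs_field, key in NEW_KEYS.items():
        vals = [v for a in attacks for v in _values(a.get(key))]
        if vals:
            ecs[ecs_field] = list(dict.fromkeys(vals))  # de-duplicate, keep order
    if ecs:
        return ecs, "MitreAttack"
    for ecs_field, keys in OLD_KEYS.items():  # fallback for events without MitreAttack
        vals = [v for k in keys for v in _values(event.get(k))]
        if vals:
            ecs[ecs_field] = list(dict.fromkeys(vals))
    return ecs, "deprecated" if ecs else "none"

# Constructed sample events (not real Falcon output).
NEW_EVENT = {"MitreAttack": [
    {"TacticID": "TA0002", "Tactic": "Execution", "TechniqueID": "T1059", "Technique": "Command and Scripting Interpreter"},
    {"TacticID": "TA0002", "Tactic": "Execution", "TechniqueID": "T1204", "Technique": "User Execution"},
], "Tactic": "Execution", "Technique": "Command and Scripting Interpreter"}
OLD_EVENT = {"TacticId": "TA0005", "Tactic": "Defense Evasion",
             "TechniqueId": "T1036", "Technique": "Masquerading"}
```

Returning the source alongside the fields makes it easy to count how many events still rely on the deprecated shape before the fallback is removed.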

Labels

Integration:crowdstrike (CrowdStrike)
Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations])
Team:Sit-Crest (Crest developers on the Security Integrations team [elastic/sit-crest-contractors])
enhancement (New feature or request)
