Md Azam
The earlier implementation might have missed some constraints. Escaping values needs to be fixed in the query constructor based on the datasource query constraints that @pcoccoli mentioned: https://github.com/opencybersecurityalliance/stix-shifter/blob/8fed1fa2fc4130d3d5a6065110628c4973c9da98/stix_shifter_modules/elastic_ecs/stix_translation/query_constructor.py#L69
@muellpanda would you please resolve the conflicts? We would like to verify the changes and see if this can be merged.
@leexuan this is a very common test command. It should work. Can you please update your fork from the latest develop and try again.
In this case, the only way to set `is_multipart` and `content_type` is inside `stix_shifter_modules/elastic_ecs/stix_transmission/connector.py` as part of results processing. There are a few connectors that do the same. For example: https://github.com/opencybersecurityalliance/stix-shifter/blob/705881737ee698277a7fcb3245042a733c3065f8/stix_shifter_modules/gcp_chronicle/stix_transmission/results_connector.py#L381...
Correct. Add additional fields in the raw data and map those fields in to_stix. The results translator class should automatically pick them up while translating to STIX observables.
Not really sure if it is a Crowdstrike connector issue. The connector queries the detection API. This is the readme of the connector: https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/stix_shifter_modules/crowdstrike/README.md @frequent6198 Can you run results CLI commands...