Skip to content

crowdstrike: remove all statically set constant keyword fields in fdr at beginning of ingest #16240

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

crowdstrike: remove all statically set constant keyword fields in fdr at beginning of ingest #16240

wants to merge 2 commits into from
+24 −3

Conversation

@efd6
Copy link
Contributor

@efd6 efd6 commented Dec 4, 2025
edited
Loading

Proposed commit message

crowdstrike: remove all statically set constant keyword fields in fdr at beginning of ingest

In cases where an unrecoverable error occurs in the ingest pipeline, the
previous code would skip removal of ecs.version, resulting in a mapping
failure since beats sets this value to 8.0.0, which does not match the
static value. So remove this value at the beginning of the ingest
pipeline to avoid this. Also remove all other statically defined
constant keyword field values in case they have been set.

Also fix a rename processor failure that is uncovered by this change
where a condition attempts to access the ctx.crowdstrike?.User?.Name
field through a string ctx.crowdstrike?.User field, resulting in a
painless dynamic getter error.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 self-assigned this Dec 4, 2025
@efd6 efd6 added Integration:crowdstrike CrowdStrike bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Dec 4, 2025
@efd6 efd6 force-pushed the s6698-crowdstrike branch 2 times, most recently from 6d96b8b to 54d5517 Compare December 4, 2025 03:11
@efd6
crowdstrike: remove all statically set constant keyword fields in fdr…
dad2ec1 
… at beginning of ingest

In cases where an unrecoverable error occurs in the ingest pipeline, the
previous code would skip removal of ecs.version, resulting in a mapping
failure since beats sets this value to 8.0.0, which does not match the
static value. So remove this value at the beginning of the ingest
pipeline to avoid this. Also remove all other statically defined
constant keyword field values in case they have been set.

Also fix a rename processor failure that is uncovered by this change
where a condition attempt to access the ctx.crowdstrike?.User?.Name
field through a string ctx.crowdstrike?.User field, resulting in a
painless dynamic getter error.
@efd6 efd6 force-pushed the s6698-crowdstrike branch from 54d5517 to dad2ec1 Compare December 4, 2025 04:28
andrewkroh
andrewkroh reviewed Dec 4, 2025
View reviewed changes
packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml Outdated
target_field: user.name
ignore_missing: true
if: ctx.crowdstrike?.User?.Name != null && ctx.user?.name == null
if: '!(ctx.crowdstrike?.User instanceof String) && ctx.crowdstrike?.User?.Name != null && ctx.user?.name == null'
Copy link
Member

@andrewkroh andrewkroh Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if: '!(ctx.crowdstrike?.User instanceof String) && ctx.crowdstrike?.User?.Name != null && ctx.user?.name == null'
if: 'ctx.crowdstrike?.User instanceof Map && ctx.crowdstrike?.User?.Name != null && ctx.user?.name == null'

If ctx.crowdstrike.User were an array or another type without a Name field, attempting to read .Name could fail.

@efd6 efd6 force-pushed the s6698-crowdstrike branch from 1c0274f to 9dc5a16 Compare December 4, 2025 04:59
@elasticmachine
Copy link

elasticmachine commented Dec 4, 2025
edited
Loading

💔 Build Failed

Failed CI Steps

History

cc @efd6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@efd6 efd6

Labels

bugfix Pull request that fixes a bug issue Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@efd6 @elasticmachine @andrewkroh