Skip to content

crowdstrike: remove all statically set constant keyword fields in fdr at beginning of ingest#16240

Merged
efd6 merged 3 commits intoelastic:mainfrom
efd6:s6698-crowdstrike
Dec 5, 2025
Merged

crowdstrike: remove all statically set constant keyword fields in fdr at beginning of ingest#16240
efd6 merged 3 commits intoelastic:mainfrom
efd6:s6698-crowdstrike

Conversation

@efd6
Copy link
Contributor

@efd6 efd6 commented Dec 4, 2025
edited
Loading

Proposed commit message

crowdstrike: remove all statically set constant keyword fields in fdr at beginning of ingest

In cases where an unrecoverable error occurs in the ingest pipeline, the
previous code would skip removal of ecs.version, resulting in a mapping
failure since beats sets this value to 8.0.0, which does not match the
static value. So remove this value at the beginning of the ingest
pipeline to avoid this. Also remove all other statically defined
constant keyword field values in case they have been set.

Also fix a rename processor failure that is uncovered by this change
where a condition attempts to access the ctx.crowdstrike?.User?.Name
field through a string ctx.crowdstrike?.User field, resulting in a
painless dynamic getter error.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 self-assigned this Dec 4, 2025
@efd6 efd6 added Integration:crowdstrike CrowdStrike bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Dec 4, 2025
@efd6 efd6 force-pushed the s6698-crowdstrike branch 2 times, most recently from 6d96b8b to 54d5517 Compare December 4, 2025 03:11
@efd6
crowdstrike: remove all statically set constant keyword fields in fdr…
dad2ec1 
… at beginning of ingest

In cases where an unrecoverable error occurs in the ingest pipeline, the
previous code would skip removal of ecs.version, resulting in a mapping
failure since beats sets this value to 8.0.0, which does not match the
static value. So remove this value at the beginning of the ingest
pipeline to avoid this. Also remove all other statically defined
constant keyword field values in case they have been set.

Also fix a rename processor failure that is uncovered by this change
where a condition attempt to access the ctx.crowdstrike?.User?.Name
field through a string ctx.crowdstrike?.User field, resulting in a
painless dynamic getter error.
@efd6 efd6 force-pushed the s6698-crowdstrike branch from 54d5517 to dad2ec1 Compare December 4, 2025 04:28
@efd6 efd6 force-pushed the s6698-crowdstrike branch from 1c0274f to 9dc5a16 Compare December 4, 2025 04:59
@efd6
adjust test hit count assertion
fc37d8f 
This bugfix finally explains why the test hit count assertion has always
been confusing.
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Dec 4, 2025

🚀 Benchmarks report

Package crowdstrike 👍(3) 💚(4) 💔(3)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
falcon 5714.29 3571.43 -2142.86 (-37.5%) 💔
host 4761.9 3278.69 -1483.21 (-31.15%) 💔
host 4761.9 3816.79 -945.11 (-19.85%) 💔

To see the full report comment with /test benchmark fullreport

@elasticmachine
Copy link

elasticmachine commented Dec 4, 2025

💚 Build Succeeded

History

cc @efd6

@efd6 efd6 marked this pull request as ready for review December 4, 2025 06:48
@efd6 efd6 requested a review from a team as a code owner December 4, 2025 06:48
@elasticmachine
Copy link

elasticmachine commented Dec 4, 2025

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 merged commit 900548c into elastic:main Dec 5, 2025
7 checks passed
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Dec 5, 2025

Package crowdstrike - 2.10.1 containing this change is available at https://epr.elastic.co/package/crowdstrike/2.10.1/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

@efd6 efd6

Labels

bugfix Pull request that fixes a bug issue Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@efd6 @elasticmachine @andrewkroh