crowdstrike: improve falcon data stream document collision behaviour

efd6 · efd6 · commit 61adc6454235 · 2025-05-06T15:45:53.000+09:30
The current set of fields that is used to define the _id for documents
is too small and the values are too dense to provide reasonable
guarantees that different documents will be assigned different IDs, so
increase the set to include fields that in conjunction should give good
de-collision behaviour:

* crowdstrike.metadata.offset
* crowdstrike.event.PID
* crowdstrike.event.RuleId
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.64.0"
+  changes:
+    - description: Improve handling of document collision.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13779
 - version: "1.63.2"
   changes:
     - description: Fix the navigation links in `Table of Contents` section.
diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
@@ -329,8 +329,11 @@ processors:
         - '@timestamp'
         - crowdstrike.event.SessionId
         - crowdstrike.event.DetectId
+        - crowdstrike.event.PID
+        - crowdstrike.event.RuleId
         - crowdstrike.metadata.eventType
         - crowdstrike.metadata.customerIDString
+        - crowdstrike.metadata.offset
       target_field: _id
       tag: fingerprint
       ignore_missing: true
diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.63.2"
+version: "1.64.0"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.3.1"
