From a249bb99f4c3b31c4b96df4cac4fa2b609180727 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Mon, 5 May 2025 15:27:31 +0930
Subject: [PATCH] crowdstrike: improve falcon data stream document collision behaviour

The current set of fields that is used to define the _id for documents is too small and the values are too dense to provide reasonable guarantees that different documents will be assigned different IDs, so increase the set to include fields that in conjunction should give good de-collision behaviour: * crowdstrike.metadata.offset * crowdstrike.event.PID * crowdstrike.event.RuleId
---
 packages/crowdstrike/changelog.yml | 5 +++++
 .../falcon/elasticsearch/ingest_pipeline/default.yml | 3 +++
 packages/crowdstrike/manifest.yml | 2 +-
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
index 2a70fd99964..f7d89347ea8 100644
--- a/packages/crowdstrike/changelog.yml
+++ b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.65.0" + changes: + - description: Improve handling of document collision. + type: enhancement + link: https://github.com/elastic/integrations/pull/13779 - version: "1.64.0" changes: - description: Enhance `device.id` ECS mappings for FDR data stream.
diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
index 4f4dc1046c8..fbcae17f13a 100644
--- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
@@ -329,8 +329,11 @@ processors: - '@timestamp' - crowdstrike.event.SessionId - crowdstrike.event.DetectId + - crowdstrike.event.PID + - crowdstrike.event.RuleId - crowdstrike.metadata.eventType - crowdstrike.metadata.customerIDString + - crowdstrike.metadata.offset target_field: _id tag: fingerprint ignore_missing: true
diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
index d6bf94c9df3..c0cbfff740b 100644
--- a/packages/crowdstrike/manifest.yml
+++ b/packages/crowdstrike/manifest.yml
@@ -1,6 +1,6 @@ name: crowdstrike title: CrowdStrike -version: "1.64.0" +version: "1.65.0" description: Collect logs from Crowdstrike with Elastic Agent. type: integration format_version: "3.3.1"
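Review bot: `ignore_missing: true` on this fingerprint processor means an event that lacks `crowdstrike.event.PID`, `crowdstrike.event.RuleId` or `crowdstrike.metadata.offset` is silently hashed over whatever fields remain, so the wider de-collision set only protects events that actually carry those three fields and the old, denser `_id` key space persists for the rest. If some event types are expected to omit them that is fine, but it deserves a comment above the processor, e.g. `# _id is a hash of the fields below; a field absent from an event is skipped (ignore_missing), so events without PID/RuleId/offset fall back to a narrower key and can still collide.` Changing the field set also changes the `_id` of every document, so an event delivered both before and after this upgrade will be indexed twice rather than collapsed; presumably acceptable, but a line in the changelog entry would save operators a surprise. Whether an `_id` collision here drops or overwrites the later event depends on the write op_type, which is outside this hunk.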