
Map crowdstrike.alert.detection_context as flattened #18158

Merged: chrisberkhout merged 7 commits into elastic:main from chrisberkhout:crowdstrike-alert-mapping-simplification on Apr 17, 2026

Conversation

@chrisberkhout (Contributor) commented Mar 31, 2026

Proposed commit message

Map crowdstrike.alert.detection_context as flattened

The flattened type was chosen because a complete list of subfield names
is not known.

Also restructures the alert pipeline to deserialize JSON straight into
`crowdstrike.alert.*` rather than putting it elsewhere and renaming
individual fields to their final destinations. Since there are a number
of known fields that were intentionally not mapped into the vendor
namespace, those are explicitly removed.

This may lead to additional dynamically mapped fields if there are more
unknown fields in the API's alert payloads.

Note to reviewers

Can be read commit-by-commit.

If the last point in the proposed commit message is a problem, we can change to a Painless processor that retains only whitelisted fields under crowdstrike.alert.*.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

@chrisberkhout chrisberkhout self-assigned this Mar 31, 2026
@chrisberkhout chrisberkhout requested a review from a team as a code owner March 31, 2026 14:53
@chrisberkhout chrisberkhout added enhancement New feature or request Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Mar 31, 2026
@elasticmachine commented:

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@chrisberkhout chrisberkhout changed the title Crowdstrike alert mapping simplification Map crowdstrike.alert.detection_context as flattened Mar 31, 2026
@elasticmachine commented Mar 31, 2026

💔 Build Failed


cc @chrisberkhout

@chrisberkhout chrisberkhout force-pushed the crowdstrike-alert-mapping-simplification branch from f602476 to 0c38b94 on April 10, 2026 11:40
@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Apr 10, 2026
@elastic-vault-github-plugin-prod commented:

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@kcreddy (Contributor) left a review:

LGTM, just a note on changelog (which is also not a blocker).

Comment thread on packages/crowdstrike/changelog.yml (outdated):

    # newer versions go on top
    - version: "3.15.0"
      changes:
        - description: Map `crowdstrike.alert.detection_context` as flattened.
@kcreddy (Contributor):

I think we should also call this out in the changelog: new/unknown fields from the CrowdStrike API will now surface in the index (dynamically mapped) rather than being silently dropped, because this behavior change may lead to mapping explosion. WDYT?

@chrisberkhout (Contributor, Author):

Agreed. Done during rebase, as:

Map crowdstrike.alert.detection_context as flattened. Keep new/unknown alert fields under the crowdstrike.alert prefix.
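To make the pipeline shape described in the PR description and the mapping-explosion concern raised in the review above concrete, here is an added, illustrative sketch written for this page. It is not the CrowdStrike integration's actual fields.yml or ingest pipeline. The removed field names (`unmapped_field_a`, `unmapped_field_b`) and the `params.keep` allowlist are hypothetical placeholders, since the PR does not enumerate the fields it drops or would retain; the `script` processor is the Painless allowlist fallback the author offers as an alternative, not something the merged PR contains.

```yaml
# Added example, not the integration's own files. Names marked
# "hypothetical" are placeholders; the PR does not list them.

# --- fields.yml fragment ---
# detection_context has an unknown set of subfields, so it is mapped as a
# single flattened field: every leaf inside it is indexed as a keyword under
# one mapping entry, and new subkeys never add fields to the index mapping.
- name: crowdstrike.alert.detection_context
  type: flattened
  description: Detection context of the alert, as returned by the API.

---
# --- ingest pipeline fragment ---
processors:
  # Deserialize the raw alert straight into crowdstrike.alert.* instead of
  # parsing it elsewhere and renaming each field to its final destination.
  - json:
      field: event.original
      target_field: crowdstrike.alert
      tag: parse_alert

  # Known fields that are intentionally not kept in the vendor namespace are
  # dropped explicitly (hypothetical names). Anything else the API adds later
  # stays under crowdstrike.alert.* and is dynamically mapped.
  - remove:
      field:
        - crowdstrike.alert.unmapped_field_a
        - crowdstrike.alert.unmapped_field_b
      ignore_missing: true

  # Fallback the author mentions: retain only an allowlist of top-level keys
  # under crowdstrike.alert so unexpected payload keys can never grow the
  # mapping. Hypothetical allowlist in params.keep.
  - script:
      if: ctx.crowdstrike?.alert instanceof Map
      lang: painless
      tag: allowlist_alert_fields
      params:
        keep:
          - id
          - detection_context
      source: |
        def keep = params.keep;
        ctx.crowdstrike.alert.keySet().removeIf(k -> !keep.contains(k));
```

Two practitioner checks on this trade-off: with `flattened`, only `crowdstrike.alert.detection_context` counts against `index.mapping.total_fields.limit`, but its leaves are all keywords, so values inside it cannot be range-queried or aggregated numerically, and nesting deeper than the field's `depth_limit` (default 20) rejects the document. With the allowlist fallback, the mapping is bounded, but any new field the API introduces is dropped silently again, which is the behavior the changelog note above was added to warn about.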

@chrisberkhout chrisberkhout force-pushed the crowdstrike-alert-mapping-simplification branch 2 times, most recently from 13dee6e to 30d44f9 on April 16, 2026 14:30
@chrisberkhout chrisberkhout enabled auto-merge (squash) April 16, 2026 14:31
@chrisberkhout chrisberkhout force-pushed the crowdstrike-alert-mapping-simplification branch from 30d44f9 to 1c7cdda on April 17, 2026 08:56
@elasticmachine commented:

💚 Build Succeeded


cc @chrisberkhout

@chrisberkhout chrisberkhout merged commit 151ebf0 into elastic:main Apr 17, 2026
10 checks passed
@elastic-vault-github-plugin-prod commented:

Package crowdstrike - 3.15.0 containing this change is available at https://epr.elastic.co/package/crowdstrike/3.15.0/



4 participants