
crowdstrike: preserve event_simpleName field in FDR pipeline #18196

Merged
efd6 merged 1 commit into elastic:main from efd6:s7057-crowdstrike on Apr 8, 2026

Conversation

@efd6 efd6 commented Apr 2, 2026

Proposed commit message

crowdstrike: preserve event_simpleName field in FDR pipeline

The FDR ingest pipeline renamed crowdstrike.event_simpleName into
event.action, destroying the source field. For registry, driver,
and *Written events, event.action is then overwritten with a
generic operation name (per TRaDe requirements), leaving the
original CrowdStrike event name inaccessible as a keyword field.

Change the rename to a copy so crowdstrike.event_simpleName
survives in the indexed document alongside event.action.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 self-assigned this Apr 2, 2026
@efd6 efd6 added the Integration:crowdstrike, bugfix and Team:Security-Service Integrations labels Apr 2, 2026
@efd6 efd6 force-pushed the s7057-crowdstrike branch from 62aa4bf to a408d17 on April 2, 2026 02:01
@efd6 efd6 force-pushed the s7057-crowdstrike branch from a408d17 to 7b6b8ee on April 2, 2026 06:53
github-actions bot commented Apr 2, 2026

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

Package crowdstrike 👍(6) 💚(2) 💔(2)

Data stream   Previous EPS   New EPS   Diff (EPS, %)          Result
falcon        5555.56        3127.93   -2427.63 (-43.7%)      💔
host          4444.44        3603.6    -840.84 (-18.92%)      💔

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @efd6

@efd6 efd6 marked this pull request as ready for review April 2, 2026 07:55
@efd6 efd6 requested a review from a team as a code owner April 2, 2026 07:55
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 requested a review from w0rk3r April 2, 2026 07:55
@andrewkroh andrewkroh added the documentation label Apr 2, 2026
@w0rk3r w0rk3r left a comment
LGTM as it seems to not affect the way we populate the event.action. An alternative would be to append to the field, as that would preserve both TRaDE values and the original ones.
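To make concrete what the commit message above describes (a rename removes crowdstrike.event_simpleName before the later overwrite of event.action, so the original event name is lost) and the alternative w0rk3r raises here (append, so both values survive), the following is an added Python model; it is not the crowdstrike integration's own pipeline code. It interprets three hand-written processor lists shaped like the Elasticsearch rename, set (with copy_from) and append processors. The is_registry_event predicate and the value "registry_modify" are assumptions standing in for the real Painless condition and TRaDe operation names, which this PR page does not show; the two input documents are constructed, not captured FDR data.

```python
"""Rename vs copy vs append for crowdstrike.event_simpleName -> event.action.

Added illustration for this PR, not the crowdstrike integration's own pipeline. The
processor lists are hand-written stand-ins shaped like Elasticsearch rename/set/append
processors; is_registry_event and "registry_modify" are assumptions (the page shows
neither the real Painless condition nor the TRaDe operation names).
"""
import copy


def _get(doc, path):
    """Read a dotted path; None if any segment is missing."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _set(doc, path, value):
    """Write a dotted path, creating intermediate objects."""
    *parents, leaf = path.split(".")
    cur = doc
    for key in parents:
        cur = cur.setdefault(key, {})
    cur[leaf] = value


def _delete(doc, path):
    *parents, leaf = path.split(".")
    parent = _get(doc, ".".join(parents)) if parents else doc
    if isinstance(parent, dict):
        parent.pop(leaf, None)


def run_pipeline(processors, event):
    """Tiny interpreter for rename / set (copy_from or value) / append.

    Option names mirror the real processors; "if" is a Python predicate standing in
    for a Painless condition. The input document is not mutated.
    """
    doc = copy.deepcopy(event)
    for proc in processors:
        kind, opts = next(iter(proc.items()))
        if "if" in opts and not opts["if"](doc):
            continue
        if kind == "rename":
            val = _get(doc, opts["field"])
            if val is None:
                if opts.get("ignore_missing"):
                    continue
                raise KeyError(opts["field"])
            _set(doc, opts["target_field"], val)
            _delete(doc, opts["field"])  # rename removes the source field
        elif kind == "set":
            val = _get(doc, opts["copy_from"]) if "copy_from" in opts else opts["value"]
            if val is None and opts.get("ignore_empty_value"):
                continue
            _set(doc, opts["field"], val)  # copy_from leaves the source field intact
        elif kind == "append":
            cur = _get(doc, opts["field"])
            vals = [] if cur is None else list(cur) if isinstance(cur, list) else [cur]
            _set(doc, opts["field"], vals + [opts["value"]])
        else:
            raise ValueError(f"unsupported processor: {kind}")
    return doc


def is_registry_event(doc):
    """Assumed stand-in for the pipeline's registry-event condition."""
    name = _get(doc, "event.action")
    return isinstance(name, str) and name.startswith("Reg")


GENERIC_REGISTRY_ACTION = "registry_modify"  # illustrative, not the real TRaDe value
SRC, DST = "crowdstrike.event_simpleName", "event.action"
OVERWRITE = {"set": {"field": DST, "value": GENERIC_REGISTRY_ACTION, "if": is_registry_event}}
APPEND = {"append": {"field": DST, "value": GENERIC_REGISTRY_ACTION, "if": is_registry_event}}
COPY = {"set": {"field": DST, "copy_from": SRC, "ignore_empty_value": True}}

# Original: rename, then overwrite event.action for registry events -> source name lost.
PIPELINE_BEFORE = [{"rename": {"field": SRC, "target_field": DST, "ignore_missing": True}}, OVERWRITE]
# Merged fix: copy instead of rename, so the source field survives the overwrite.
PIPELINE_AFTER = [COPY, OVERWRITE]
# Reviewer's alternative: append, so event.action holds both the original and generic name.
PIPELINE_APPEND = [COPY, APPEND]

# Constructed FDR-style documents (not captured data), reduced to the fields that matter.
REGISTRY_EVENT = {"crowdstrike": {"event_simpleName": "RegGenericValueUpdate"}}
PROCESS_EVENT = {"crowdstrike": {"event_simpleName": "ProcessRollup2"}}


def summarize(pipeline, event):
    """Return (crowdstrike.event_simpleName, event.action) after the pipeline runs."""
    out = run_pipeline(pipeline, event)
    return _get(out, SRC), _get(out, DST)


if __name__ == "__main__":
    for label, p in (("before", PIPELINE_BEFORE), ("after", PIPELINE_AFTER), ("append", PIPELINE_APPEND)):
        print(f"{label:>6}: registry={summarize(p, REGISTRY_EVENT)} process={summarize(p, PROCESS_EVENT)}")
```

Running it prints the three outcomes for the constructed registry and process events: with the original rename, crowdstrike.event_simpleName is gone in every case and the registry event's name is unrecoverable once the generic value overwrites event.action; with the merged copy, the source field keeps the original name beside the generic event.action; with append, event.action becomes a two-element array holding both, which rule authors should keep in mind since the field is then multi-valued.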

@efd6 efd6 merged commit e12a654 into elastic:main Apr 8, 2026
11 checks passed
@elastic-vault-github-plugin-prod

Package crowdstrike - 3.13.1 containing this change is available at https://epr.elastic.co/package/crowdstrike/3.13.1/
