Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crowdstrike/fdr: Prevent ingesting documents without @timestamp #3484

Merged
merged 1 commit into from
Jun 13, 2022
Merged

crowdstrike/fdr: Prevent ingesting documents without @timestamp #3484

merged 1 commit into from
Jun 13, 2022

Conversation

adriansr
Copy link
Contributor

@adriansr adriansr commented Jun 8, 2022
edited
Loading

What does this PR do?

In some cases, FDR documents can lack the @timestamp field due to
missing timestamp source fields (timestamp/CreationTimestamp).

This adds support for the UTCTimestamp field and also adds a
last-chance processor to set @timestamp to the ingest timestamp in
case all fields are missing.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

@adriansr adriansr marked this pull request as ready for review June 8, 2022 11:07
@adriansr adriansr requested a review from a team as a code owner June 8, 2022 11:07
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine
Copy link

elasticmachine commented Jun 8, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-06-13T07:27:27.590+0000

  • Duration: 15 min 39 sec

Test stats 🧪

Test Results
Failed 0
Passed 13
Skipped 0
Total 13

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link

elasticmachine commented Jun 8, 2022
edited
Loading

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (2/2) 💚
Files 100.0% (9/9) 💚 3.546
Classes 100.0% (9/9) 💚 3.546
Methods 100.0% (53/53) 💚 10.707
Lines 95.099% (2639/2775) 👍 4.296
Conditionals 100.0% (0/0) 💚

@adriansr adriansr requested a review from andrewkroh June 9, 2022 08:40
andrewkroh
andrewkroh reviewed Jun 9, 2022
View reviewed changes
packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-notimestamp.log-expected.json Outdated
"@timestamp": "2022-06-08T10:59:53.840983900Z",
"crowdstrike": {
"AgentLoadFlags": "0",
"AgentLocalTime": "2021-11-09T05:47:19.952Z",
Copy link
Member

@andrewkroh andrewkroh Jun 9, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you consider using AgentLocalTime?

I think Time could also be considered (probably before the _ingest.timestamp). That is supposed to be the timestamp of when the event was received by CrowdStrike cloud. (docs are hard to come by and I don't know what type of event this is, but I'm looking at this page)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. For now I used AgentLocalTime. This covers all our samples.

@adriansr
crowdstrike/fdr: Add alternatives timestamps
f54c1dd 
In some cases, FDR documents can lack the `@timestamp` field due to
missing timestamp source fields (`timestamp`/`CreationTimestamp`).

This adds support for the `UTCTimestamp` field and also adds a
last-chance processor to set `@timestamp` to the ingest timestamp in
case all fields are missing.
@adriansr adriansr requested a review from andrewkroh June 13, 2022 07:55
@adriansr adriansr merged commit f3fa88e into elastic:main Jun 13, 2022
@andrewkroh andrewkroh mentioned this pull request Jun 22, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@adriansr @elasticmachine @andrewkroh