Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix flattened process fields in default ingest pipeline #4709

Merged
merged 4 commits into from
Nov 29, 2022
Merged

fix flattened process fields in default ingest pipeline #4709

merged 4 commits into from
Nov 29, 2022

Conversation

leandrojmp
Copy link
Contributor

@leandrojmp leandrojmp commented Nov 23, 2022
edited
Loading

What does this PR do?

Fix the parse of flattened process fields in the default Falcon ingest pipeline.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@leandrojmp leandrojmp requested a review from a team as a code owner November 23, 2022 13:23
@elasticmachine
Copy link

elasticmachine commented Nov 23, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-11-29T12:52:12.780+0000

  • Duration: 16 min 58 sec

Test stats 🧪

Test Results
Failed 0
Passed 13
Skipped 0
Total 13

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

leandrojmp
leandrojmp commented Nov 28, 2022
View reviewed changes
Copy link
Contributor Author

@leandrojmp leandrojmp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed the pull request to use the suggested code.

packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved
efd6
efd6 reviewed Nov 29, 2022
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will need to have the test expectations updated. The diff for this is

diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json
index 2e0dfc996..bef0cf123 100644
--- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json
+++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json
@@ -85,14 +85,14 @@
             },
             "message": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
             "process": {
+                "args": [
+                    "C:\\Windows\\Explorer.EXE"
+                ],
+                "command_line": "C:\\Windows\\Explorer.EXE",
+                "executable": "C:\\Windows\\Explorer.EXE",
                 "name": "explorer.exe",
                 "pid": 38684386611
             },
-            "process.args": [
-                "C:\\Windows\\Explorer.EXE"
-            ],
-            "process.command_line": "C:\\Windows\\Explorer.EXE",
-            "process.executable": "C:\\Windows\\Explorer.EXE",
             "related": {
                 "hash": [
                     "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json
index 918cae671..df0299c3d 100644
--- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json
+++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json
@@ -512,6 +512,11 @@
             },
             "message": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.",
             "process": {
+                "args": [
+                    "\"C:\\ProgramData\\file\\path\\filename.exe\""
+                ],
+                "command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
+                "executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
                 "name": "filename.exe",
                 "parent": {
                     "command_line": "C:\\Windows\\Explorer.EXE",
@@ -519,11 +524,6 @@
                 },
                 "pid": 663790158277
             },
-            "process.args": [
-                "\"C:\\ProgramData\\file\\path\\filename.exe\""
-            ],
-            "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
-            "process.executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
             "related": {
                 "hash": [

packages/crowdstrike/changelog.yml Show resolved Hide resolved
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved
@andrewkroh
Copy link
Member

/test

@elasticmachine
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine
Copy link

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (2/2) 💚
Files 100.0% (9/9) 💚
Classes 100.0% (9/9) 💚
Methods 100.0% (53/53) 💚
Lines 95.127% (2655/2791)
Conditionals 100.0% (0/0) 💚

andrewkroh
andrewkroh approved these changes Nov 29, 2022
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@andrewkroh andrewkroh merged commit 188d92a into elastic:main Nov 29, 2022
@elasticmachine
Copy link

Package crowdstrike - 1.8.1 containing this change is available at https://epr.elastic.co/search?package=crowdstrike

@leandrojmp leandrojmp deleted the fix_crowdstrike_process_fields_parsing branch March 16, 2023 02:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 left review comments

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
Integration:crowdstrike CrowdStrike
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[ Crowdstrike Falcon ] Parse of process field is wrong.
4 participants
@leandrojmp @elasticmachine @andrewkroh @efd6