Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Crowdstrike ingest pipeline wrongly creates process flattened fields. #27622

Closed
leandrojmp opened this issue Aug 27, 2021 · 2 comments · Fixed by #27623
Closed

[Filebeat] Crowdstrike ingest pipeline wrongly creates process flattened fields. #27622

leandrojmp opened this issue Aug 27, 2021 · 2 comments · Fixed by #27623
Assignees
@P1llus @r00tu53r

Comments

@leandrojmp
Copy link
Contributor

The Crowdstrike ingest pipeline has a script processor that creates the fields process.command_line, process.args and process.executable as flattened fields, with a dot in the name.

A secondary pipeline processor creates the fields process.pid, process.parent and process.name as nested fields.

The final document would have the following output for these fields:

{
    "process.args": "value for the field",
    "process.command_line": "value for the field",
    "process.executable": "value for the field",
    "process": {
        "name": "value for the field",
        "pid": "value for the field",
        "parent": {
            "executable": "value for the field",
            "command_line": "value for the field"
        }
    }
}

This is confusing and could lead to errors in queries or automated processes that expects that the fields args, command_line and executable to be nested inside the process object.

This is the expected output:

{
    "process": {
        "args": "value for the field",
        "command_line": "value for the field",
        "executable": "value for the field",
        "name": "value for the field",
        "pid": "value for the field",
        "parent": {
            "executable": "value for the field",
            "command_line": "value for the field"
        }
    }
}
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Aug 27, 2021
@leandrojmp leandrojmp mentioned this issue Aug 27, 2021
Merged
6 tasks
@leandrojmp leandrojmp changed the title [ Filebeat ] Crowdstrike ingest pipeline wrongly creates process flattened fields. [Filebeat] Crowdstrike ingest pipeline wrongly creates process flattened fields. Aug 30, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Aug 30, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@leandrojmp leandrojmp mentioned this issue Nov 23, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@P1llus P1llus

@r00tu53r r00tu53r

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[filebeat] fix crowdstrike ingest pipeline
6 participants
@ruflin @leandrojmp @andrewkroh @P1llus @elasticmachine @r00tu53r