From 31fe5f3a1f3183c2338f089cac741e553d5ce0cd Mon Sep 17 00:00:00 2001 From: Leandro Maciel Date: Thu, 26 Aug 2021 23:03:56 -0300 Subject: [PATCH 1/4] fix: fix crowdstrike ingest pipeline fix process fields that were being created as flattened fields --- .../filebeat/module/crowdstrike/falcon/ingest/pipeline.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml index 7e7efe5cd745..9aeb653b4888 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml @@ -284,9 +284,10 @@ processors: def args = Arrays.asList(/ /.split(commandLine)); args.removeIf(arg -> arg == ""); - ctx["process.command_line"] = commandLine; - ctx["process.args"] = args; - ctx["process.executable"] = args.get(0); + ctx['process'] = new HashMap(); + ctx.process.command_line = commandLine; + ctx.process.args = args; + ctx.process.executable = args.get(0); } } - pipeline: From 1810af22ae6ae24f393a44b6e14aa63516ae02f3 Mon Sep 17 00:00:00 2001 From: Leandro Maciel Date: Wed, 1 Sep 2021 10:08:15 -0300 Subject: [PATCH 2/4] docs: add line to changelog.next added line about the pr in the changelog.next file --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index c7374637883b..0958ca676f81 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
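Review bot: `ctx['process'] = new HashMap();` unconditionally replaces any existing `process` object, so if an earlier processor in this pipeline has already populated `process.*` fields (not visible in the hunk) they are silently dropped before the command-line fields are set; guarding the creation with `if (ctx.process == null) { ctx.process = new HashMap(); }` keeps the flattened-field fix without discarding data that detections may rely on. The rewritten `ctx.process.executable = args.get(0);` still throws when `args` is empty (a `commandLine` that is empty or whitespace-only after the `removeIf`), which fails the whole document rather than just leaving the field unset; `if (!args.isEmpty()) { ctx.process.executable = args.get(0); }` would avoid that. It also looks like `Arrays.asList` yields a fixed-size list, so `args.removeIf(...)` may raise `UnsupportedOperationException` the first time it actually removes a blank token — worth confirming under Painless and wrapping in `new ArrayList(...)` if so. The enclosing script block starts before the hunk.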
@@ -82,6 +82,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - threatintel module: Changed the type of `threatintel.indicator.first_seen` from `keyword` to `date`. {pull}26765[26765] - Remove all alias fields pointing to ECS fields from modules. This affects the Suricata and Traefik modules. {issue}10535[10535] {pull}26627[26627] - Add option for S3 input to work without SQS notification {issue}18205[18205] {pull}27332[27332] +- Fix crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27623[27623] *Heartbeat* - Remove long deprecated `watch_poll` functionality. {pull}27166[27166] From de9d2057bd932c68964e1fd7c97dd3da095b86ba Mon Sep 17 00:00:00 2001 From: Leandro Maciel Date: Wed, 1 Sep 2021 10:11:23 -0300 Subject: [PATCH 3/4] docs: add links in changelog corrected the links to the issue and pr in changelog --- CHANGELOG.next.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 0958ca676f81..43ed4202adae 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -82,7 +82,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - threatintel module: Changed the type of `threatintel.indicator.first_seen` from `keyword` to `date`. {pull}26765[26765] - Remove all alias fields pointing to ECS fields from modules. This affects the Suricata and Traefik modules. {issue}10535[10535] {pull}26627[26627] - Add option for S3 input to work without SQS notification {issue}18205[18205] {pull}27332[27332] -- Fix crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27623[27623] +- Fix crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27622[27622] {pull}27623[27623] *Heartbeat* - Remove long deprecated `watch_poll` functionality. {pull}27166[27166] From 1b277eb3ce1c4a04b75b4ca84c218509ae3e21c8 Mon Sep 17 00:00:00 2001 
From: Leandro Maciel Date: Wed, 1 Sep 2021 12:54:50 -0300 Subject: [PATCH 4/4] Update CHANGELOG.next.asciidoc Fixed capitalization. --- CHANGELOG.next.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 43ed4202adae..93b51f0c81a8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -82,7 +82,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - threatintel module: Changed the type of `threatintel.indicator.first_seen` from `keyword` to `date`. {pull}26765[26765] - Remove all alias fields pointing to ECS fields from modules. This affects the Suricata and Traefik modules. {issue}10535[10535] {pull}26627[26627] - Add option for S3 input to work without SQS notification {issue}18205[18205] {pull}27332[27332] -- Fix crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27622[27622] {pull}27623[27623] +- Fix Crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27622[27622] {pull}27623[27623] *Heartbeat* - Remove long deprecated `watch_poll` functionality. {pull}27166[27166]