From 5631bff30b8ef539876f1b515ebe8125c50001cf Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Wed, 17 Apr 2024 19:49:14 +0930
Subject: [PATCH] sentinel_one_cloud_funnel: fix original data preservation for gcs (#9627)
---
 packages/sentinel_one_cloud_funnel/changelog.yml | 5 +++++
 .../data_stream/event/agent/stream/gcs.yml.hbs | 6 ++++++
 .../elasticsearch/ingest_pipeline/pipeline-registry.yml | 4 ++--
 packages/sentinel_one_cloud_funnel/manifest.yml | 2 +-
 4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/packages/sentinel_one_cloud_funnel/changelog.yml b/packages/sentinel_one_cloud_funnel/changelog.yml
index 43bfbfba90c..61c6a91c1ab 100644
--- a/packages/sentinel_one_cloud_funnel/changelog.yml
+++ b/packages/sentinel_one_cloud_funnel/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.14.1"
+  changes:
+    - description: Add missing event preservation template expansions for GCS input.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/9627
 - version: "0.14.0"
   changes:
     - description: Improve `event.type` and `event.action` mappings, fix missing `preserve_original_event` setting for GCS input.
diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/agent/stream/gcs.yml.hbs b/packages/sentinel_one_cloud_funnel/data_stream/event/agent/stream/gcs.yml.hbs
index f64ddd3b527..1fb54752f2f 100644
--- a/packages/sentinel_one_cloud_funnel/data_stream/event/agent/stream/gcs.yml.hbs
+++ b/packages/sentinel_one_cloud_funnel/data_stream/event/agent/stream/gcs.yml.hbs
@@ -32,6 +32,12 @@ timestamp_epoch: {{timestamp_epoch}}
 {{/if}}
 {{#if tags}}
 tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+  - preserve_duplicate_custom_fields
+{{/if}}
 {{#each tags as |tag|}}
   - {{tag}}
 {{/each}}
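Review bot: The two new `{{#if preserve_original_event}}` and `{{#if preserve_duplicate_custom_fields}}` blocks sit inside the pre-existing `{{#if tags}}` guard, so a policy that clears the `tags` list silently stops emitting the `preserve_original_event` tag even when that option is enabled; the `{{/if}}` that closes `{{#if tags}}` lies outside the hunk. Unless the package manifest pins a non-empty default for `tags` (not visible here), the safer shape is to emit `tags:` and the two preservation entries before the `{{#if tags}}` guard and keep only the `{{#each tags as |tag|}}` loop inside it. That reorder would leave a bare `tags:` key when all three options are unset, so it needs a check that the input tolerates an empty `tags` value. Either way, a template comment such as `{{!-- preservation tags must be emitted regardless of the user-supplied tags list --}}` above the block would record the intent for the next edit.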
diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-registry.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-registry.yml
index b205a0636df..7b6eb67432f 100644
--- a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-registry.yml
+++ b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-registry.yml
@@ -19,7 +19,7 @@ processors:
   - set:
       field: event.action
       value: [creation]
-      if: ctx.sentinel_one_cloud_funnel?.event?.type != null &&
+      if: ctx.sentinel_one_cloud_funnel?.event?.type != null &&
         (
           ctx.sentinel_one_cloud_funnel?.event?.meta_event_name.toLowerCase().contains('regvaluecreate') ||
           ctx.sentinel_one_cloud_funnel?.event?.meta_event_name.toLowerCase().contains('regkeycreate')
@@ -31,7 +31,7 @@ processors:
   - set:
       field: event.action
       value: [deletion]
-      if: ctx.sentinel_one_cloud_funnel?.event?.type != null &&
+      if: ctx.sentinel_one_cloud_funnel?.event?.type != null &&
         (
           ctx.sentinel_one_cloud_funnel?.event?.meta_event_name.toLowerCase().contains('regvaluedelete') ||
           ctx.sentinel_one_cloud_funnel?.event?.meta_event_name.toLowerCase().contains('regkeydelete')
diff --git a/packages/sentinel_one_cloud_funnel/manifest.yml b/packages/sentinel_one_cloud_funnel/manifest.yml
index bf4cf05e47c..f1d606e2e15 100644
--- a/packages/sentinel_one_cloud_funnel/manifest.yml
+++ b/packages/sentinel_one_cloud_funnel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: sentinel_one_cloud_funnel
 title: SentinelOne Cloud Funnel
-version: "0.14.0"
+version: "0.14.1"
 description: Collect logs from SentinelOne Cloud Funnel with Elastic Agent.
 type: integration
 categories: ["security", "edr_xdr"]