
Conversation

chemamartinez
Contributor

Proposed commit message

The following error appears:

```
failed to parse field [crowdstrike.User] of type [keyword] in document with id '[doc_id]'. Preview of field's value: '{Name=[user]}'
```

when a CrowdStrike FDR event contains the following set of fields:

```json
{
  "Policy": { "RuleGroupName": "[name]", "RuleBasePath": "[path]", "Name": "[name]" },
  "eid": "[eid]",
  "User": { "Name": "[user]" },
  "Prevalence": { "Key": "[KEY]" },
  "CustomerIdString": "[id]",
  "EventUUID": "[id]",
  "EventType": "Event_ExternalApiEvent",
  "Suppression": { "Suppressed": false },
  "UTCTimestamp": 1756291914047,
  "Host": { "Name": "[host]" },
  "ContentDiff": { "SHA256": "", "Exists": false },
  "ExternalApiType": "Event_FileIntegrityMonitorRuleMatchedEnriched",
  "ChangeId": "[id]",
  "Nonce": "num",
  "AgentIdString": "[id]",
  "cid": "[id]",
  "timestamp": "2025-08-27T10:51:54Z"
}
```

`crowdstrike.User.Name` is not processed, so it conflicts when ingesting the event, as `crowdstrike.User` is expected to be a keyword.

This PR renames the `crowdstrike.User.Name` field to `user.name`.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

@chemamartinez chemamartinez self-assigned this Sep 10, 2025
@chemamartinez chemamartinez added Integration:crowdstrike CrowdStrike bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Sep 10, 2025
@chemamartinez chemamartinez force-pushed the crowdstrike-fdr-fix-mapping-user-field branch 2 times, most recently from ae62592 to c5d8edf Compare September 10, 2025 15:40
@chemamartinez chemamartinez force-pushed the crowdstrike-fdr-fix-mapping-user-field branch from c5d8edf to 3b0ac34 Compare September 11, 2025 08:00
@elasticmachine

💚 Build Succeeded

cc @chemamartinez

@chemamartinez chemamartinez marked this pull request as ready for review September 11, 2025 08:57
@chemamartinez chemamartinez requested a review from a team as a code owner September 11, 2025 08:57
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@chrisberkhout chrisberkhout (Contributor) left a comment

Good 👍

I was wondering what happens to the `crowdstrike.User: {}` wrapper, but that's cleaned up by the remove-nulls script at the end.
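To make the mapping conflict in the PR description and the wrapper cleanup in the review comment concrete, here is an added Python example (not code from the crowdstrike integration, from this PR, or from its author). It simulates, on a constructed copy of the quoted FDR event, a mapping check that reproduces the "failed to parse field [crowdstrike.User] of type [keyword]" condition, a rename step mirroring the ingest `rename` processor, and an approximation of the remove-nulls cleanup. The `MAPPING` dict is a hypothetical slice of the index mapping containing only the two fields this PR touches, and `remove_empty` is an assumed approximation of the integration's script, not its Painless source.

```python
"""Added example (not code from the crowdstrike integration or this PR):
reproduces the keyword-vs-object conflict on a constructed copy of the event
quoted in the PR, then applies the fix (rename crowdstrike.User.Name to
user.name) and a remove-nulls style cleanup that drops the empty wrapper."""
import copy

# Constructed sample, trimmed from the FDR event quoted in the PR description.
# The integration's pipeline sees the decoded JSON under the "crowdstrike" object.
SAMPLE_EVENT = {
    "crowdstrike": {
        "Policy": {"RuleGroupName": "[name]", "RuleBasePath": "[path]", "Name": "[name]"},
        "User": {"Name": "[user]"},
        "Host": {"Name": "[host]"},
        "Suppression": {"Suppressed": False},
        "ContentDiff": {"SHA256": "", "Exists": False},
        "EventType": "Event_ExternalApiEvent",
        "ExternalApiType": "Event_FileIntegrityMonitorRuleMatchedEnriched",
        "timestamp": "2025-08-27T10:51:54Z",
    }
}

# Hypothetical slice of the index mapping (dotted field path -> field type).
# Only the two fields this PR touches are listed; the PR states that
# crowdstrike.User is expected to be a keyword.
MAPPING = {
    "crowdstrike.User": "keyword",
    "user.name": "keyword",
}

EMPTY = (None, "", {}, [])


def _walk(node, prefix=""):
    """Yield (dotted path, value) for every field in a nested document."""
    if isinstance(node, dict):
        for key, child in node.items():
            path = f"{prefix}.{key}" if prefix else key
            yield path, child
            yield from _walk(child, path)


def find_mapping_conflicts(doc, mapping):
    """Return dotted paths whose mapped type is keyword but whose value is an
    object. This is the shape of the error in the PR description. The detector
    treats an empty object the same way, which is the wrapper the reviewer
    asked about."""
    return [path for path, value in _walk(doc)
            if mapping.get(path) == "keyword" and isinstance(value, dict)]


def rename_field(doc, source, target):
    """Mimic the ingest `rename` processor: move the value at dotted path
    `source` to `target`, creating intermediate objects and refusing to
    overwrite an existing target. Modifies and returns `doc`."""
    src_keys = source.split(".")
    parent = doc
    for key in src_keys[:-1]:
        parent = parent[key]            # KeyError if missing (no ignore_missing)
    value = parent.pop(src_keys[-1])    # the now-empty parent object stays behind
    tgt_keys = target.split(".")
    node = doc
    for key in tgt_keys[:-1]:
        node = node.setdefault(key, {})
    if tgt_keys[-1] in node:
        raise ValueError(f"target field [{target}] already exists")
    node[tgt_keys[-1]] = value
    return doc


def remove_empty(node):
    """Assumed approximation of the remove-nulls cleanup: drop null, empty
    string and empty container values bottom-up, so that {"User": {}}
    disappears once its only child has been renamed away."""
    if isinstance(node, dict):
        cleaned = {k: remove_empty(v) for k, v in node.items()}
        return {k: v for k, v in cleaned.items() if v not in EMPTY}
    if isinstance(node, list):
        cleaned = [remove_empty(v) for v in node]
        return [v for v in cleaned if v not in EMPTY]
    return node


def rename_only(event):
    """The rename step alone, on a copy: shows the empty wrapper it leaves."""
    return rename_field(copy.deepcopy(event), "crowdstrike.User.Name", "user.name")


def process_event(event):
    """Rename plus cleanup, on a copy: the document the fixed pipeline emits."""
    return remove_empty(rename_only(event))


if __name__ == "__main__":
    print("before fix:        ", find_mapping_conflicts(SAMPLE_EVENT, MAPPING))
    print("rename only:       ", find_mapping_conflicts(rename_only(SAMPLE_EVENT), MAPPING))
    print("rename + cleanup:  ", find_mapping_conflicts(process_event(SAMPLE_EVENT), MAPPING))
```

Running it shows why the reviewer's question matters: after the rename alone, `crowdstrike.User` is still present as an empty object and the detector still flags it; only after the cleanup step does the document carry `user.name` with no `crowdstrike.User` field at all. Note that the cleanup keeps `false` values such as `Suppression.Suppressed`, while dropping the empty `ContentDiff.SHA256` string.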

@chemamartinez chemamartinez merged commit cb79853 into elastic:main Sep 11, 2025
9 checks passed
@chemamartinez chemamartinez deleted the crowdstrike-fdr-fix-mapping-user-field branch September 11, 2025 12:15
@elastic-vault-github-plugin-prod

Package crowdstrike - 2.2.1 containing this change is available at https://epr.elastic.co/package/crowdstrike/2.2.1/
