crowdstrike: add ignore_above for flattened fields

packages/crowdstrike/changelog.yml

@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "3.0.0"
+  changes:
+    - description: Add ignore_above for "Attributes" and "ResourceAttributes" flattened fields.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1
+    - description: Change "crowdstrike.event.ExecutablesWritten.Timestamp" field type to date.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/1
 - version: "2.10.1"
   changes:
     - description: Remove all constant keyword fields that have statically defined values.

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-common-config.yml

@@ -4,7 +4,6 @@ fields:
   tags:
     - preserve_original_event
 numeric_keyword_fields:
-  - crowdstrike.event.ExecutablesWritten.Timestamp
   - crowdstrike.event.MobileAppsDetails.IsBeingDebugged
   - crowdstrike.event.MobileAppsDetails.IsContainerized
   - crowdstrike.event.NetworkAccesses.AccessTimestamp

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json

@@ -415,22 +415,22 @@
                         {
                             "FileName": "NEURO_200_J1939Configuration.mexw64",
                             "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
-                            "Timestamp": 1595002290
+                            "Timestamp": "2020-07-17T16:11:30.000Z"
                         },
                         {
                             "FileName": "NEURO_200_J1939Configuration.mexw64",
                             "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
-                            "Timestamp": 1595002290
+                            "Timestamp": "2020-07-17T16:11:30.000Z"
                         },
                         {
                             "FileName": "NEURO_200_J1939CanPackMessage.mexw64",
                             "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
-                            "Timestamp": 1595002290
+                            "Timestamp": "2020-07-17T16:11:30.000Z"
                         },
                         {
                             "FileName": "NEURO_200_J1939CanPackMessage.mexw64",
                             "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
-                            "Timestamp": 1595002290
+                            "Timestamp": "2020-07-17T16:11:30.000Z"
                         }
                     ],
                     "GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe",

packages/crowdstrike/data_stream/falcon/_dev/test/system/test-logfile-config.yml

@@ -5,3 +5,5 @@ data_stream:
     preserve_original_event: true
     paths:
       - "{{SERVICE_LOGS_DIR}}/falcon-*.log"
+assert:
+  hit_count: 24

packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml

@@ -49,6 +49,24 @@ processors:
         - UNIX
       tag: date_process_end_time
       if: 'ctx.crowdstrike?.event?.ProcessEndTime != null && String.valueOf(ctx.crowdstrike.event.ProcessEndTime).length() <= 11'
+  - foreach:
+      field: crowdstrike.event.ExecutablesWritten
+      tag: convert_crowdstrike_executablewritten_timestamp_array
+      if: ctx.crowdstrike?.event?.ExecutablesWritten instanceof List
+      processor:
+        date:
+          field: _ingest._value.Timestamp
+          target_field: _ingest._value.Timestamp
+          formats:
+            - UNIX
+          tag: convert_crowdstrike_executablewritten_timestamp
+          on_failure:
+            - remove:
+                field: _ingest._value.Timestamp
+                ignore_failure: true
+            - append:
+                field: error.message
+                value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
   - rename:
       field: crowdstrike.event.LocalIP
       target_field: source.ip

packages/crowdstrike/data_stream/falcon/fields/fields.yml

@@ -91,7 +91,7 @@
         - name: FilePath
           type: keyword
         - name: Timestamp
-          type: keyword
+          type: date
     - name: FalconHostLink
       type: keyword
     - name: FileName
@@ -556,6 +556,7 @@
       type: flattened
       description: |
         A JSON blob with all resource attributes.
+      ignore_above: 1024
     - name: ResourceId
       type: keyword
       description: |
@@ -690,6 +691,7 @@
       type: flattened
       description: |
         JSON objects containing additional information about the event.
+      ignore_above: 1024
     - name: SessionId
       type: keyword
       description: |

packages/crowdstrike/data_stream/falcon/sample_event.json

@@ -1,84 +1,108 @@
 {
-    "@timestamp": "2023-11-02T13:41:34.000Z",
+    "@timestamp": "2020-02-12T21:29:10.000Z",
     "agent": {
-        "ephemeral_id": "8f4a039c-66d4-439c-a43f-c5a95f653dd4",
-        "id": "67072e92-576d-47d8-8a43-ebb347b4250b",
-        "name": "elastic-agent-93422",
+        "ephemeral_id": "71d3d06c-8406-4244-9dda-5bad540eacd9",
+        "id": "e2b3b238-ebf6-442c-9d42-99ab4b5fad8c",
+        "name": "elastic-agent-14370",
         "type": "filebeat",
-        "version": "8.18.1"
+        "version": "8.19.8"
     },
     "crowdstrike": {
         "event": {
-            "AgentIdString": "fffffffff33333",
-            "SessionId": "1111-fffff-4bb4-99c1-74c13cfc3e5a"
+            "AuditKeyValues": [
+                {
+                    "Key": "APIClientID",
+                    "ValueString": "1234567890abcdefghijklmnopqr"
+                },
+                {
+                    "Key": "partition",
+                    "ValueString": "0"
+                },
+                {
+                    "Key": "offset",
+                    "ValueString": "-1"
+                },
+                {
+                    "Key": "appId",
+                    "ValueString": "siem-connector-v2.0.0"
+                },
+                {
+                    "Key": "eventType",
+                    "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]"
+                }
+            ],
+            "OperationName": "streamStarted",
+            "Success": true
         },
         "metadata": {
-            "customerIDString": "abcabcabc22221",
-            "eventType": "RemoteResponseSessionStartEvent",
-            "offset": 1,
+            "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+            "eventType": "AuthActivityAuditEvent",
+            "offset": 0,
             "version": "1.0"
         }
     },
     "data_stream": {
         "dataset": "crowdstrike.falcon",
-        "namespace": "99576",
+        "namespace": "25260",
         "type": "logs"
     },
     "ecs": {
         "version": "8.17.0"
     },
     "elastic_agent": {
-        "id": "67072e92-576d-47d8-8a43-ebb347b4250b",
+        "id": "e2b3b238-ebf6-442c-9d42-99ab4b5fad8c",
         "snapshot": false,
-        "version": "8.18.1"
+        "version": "8.19.8"
     },
     "event": {
         "action": [
-            "remote_response_session_start_event"
+            "streamStarted"
         ],
         "agent_id_status": "verified",
         "category": [
-            "network",
-            "session"
+            "iam"
         ],
-        "created": "2023-11-02T13:41:34.000Z",
+        "created": "2020-02-12T21:29:10.710Z",
         "dataset": "crowdstrike.falcon",
-        "ingested": "2025-05-30T08:29:21Z",
+        "ingested": "2025-12-08T13:26:53Z",
         "kind": "event",
-        "original": "{\"event\":{\"AgentIdString\":\"fffffffff33333\",\"HostnameField\":\"UKCHUDL00206\",\"SessionId\":\"1111-fffff-4bb4-99c1-74c13cfc3e5a\",\"StartTimestamp\":1698932494,\"UserName\":\"[email protected]\"},\"metadata\":{\"customerIDString\":\"abcabcabc22221\",\"eventCreationTime\":1698932494000,\"eventType\":\"RemoteResponseSessionStartEvent\",\"offset\":1,\"version\":\"1.0\"}}",
-        "start": "2023-11-02T13:41:34.000Z",
-        "type": [
-            "start"
-        ]
-    },
-    "host": {
-        "name": "UKCHUDL00206"
+        "original": "{\n    \"metadata\": {\n        \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n        \"offset\": 0,\n        \"eventType\": \"AuthActivityAuditEvent\",\n        \"eventCreationTime\": 1581542950710,\n        \"version\": \"1.0\"\n    },\n    \"event\": {\n        \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n        \"UserIp\": \"10.10.0.8\",\n        \"OperationName\": \"streamStarted\",\n        \"ServiceName\": \"Crowdstrike Streaming API\",\n        \"Success\": true,\n        \"UTCTimestamp\": 1581542950,\n        \"AuditKeyValues\": [\n            {\n                \"Key\": \"APIClientID\",\n                \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n            },\n            {\n                \"Key\": \"partition\",\n                \"ValueString\": \"0\"\n            },\n            {\n                \"Key\": \"offset\",\n                \"ValueString\": \"-1\"\n            },\n            {\n                \"Key\": \"appId\",\n                \"ValueString\": \"siem-connector-v2.0.0\"\n            },\n            {\n                \"Key\": \"eventType\",\n                \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n            }\n        ]\n    }\n}",
+        "outcome": "success"
     },
     "input": {
-        "type": "streaming"
+        "type": "log"
+    },
+    "log": {
+        "file": {
+            "path": "/tmp/service_logs/falcon-audit-events.log"
+        },
+        "flags": [
+            "multiline"
+        ],
+        "offset": 910
     },
-    "message": "Remote response session started.",
+    "message": "Crowdstrike Streaming API",
     "observer": {
         "product": "Falcon",
         "vendor": "Crowdstrike"
     },
     "related": {
-        "hosts": [
-            "UKCHUDL00206"
+        "ip": [
+            "10.10.0.8"
         ],
         "user": [
-            "admin.rose",
-            "[email protected]"
+            "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz"
         ]
     },
+    "source": {
+        "ip": "10.10.0.8"
+    },
     "tags": [
         "preserve_original_event",
         "forwarded",
         "crowdstrike-falcon"
     ],
     "user": {
-        "domain": "example.com",
-        "email": "[email protected]",
-        "name": "admin.rose"
+        "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz"
     }
 }