ti_crowdstrike.intel: Fix mapping of vulnerability field (elastic#14010)

ti_crowdstrike.intel: Copy vulnerabilities into vulnerability.id instead of vulnerability.category.

The raw data and API documentation indicates vulnerabilities field
contains an array of "CVE-" numbers. It is incorrectly mapped to
vulnerability.category. Fix the mapping by copying vulnerabilities 
field into vulnerability.id instead.

Updated pipeline and system test sample logs accordingly.

Author: kcreddy

packages/ti_crowdstrike/_dev/deploy/docker/files/config.yml

@@ -115,7 +115,8 @@ rules:
                           "InformationStealer"
                       ],
                       "vulnerabilities": [
-                          "vuln"
+                          "CVE-2020-14882",
+                          "CVE-2021-41773"
                       ]
                   }
               ]
@@ -217,7 +218,8 @@ rules:
                           "CredentialHarvesting"
                       ],
                       "vulnerabilities": [
-                          "vuln"
+                          "CVE-2020-14882",
+                          "CVE-2021-41773"
                       ]
                   }
               ]

packages/ti_crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.4.3"
+  changes:
+    - description: Copy `ti_crowdstrike.intel.vulnerabilities` into `vulnerability.id` instead of `vulnerability.category`.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14010
 - version: "2.4.2"
   changes:
     - description: Fix default request trace enabled behavior.

packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log

@@ -401,7 +401,7 @@ processors:
       if: ctx.ti_crowdstrike?.intel?.vulnerabilities instanceof List
       processor:
         append:
-          field: vulnerability.category
+          field: vulnerability.id
           tag: append_vulnerabilities_into_vulnerability-category
           value: '{{{_ingest._value}}}'
           allow_duplicates: false

packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json

@@ -1,24 +1,24 @@
 {
     "@timestamp": "2023-11-21T06:16:01.000Z",
     "agent": {
-        "ephemeral_id": "6d3e7b87-a3f6-47b1-81a5-0264e901b3f9",
-        "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "0a4081d5-cebd-4aa5-88f3-4056061d594d",
+        "id": "0845386f-5916-4313-8f9d-2690b283c317",
+        "name": "elastic-agent-91284",
         "type": "filebeat",
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "ti_crowdstrike.intel",
-        "namespace": "36922",
+        "namespace": "57429",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a",
+        "id": "0845386f-5916-4313-8f9d-2690b283c317",
         "snapshot": false,
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "event": {
         "agent_id_status": "verified",
@@ -27,9 +27,9 @@
         ],
         "dataset": "ti_crowdstrike.intel",
         "id": "hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d",
-        "ingested": "2024-08-01T08:31:15Z",
+        "ingested": "2025-05-27T04:25:28Z",
         "kind": "enrichment",
-        "original": "{\"_marker\":\"17005473618d17ae6353d123235e4158c5c81f25f0\",\"actors\":[\"SALTYSPIDER\"],\"deleted\":false,\"domain_types\":[\"abc.com\"],\"id\":\"hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"indicator\":\"c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"ip_address_types\":[\"81.2.69.192\"],\"kill_chains\":[\"Installation\",\"C2\"],\"labels\":[{\"created_on\":1700547356,\"last_valid_on\":1700547360,\"name\":\"MaliciousConfidence/High\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"Malware/Mofksys\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/Commodity\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/CredentialHarvesting\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/InformationStealer\"}],\"last_updated\":1700547361,\"malicious_confidence\":\"high\",\"malware_families\":[\"Mofksys\"],\"published_date\":1700547356,\"relations\":[{\"created_date\":1700547339,\"id\":\"domain.com.yy\",\"indicator\":\"domain.ds\",\"last_valid_date\":1700547339,\"type\":\"domain\"},{\"created_date\":1700547339,\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"last_valid_date\":1700547339,\"type\":\"domain\"}],\"reports\":[\"reports\"],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"type\":\"hash_sha256\",\"vulnerabilities\":[\"vuln\"]}",
+        "original": "{\"_marker\":\"17005473618d17ae6353d123235e4158c5c81f25f0\",\"actors\":[\"SALTYSPIDER\"],\"deleted\":false,\"domain_types\":[\"abc.com\"],\"id\":\"hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"indicator\":\"c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"ip_address_types\":[\"81.2.69.192\"],\"kill_chains\":[\"Installation\",\"C2\"],\"labels\":[{\"created_on\":1700547356,\"last_valid_on\":1700547360,\"name\":\"MaliciousConfidence/High\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"Malware/Mofksys\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/Commodity\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/CredentialHarvesting\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/InformationStealer\"}],\"last_updated\":1700547361,\"malicious_confidence\":\"high\",\"malware_families\":[\"Mofksys\"],\"published_date\":1700547356,\"relations\":[{\"created_date\":1700547339,\"id\":\"domain.com.yy\",\"indicator\":\"domain.ds\",\"last_valid_date\":1700547339,\"type\":\"domain\"},{\"created_date\":1700547339,\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"last_valid_date\":1700547339,\"type\":\"domain\"}],\"reports\":[\"reports\"],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"type\":\"hash_sha256\",\"vulnerabilities\":[\"CVE-2020-14882\",\"CVE-2021-41773\"]}",
         "type": [
             "indicator"
         ]
@@ -147,13 +147,15 @@
             "type": "hash_sha256",
             "value": "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d",
             "vulnerabilities": [
-                "vuln"
+                "CVE-2020-14882",
+                "CVE-2021-41773"
             ]
         }
     },
     "vulnerability": {
-        "category": [
-            "vuln"
+        "id": [
+            "CVE-2020-14882",
+            "CVE-2021-41773"
         ]
     }
-}
+}

packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml

@@ -101,24 +101,24 @@ An example event for `intel` looks as following:
 {
     "@timestamp": "2023-11-21T06:16:01.000Z",
     "agent": {
-        "ephemeral_id": "6d3e7b87-a3f6-47b1-81a5-0264e901b3f9",
-        "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "0a4081d5-cebd-4aa5-88f3-4056061d594d",
+        "id": "0845386f-5916-4313-8f9d-2690b283c317",
+        "name": "elastic-agent-91284",
         "type": "filebeat",
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "ti_crowdstrike.intel",
-        "namespace": "36922",
+        "namespace": "57429",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "36b03887-7783-4bc4-b8c5-6f8997e4cd1a",
+        "id": "0845386f-5916-4313-8f9d-2690b283c317",
         "snapshot": false,
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "event": {
         "agent_id_status": "verified",
@@ -127,9 +127,9 @@ An example event for `intel` looks as following:
         ],
         "dataset": "ti_crowdstrike.intel",
         "id": "hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d",
-        "ingested": "2024-08-01T08:31:15Z",
+        "ingested": "2025-05-27T04:25:28Z",
         "kind": "enrichment",
-        "original": "{\"_marker\":\"17005473618d17ae6353d123235e4158c5c81f25f0\",\"actors\":[\"SALTYSPIDER\"],\"deleted\":false,\"domain_types\":[\"abc.com\"],\"id\":\"hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"indicator\":\"c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"ip_address_types\":[\"81.2.69.192\"],\"kill_chains\":[\"Installation\",\"C2\"],\"labels\":[{\"created_on\":1700547356,\"last_valid_on\":1700547360,\"name\":\"MaliciousConfidence/High\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"Malware/Mofksys\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/Commodity\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/CredentialHarvesting\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/InformationStealer\"}],\"last_updated\":1700547361,\"malicious_confidence\":\"high\",\"malware_families\":[\"Mofksys\"],\"published_date\":1700547356,\"relations\":[{\"created_date\":1700547339,\"id\":\"domain.com.yy\",\"indicator\":\"domain.ds\",\"last_valid_date\":1700547339,\"type\":\"domain\"},{\"created_date\":1700547339,\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"last_valid_date\":1700547339,\"type\":\"domain\"}],\"reports\":[\"reports\"],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"type\":\"hash_sha256\",\"vulnerabilities\":[\"vuln\"]}",
+        "original": "{\"_marker\":\"17005473618d17ae6353d123235e4158c5c81f25f0\",\"actors\":[\"SALTYSPIDER\"],\"deleted\":false,\"domain_types\":[\"abc.com\"],\"id\":\"hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"indicator\":\"c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"ip_address_types\":[\"81.2.69.192\"],\"kill_chains\":[\"Installation\",\"C2\"],\"labels\":[{\"created_on\":1700547356,\"last_valid_on\":1700547360,\"name\":\"MaliciousConfidence/High\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"Malware/Mofksys\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/Commodity\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/CredentialHarvesting\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/InformationStealer\"}],\"last_updated\":1700547361,\"malicious_confidence\":\"high\",\"malware_families\":[\"Mofksys\"],\"published_date\":1700547356,\"relations\":[{\"created_date\":1700547339,\"id\":\"domain.com.yy\",\"indicator\":\"domain.ds\",\"last_valid_date\":1700547339,\"type\":\"domain\"},{\"created_date\":1700547339,\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"last_valid_date\":1700547339,\"type\":\"domain\"}],\"reports\":[\"reports\"],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"type\":\"hash_sha256\",\"vulnerabilities\":[\"CVE-2020-14882\",\"CVE-2021-41773\"]}",
         "type": [
             "indicator"
         ]
@@ -247,13 +247,15 @@ An example event for `intel` looks as following:
             "type": "hash_sha256",
             "value": "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d",
             "vulnerabilities": [
-                "vuln"
+                "CVE-2020-14882",
+                "CVE-2021-41773"
             ]
         }
     },
     "vulnerability": {
-        "category": [
-            "vuln"
+        "id": [
+            "CVE-2020-14882",
+            "CVE-2021-41773"
         ]
     }
 }

packages/ti_crowdstrike/data_stream/intel/sample_event.json

@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_crowdstrike
 title: CrowdStrike Falcon Intelligence
-version: "2.4.2"
+version: "2.4.3"
 description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent.
 type: integration
 categories: