[Crowdstrike Falcon] Fix parse of CommandLine in Falcon pipeline (elastic#4758)

sakurai-youhei · web-flow · commit f240fef0ef8d · 2022-12-06T10:04:20.000+09:00
* Fix parse of CommandLine in Falcon pipeline Closes elastic#4746 * Bump up the version * Revert the test case * Add a new test case
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.8.2"
+  changes:
+    - description: Fix parse of CommandLine in Falcon pipeline
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4758
 - version: "1.8.1"
   changes:
     - description: Fix parse of flattened `process` fields in Falcon data stream.
diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-commandline.log b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-commandline.log
@@ -0,0 +1,5 @@
+{
+    "event": {
+        "CommandLine": "here are two spaces->  <-. see https://github.com/elastic/integrations/issues/4746"
+    }
+}
diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-commandline.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-commandline.log-expected.json
@@ -0,0 +1,34 @@
+{
+    "expected": [
+        {
+            "crowdstrike": {
+                "event": {
+                    "CommandLine": "here are two spaces->  <-. see https://github.com/elastic/integrations/issues/4746"
+                }
+            },
+            "ecs": {
+                "version": "8.5.0"
+            },
+            "event": {
+                "original": "{\n    \"event\": {\n        \"CommandLine\": \"here are two spaces->  <-. see https://github.com/elastic/integrations/issues/4746\"\n    }\n}",
+                "outcome": "unknown"
+            },
+            "process": {
+                "args": [
+                    "here",
+                    "are",
+                    "two",
+                    "spaces->",
+                    "<-.",
+                    "see",
+                    "https://github.com/elastic/integrations/issues/4746"
+                ],
+                "command_line": "here are two spaces->  <-. see https://github.com/elastic/integrations/issues/4746",
+                "executable": "here"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
@@ -309,7 +309,7 @@ processors:
           commandLine = commandLine.trim();
 
           if (commandLine != "") {
-            def args = Arrays.asList(/ /.split(commandLine));
+            def args = new ArrayList(Arrays.asList(/ /.split(commandLine)));
             args.removeIf(arg -> arg == "");
 
             ctx.process = [
diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.8.1"
+version: "1.8.2"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: 1.0.0

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +{
 +    "event": {
 +        "CommandLine": "here are two spaces->  <-. see https://github.com/elastic/integrations/issues/4746"
 +    }
 +}