crowdstrike: parse command line to populate process name in FDR logs (#15646)

This handles a special case occurs in Linux-based containerized environments
when the "runc" process clones itself to get into its own namespace.
The child process would have its executable path set to "/"
which was resulting in "process.name" being empty.

This change adds command line parsing to extract "process.name"
when "process.executable" is set to a slash ("/").

Adds fields definition for ChangeTime, OciContainerId and RootPath.

Author: navnit-elastic

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.6.0"
+  changes:
+    - description: Add a fallback parsing command_line to populate the process name in the FDR data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15646
 - version: "2.5.2"
   changes:
     - description: Add `event.category` and `event.type` fields to process data in alerts.

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log

@@ -2,3 +2,4 @@
 {"event_simpleName":"CriticalFileAccessed","ContextTimeStamp":"1757157936.727","GID":"0","ConfigStateHash":"1061106086","ContextProcessId":"1096090950008222800","ContextThreadId":"0","aip":"89.160.20.128","ConfigBuild":"2c8b.2.3366c72.4f","UID":"0","event_platform":"Lin","UnixMode":"61960","Entitlements":"26","name":"1532ae7e2a105adcc6ddbcf67","EventOrigin":"1","id":"01a3b1d4aa10d5329aef78ba9d3ec56f6d97","EffectiveTransmissionClass":"2","aid":"37b562b807a27cfb58dda71ec9a7eb22","timestamp":"1743508799999","cid":"4092825518eaf67377a6e4492ae44577","TargetFileName":"/812/0bb09d"}
 {"CapPrm":"3800192030037","ParentProcessId":"8081349242194000050","SourceProcessId":"8081349242194000050","aip":"81.2.69.192","SessionProcessId":"4102020000109002000","SyntheticPR2Flags":"4","event_platform":"Lin","ProcessEndTime":"1745972888.297","SVUID":"0","EventOrigin":"45","id":"fb9bd5f0314e46ce785f479aed8f3032fcd9","EffectiveTransmissionClass":"2","timestamp":"1743508799999","ProcessGroupId":"7001610480104066706","event_simpleName":"SyntheticProcessRollup2","RawProcessId":"8905032","ContextTimeStamp":"1752350302.359","GID":"0","ConfigStateHash":"5001020160","SVGID":"0","ConfigBuild":"2c8b.2.3366c72.4f","UID":"0","CommandLine":"e7f8eac7d","TargetProcessId":"6059002040716020903","ImageFileName":"/501e","RGID":"0","SourceThreadId":"0","Entitlements":"56","name":"4f32166a22f49735247598b45006","ProcessStartTime":"1745953229.264","RUID":"0","aid":"8c687fb6b1e8231200c77ef5e3175d0e","cid":"4092825518eaf67377a6e4492ae44577"}
 {"event_simpleName":"TerminateProcess","RawProcessId":"1070050","ContextTimeStamp":"1751300030.984","ConfigStateHash":"8001020160","ContextProcessId":"9960000700989070560","ContextThreadId":"0","aip":"89.160.20.128","ConfigBuild":"2c8b.2.3366c72.4f","event_platform":"Lin","TargetProcessId":"6960000700989070560","Entitlements":"36","name":"6b1c662a760f5ed9750d4","EventOrigin":"1","id":"3e71b26395f4386bcb6602ee6777bb5f3124","EffectiveTransmissionClass":"2","aid":"12111f24f25a2a99438b40765c236577","timestamp":"1743508799999","cid":"4092825518eaf67377a6e4492ae44577"}
+{"ChangeTime":"1731329600.968","OciContainerId":"sw345tf5e3455r7dw32w23t6t7fde34ed345rfe45rf0ew4fd","CapPrm":"123438954321","ParentProcessId":"12347782548906","SourceProcessId":"12347782548906","aip":"89.160.20.128","SessionProcessId":"1234915117961","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Lin","ProcessEndTime":"1760406073.595","SVUID":"0","ParentBaseFileName":"runc","EventOrigin":"17","id":"1w23e4r-d03e-4003-bc75-71c6e819ca5f","EffectiveTransmissionClass":"2","Tags":"874, 17179870274, 12094627905582, 12094627906234, 212205744162400","timestamp":"1760406074201","ProcessGroupId":"1234915117961","LocalAddressIP4":"0.0.0.0","event_simpleName":"ProcessRollup2","RawProcessId":"1234","RootPath":"/","GID":"0","ConfigStateHash":"1026580567","UserName":"root","SVGID":"0","MD5HashData":"88922d50263b059696c2af5a99906562","SHA256HashData":"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6","ConfigBuild":"1007.4.0013701.1","UID":"0","CommandLine":"runc init","TargetProcessId":"12347783237538","ImageFileName":"/","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2LinV12","RUID":"0","ProcessStartTime":"1760406073.568","ComputerName":"comp2","aid":"ffffffff62714a708030d494ca0a7e60","cid":"ffffffff15754bcfb5f9152ec7ac90ac"}

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log-expected.json

@@ -387,6 +387,170 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2025-10-14T01:41:14.201Z",
+            "crowdstrike": {
+                "CapPrm": "123438954321",
+                "ChangeTime": "2024-11-11T12:53:20.968Z",
+                "ConfigStateHash": "1026580567",
+                "EffectiveTransmissionClass": "2",
+                "Entitlements": "15",
+                "EventOrigin": "17",
+                "LocalAddressIP4": [
+                    "0.0.0.0"
+                ],
+                "MD5HashData": "88922d50263b059696c2af5a99906562",
+                "OciContainerId": "sw345tf5e3455r7dw32w23t6t7fde34ed345rfe45rf0ew4fd",
+                "RGID": "0",
+                "RUID": "0",
+                "RootPath": "/",
+                "SHA256HashData": "d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6",
+                "SVGID": "0",
+                "SVUID": "0",
+                "SessionProcessId": "1234915117961",
+                "SourceProcessId": "12347782548906",
+                "SourceThreadId": "0",
+                "Tags": [
+                    "874",
+                    "17179870274",
+                    "12094627905582",
+                    "12094627906234",
+                    "212205744162400"
+                ],
+                "cid": "ffffffff15754bcfb5f9152ec7ac90ac",
+                "id": "1w23e4r-d03e-4003-bc75-71c6e819ca5f",
+                "name": "ProcessRollup2LinV12"
+            },
+            "device": {
+                "id": "ffffffff62714a708030d494ca0a7e60"
+            },
+            "event": {
+                "action": "ProcessRollup2",
+                "category": [
+                    "process"
+                ],
+                "created": "2025-10-14T01:41:14.201Z",
+                "id": "1w23e4r-d03e-4003-bc75-71c6e819ca5f|ffffffff62714a708030d494ca0a7e60|ffffffff15754bcfb5f9152ec7ac90ac",
+                "kind": "event",
+                "original": "{\"ChangeTime\":\"1731329600.968\",\"OciContainerId\":\"sw345tf5e3455r7dw32w23t6t7fde34ed345rfe45rf0ew4fd\",\"CapPrm\":\"123438954321\",\"ParentProcessId\":\"12347782548906\",\"SourceProcessId\":\"12347782548906\",\"aip\":\"89.160.20.128\",\"SessionProcessId\":\"1234915117961\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"event_platform\":\"Lin\",\"ProcessEndTime\":\"1760406073.595\",\"SVUID\":\"0\",\"ParentBaseFileName\":\"runc\",\"EventOrigin\":\"17\",\"id\":\"1w23e4r-d03e-4003-bc75-71c6e819ca5f\",\"EffectiveTransmissionClass\":\"2\",\"Tags\":\"874, 17179870274, 12094627905582, 12094627906234, 212205744162400\",\"timestamp\":\"1760406074201\",\"ProcessGroupId\":\"1234915117961\",\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"1234\",\"RootPath\":\"/\",\"GID\":\"0\",\"ConfigStateHash\":\"1026580567\",\"UserName\":\"root\",\"SVGID\":\"0\",\"MD5HashData\":\"88922d50263b059696c2af5a99906562\",\"SHA256HashData\":\"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"CommandLine\":\"runc init\",\"TargetProcessId\":\"12347783237538\",\"ImageFileName\":\"/\",\"RGID\":\"0\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2LinV12\",\"RUID\":\"0\",\"ProcessStartTime\":\"1760406073.568\",\"ComputerName\":\"comp2\",\"aid\":\"ffffffff62714a708030d494ca0a7e60\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}",
+                "outcome": "success",
+                "type": [
+                    "start"
+                ]
+            },
+            "group": {
+                "Ext": {
+                    "real": {
+                        "id": "0"
+                    }
+                },
+                "id": "0"
+            },
+            "host": {
+                "hostname": "comp2",
+                "id": "ffffffff62714a708030d494ca0a7e60",
+                "name": "comp2",
+                "os": {
+                    "type": "linux"
+                }
+            },
+            "message": "ProcessRollup2",
+            "observer": {
+                "address": [
+                    "89.160.20.128"
+                ],
+                "geo": {
+                    "city_name": "Linköping",
+                    "continent_name": "Europe",
+                    "country_iso_code": "SE",
+                    "country_name": "Sweden",
+                    "location": {
+                        "lat": 58.4167,
+                        "lon": 15.6167
+                    },
+                    "region_iso_code": "SE-E",
+                    "region_name": "Östergötland County"
+                },
+                "ip": [
+                    "89.160.20.128"
+                ],
+                "serial_number": "ffffffff62714a708030d494ca0a7e60",
+                "version": "1007.4.0013701.1"
+            },
+            "process": {
+                "args": [
+                    "runc",
+                    "init"
+                ],
+                "args_count": 2,
+                "command_line": "runc init",
+                "end": "2025-10-14T01:41:13.595Z",
+                "entity_id": "12347783237538",
+                "executable": "/",
+                "group": {
+                    "id": "0"
+                },
+                "group_leader": {
+                    "entity_id": "1234915117961"
+                },
+                "hash": {
+                    "md5": "88922d50263b059696c2af5a99906562",
+                    "sha256": "d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6"
+                },
+                "name": "runc",
+                "parent": {
+                    "entity_id": "12347782548906",
+                    "name": "runc"
+                },
+                "pgid": 1234915117961,
+                "pid": 1234,
+                "real_group": {
+                    "id": "0"
+                },
+                "real_user": {
+                    "id": "0"
+                },
+                "start": "2025-10-14T01:41:13.568Z",
+                "uptime": 0
+            },
+            "related": {
+                "hash": [
+                    "88922d50263b059696c2af5a99906562",
+                    "d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6",
+                    "1026580567"
+                ],
+                "hosts": [
+                    "comp2"
+                ],
+                "ip": [
+                    "89.160.20.128",
+                    "0.0.0.0"
+                ],
+                "user": [
+                    "root",
+                    "0"
+                ]
+            },
+            "source": {
+                "address": "0.0.0.0",
+                "ip": "0.0.0.0"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "Ext": {
+                    "real": {
+                        "id": "0"
+                    }
+                },
+                "group": {
+                    "id": "0"
+                },
+                "id": "0",
+                "name": "root"
+            }
         }
     ]
 }

packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml

@@ -240,6 +240,22 @@ processors:
         - append:
             field: error.message
             value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+  - date:
+      tag: date-change-time
+      field: crowdstrike.ChangeTime
+      target_field: crowdstrike.ChangeTime
+      formats:
+        - UNIX
+      if: >
+        ctx.crowdstrike?.ChangeTime != null &&
+        ctx.crowdstrike.ChangeTime != ""
+      on_failure:
+        - remove:
+            field: crowdstrike.ChangeTime
+            ignore_failure: true
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
   - rename:
       tag: rename-message
       field: crowdstrike.message
@@ -2059,6 +2075,28 @@ processors:
           name = executable.splitOnToken("/")[-1];
         }
         ctx.process.put("name", name);
+
+  # This handles a special case occurs in Linux-based containerized environments
+  # when the "runc" process clones itself to get into its own namespace.
+  # The child process would have its executable path set to "/"
+  # and consequently, the process name would not be set.
+  # For more details, see https://terenceli.github.io/%E6%8A%80%E6%9C%AF/2021/12/28/runc-internals-3.
+  - script:
+      tag: parse_process_name_from_command_line
+      description: Extract process.name from command line if not already present.
+      lang: painless
+      if: >-
+        ctx.process?.executable == '/' &&
+        (ctx.process.name == null || ctx.process.name == '') &&
+        (ctx.process.args instanceof List && ctx.process.args.length > 0)
+      source: |-
+        ctx.process.name = ctx.process.args[0];
+
+        // Clean up path separators.
+        int lastSlash = ctx.process.name.lastIndexOf("/");
+        if (lastSlash != -1) {
+            ctx.process.name = ctx.process.name.substring(lastSlash + 1);
+        }
   - convert:
       field: crowdstrike.ExitCode
       type: long

packages/crowdstrike/data_stream/fdr/fields/fields.yml

@@ -170,6 +170,8 @@
       type: version
     - name: ChangedPcrBitmap
       type: match_only_text
+    - name: ChangeTime
+      type: date
     - name: ChannelDiffStatus
       type: keyword
     - name: ChannelId
@@ -921,6 +923,8 @@
       type: match_only_text
     - name: OciContainerHostConfigReadOnlyRootfs
       type: match_only_text
+    - name: OciContainerId
+      type: match_only_text
     - name: OciContainerImageId
       type: match_only_text
     - name: OciContainerInfoRetransmitted
@@ -1207,6 +1211,8 @@
       type: keyword
     - name: RGID
       type: keyword
+    - name: RootPath
+      type: keyword
     - name: RouteAge
       type: keyword
     - name: RouteMetric

packages/crowdstrike/docs/README.md

@@ -1480,6 +1480,7 @@ If the severity name is not available from the original document, it is determin
 | crowdstrike.CertificatePublisher |  | keyword |
 | crowdstrike.CertificateSignatureHash |  | keyword |
 | crowdstrike.CertificateSignatureHashAlgorithm |  | keyword |
+| crowdstrike.ChangeTime |  | date |
 | crowdstrike.ChangedPcrBitmap |  | match_only_text |
 | crowdstrike.ChannelDiffStatus |  | keyword |
 | crowdstrike.ChannelId |  | keyword |
@@ -1839,6 +1840,7 @@ If the severity name is not available from the original document, it is determin
 | crowdstrike.OciContainerHostConfigPrivileged |  | match_only_text |
 | crowdstrike.OciContainerHostConfigPublishAllPorts |  | match_only_text |
 | crowdstrike.OciContainerHostConfigReadOnlyRootfs |  | match_only_text |
+| crowdstrike.OciContainerId |  | match_only_text |
 | crowdstrike.OciContainerImageId |  | match_only_text |
 | crowdstrike.OciContainerInfoRetransmitted |  | match_only_text |
 | crowdstrike.OciContainerMounts |  | match_only_text |
@@ -2001,6 +2003,7 @@ If the severity name is not available from the original document, it is determin
 | crowdstrike.ResendToCloud |  | keyword |
 | crowdstrike.RespondingDnsServer |  | keyword |
 | crowdstrike.RetransmitTime |  | keyword |
+| crowdstrike.RootPath |  | keyword |
 | crowdstrike.RouteAge |  | keyword |
 | crowdstrike.RouteMetric |  | keyword |
 | crowdstrike.RouteOrigin |  | keyword |

packages/crowdstrike/manifest.yml

@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "2.5.2"
+version: "2.6.0"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.4.0"