diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
index 555cf2b4a12..8b1d204585c 100644
--- a/packages/crowdstrike/changelog.yml
+++ b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.6.0"
+ changes:
+ - description: Add a fallback parsing command_line to populate the process name in the FDR data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15646
 - version: "2.5.2"
 changes:
 - description: Add `event.category` and `event.type` fields to process data in alerts.
diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log
index 4ba49239c2a..6ab6c2e5419 100644
--- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log
+++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log
@@ -2,3 +2,4 @@ {"event_simpleName":"CriticalFileAccessed","ContextTimeStamp":"1757157936.727","GID":"0","ConfigStateHash":"1061106086","ContextProcessId":"1096090950008222800","ContextThreadId":"0","aip":"89.160.20.128","ConfigBuild":"2c8b.2.3366c72.4f","UID":"0","event_platform":"Lin","UnixMode":"61960","Entitlements":"26","name":"1532ae7e2a105adcc6ddbcf67","EventOrigin":"1","id":"01a3b1d4aa10d5329aef78ba9d3ec56f6d97","EffectiveTransmissionClass":"2","aid":"37b562b807a27cfb58dda71ec9a7eb22","timestamp":"1743508799999","cid":"4092825518eaf67377a6e4492ae44577","TargetFileName":"/812/0bb09d"} {"CapPrm":"3800192030037","ParentProcessId":"8081349242194000050","SourceProcessId":"8081349242194000050","aip":"81.2.69.192","SessionProcessId":"4102020000109002000","SyntheticPR2Flags":"4","event_platform":"Lin","ProcessEndTime":"1745972888.297","SVUID":"0","EventOrigin":"45","id":"fb9bd5f0314e46ce785f479aed8f3032fcd9","EffectiveTransmissionClass":"2","timestamp":"1743508799999","ProcessGroupId":"7001610480104066706","event_simpleName":"SyntheticProcessRollup2","RawProcessId":"8905032","ContextTimeStamp":"1752350302.359","GID":"0","ConfigStateHash":"5001020160","SVGID":"0","ConfigBuild":"2c8b.2.3366c72.4f","UID":"0","CommandLine":"e7f8eac7d","TargetProcessId":"6059002040716020903","ImageFileName":"/501e","RGID":"0","SourceThreadId":"0","Entitlements":"56","name":"4f32166a22f49735247598b45006","ProcessStartTime":"1745953229.264","RUID":"0","aid":"8c687fb6b1e8231200c77ef5e3175d0e","cid":"4092825518eaf67377a6e4492ae44577"} 
{"event_simpleName":"TerminateProcess","RawProcessId":"1070050","ContextTimeStamp":"1751300030.984","ConfigStateHash":"8001020160","ContextProcessId":"9960000700989070560","ContextThreadId":"0","aip":"89.160.20.128","ConfigBuild":"2c8b.2.3366c72.4f","event_platform":"Lin","TargetProcessId":"6960000700989070560","Entitlements":"36","name":"6b1c662a760f5ed9750d4","EventOrigin":"1","id":"3e71b26395f4386bcb6602ee6777bb5f3124","EffectiveTransmissionClass":"2","aid":"12111f24f25a2a99438b40765c236577","timestamp":"1743508799999","cid":"4092825518eaf67377a6e4492ae44577"} +{"ChangeTime":"1731329600.968","OciContainerId":"sw345tf5e3455r7dw32w23t6t7fde34ed345rfe45rf0ew4fd","CapPrm":"123438954321","ParentProcessId":"12347782548906","SourceProcessId":"12347782548906","aip":"89.160.20.128","SessionProcessId":"1234915117961","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Lin","ProcessEndTime":"1760406073.595","SVUID":"0","ParentBaseFileName":"runc","EventOrigin":"17","id":"1w23e4r-d03e-4003-bc75-71c6e819ca5f","EffectiveTransmissionClass":"2","Tags":"874, 17179870274, 12094627905582, 12094627906234, 212205744162400","timestamp":"1760406074201","ProcessGroupId":"1234915117961","LocalAddressIP4":"0.0.0.0","event_simpleName":"ProcessRollup2","RawProcessId":"1234","RootPath":"/","GID":"0","ConfigStateHash":"1026580567","UserName":"root","SVGID":"0","MD5HashData":"88922d50263b059696c2af5a99906562","SHA256HashData":"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6","ConfigBuild":"1007.4.0013701.1","UID":"0","CommandLine":"runc init","TargetProcessId":"12347783237538","ImageFileName":"/","RGID":"0","SourceThreadId":"0","Entitlements":"15","name":"ProcessRollup2LinV12","RUID":"0","ProcessStartTime":"1760406073.568","ComputerName":"comp2","aid":"ffffffff62714a708030d494ca0a7e60","cid":"ffffffff15754bcfb5f9152ec7ac90ac"} 
diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log-expected.json index aea42d07832..f0114c88668 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log-expected.json 
@@ -387,6 +387,170 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2025-10-14T01:41:14.201Z", + "crowdstrike": { + "CapPrm": "123438954321", + "ChangeTime": "2024-11-11T12:53:20.968Z", + "ConfigStateHash": "1026580567", + "EffectiveTransmissionClass": "2", + "Entitlements": "15", + "EventOrigin": "17", + "LocalAddressIP4": [ + "0.0.0.0" + ], + "MD5HashData": "88922d50263b059696c2af5a99906562", + "OciContainerId": "sw345tf5e3455r7dw32w23t6t7fde34ed345rfe45rf0ew4fd", + "RGID": "0", + "RUID": "0", + "RootPath": "/", + "SHA256HashData": "d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6", + "SVGID": "0", + "SVUID": "0", + "SessionProcessId": "1234915117961", + "SourceProcessId": "12347782548906", + "SourceThreadId": "0", + "Tags": [ + "874", + "17179870274", + "12094627905582", + "12094627906234", + "212205744162400" + ], + "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "id": "1w23e4r-d03e-4003-bc75-71c6e819ca5f", + "name": "ProcessRollup2LinV12" + }, + "device": { + "id": "ffffffff62714a708030d494ca0a7e60" + }, + "event": { + "action": "ProcessRollup2", + "category": [ + "process" + ], + "created": "2025-10-14T01:41:14.201Z", + "id": "1w23e4r-d03e-4003-bc75-71c6e819ca5f|ffffffff62714a708030d494ca0a7e60|ffffffff15754bcfb5f9152ec7ac90ac", + "kind": "event", + "original": "{\"ChangeTime\":\"1731329600.968\",\"OciContainerId\":\"sw345tf5e3455r7dw32w23t6t7fde34ed345rfe45rf0ew4fd\",\"CapPrm\":\"123438954321\",\"ParentProcessId\":\"12347782548906\",\"SourceProcessId\":\"12347782548906\",\"aip\":\"89.160.20.128\",\"SessionProcessId\":\"1234915117961\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"event_platform\":\"Lin\",\"ProcessEndTime\":\"1760406073.595\",\"SVUID\":\"0\",\"ParentBaseFileName\":\"runc\",\"EventOrigin\":\"17\",\"id\":\"1w23e4r-d03e-4003-bc75-71c6e819ca5f\",\"EffectiveTransmissionClass\":\"2\",\"Tags\":\"874, 17179870274, 12094627905582, 12094627906234, 
212205744162400\",\"timestamp\":\"1760406074201\",\"ProcessGroupId\":\"1234915117961\",\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"1234\",\"RootPath\":\"/\",\"GID\":\"0\",\"ConfigStateHash\":\"1026580567\",\"UserName\":\"root\",\"SVGID\":\"0\",\"MD5HashData\":\"88922d50263b059696c2af5a99906562\",\"SHA256HashData\":\"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"CommandLine\":\"runc init\",\"TargetProcessId\":\"12347783237538\",\"ImageFileName\":\"/\",\"RGID\":\"0\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2LinV12\",\"RUID\":\"0\",\"ProcessStartTime\":\"1760406073.568\",\"ComputerName\":\"comp2\",\"aid\":\"ffffffff62714a708030d494ca0a7e60\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", + "outcome": "success", + "type": [ + "start" + ] + }, + "group": { + "Ext": { + "real": { + "id": "0" + } + }, + "id": "0" + }, + "host": { + "hostname": "comp2", + "id": "ffffffff62714a708030d494ca0a7e60", + "name": "comp2", + "os": { + "type": "linux" + } + }, + "message": "ProcessRollup2", + "observer": { + "address": [ + "89.160.20.128" + ], + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": [ + "89.160.20.128" + ], + "serial_number": "ffffffff62714a708030d494ca0a7e60", + "version": "1007.4.0013701.1" + }, + "process": { + "args": [ + "runc", + "init" + ], + "args_count": 2, + "command_line": "runc init", + "end": "2025-10-14T01:41:13.595Z", + "entity_id": "12347783237538", + "executable": "/", + "group": { + "id": "0" + }, + "group_leader": { + "entity_id": "1234915117961" + }, + "hash": { + "md5": "88922d50263b059696c2af5a99906562", + "sha256": "d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6" + }, + 
"name": "runc", + "parent": { + "entity_id": "12347782548906", + "name": "runc" + }, + "pgid": 1234915117961, + "pid": 1234, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "start": "2025-10-14T01:41:13.568Z", + "uptime": 0 + }, + "related": { + "hash": [ + "88922d50263b059696c2af5a99906562", + "d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6", + "1026580567" + ], + "hosts": [ + "comp2" + ], + "ip": [ + "89.160.20.128", + "0.0.0.0" + ], + "user": [ + "root", + "0" + ] + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "Ext": { + "real": { + "id": "0" + } + }, + "group": { + "id": "0" + }, + "id": "0", + "name": "root" + } } ] } diff --git a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml index 47656d8bb7f..61d40a460e3 100644 --- a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml @@ -240,6 +240,22 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + tag: date-change-time + field: crowdstrike.ChangeTime + target_field: crowdstrike.ChangeTime + formats: + - UNIX + if: > + ctx.crowdstrike?.ChangeTime != null && + ctx.crowdstrike.ChangeTime != "" + on_failure: + - remove: + field: crowdstrike.ChangeTime + ignore_failure: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: tag: rename-message field: crowdstrike.message 
@@ -2059,6 +2075,28 @@ processors:
 name = executable.splitOnToken("/")[-1];
 }
 ctx.process.put("name", name);
+
+ # This handles a special case occurs in Linux-based containerized environments
+ # when the "runc" process clones itself to get into its own namespace.
+ # The child process would have its executable path set to "/"
+ # and consequently, the process name would not be set.
+ # For more details, see https://terenceli.github.io/%E6%8A%80%E6%9C%AF/2021/12/28/runc-internals-3.
+ - script:
+ tag: parse_process_name_from_command_line
+ description: Extract process.name from command line if not already present.
+ lang: painless
+ if: >-
+ ctx.process?.executable == '/' &&
+ (ctx.process.name == null || ctx.process.name == '') &&
+ (ctx.process.args instanceof List && ctx.process.args.length > 0)
+ source: |-
+ ctx.process.name = ctx.process.args[0];
+
+ // Clean up path separators.
+ int lastSlash = ctx.process.name.lastIndexOf("/");
+ if (lastSlash != -1) {
+ ctx.process.name = ctx.process.name.substring(lastSlash + 1);
+ }
 - convert:
 field: crowdstrike.ExitCode
 type: long
diff --git a/packages/crowdstrike/data_stream/fdr/fields/fields.yml b/packages/crowdstrike/data_stream/fdr/fields/fields.yml
index 23500988712..45dfa7c7e51 100644
--- a/packages/crowdstrike/data_stream/fdr/fields/fields.yml
+++ b/packages/crowdstrike/data_stream/fdr/fields/fields.yml
@@ -170,6 +170,8 @@
 type: version
 - name: ChangedPcrBitmap
 type: match_only_text
+ - name: ChangeTime
+ type: date
 - name: ChannelDiffStatus
 type: keyword
 - name: ChannelId
@@ -921,6 +923,8 @@
 type: match_only_text
 - name: OciContainerHostConfigReadOnlyRootfs
 type: match_only_text
+ - name: OciContainerId
+ type: match_only_text
 - name: OciContainerImageId
 type: match_only_text
 - name: OciContainerInfoRetransmitted
@@ -1207,6 +1211,8 @@
 type: keyword
 - name: RGID
 type: keyword
+ - name: RootPath
+ type: keyword
 - name: RouteAge
 type: keyword
 - name: RouteMetric
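Review bot: The new `parse_process_name_from_command_line` script sets `process.name` from `process.args[0]`, a value the launching process chooses itself at execve time, whereas the preceding context lines (`name = executable.splitOnToken("/")[-1]; ctx.process.put("name", name);`) appear to derive it from the sensor-reported executable path; any detection keyed on `process.name` should not treat a name produced by this path as equivalent to one taken from the executable, because a process whose executable resolves to `/` can present whatever argv[0] it likes. The `ctx.process?.executable == '/'` guard keeps the exposure narrow, but the `# This handles a special case ...` comment should state the trust difference, e.g. `# NOTE: process.name set here comes from argv[0] (caller-controlled), not from the sensor-reported executable path.` Separately, the slash stripping can leave an empty string when `args[0]` ends in `/` (the field is then set to `''`, which the `if` condition itself treats as "not set"), so compute into a local and assign only a non-empty result: `String n = ctx.process.args[0]; int i = n.lastIndexOf("/"); if (i != -1) { n = n.substring(i + 1); }` followed by `if (n != '') { ctx.process.name = n; }`. The `processors` list and the script whose `ctx.process.put("name", name)` forms this hunk's leading context both continue outside the hunk.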
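Review bot: `OciContainerId` is mapped as `match_only_text` in the second fields.yml hunk, which is neither aggregatable nor sortable, yet a container ID is exactly the identifier a responder groups or pivots on when tracing the `runc init` sample this change adds. This mirrors the sibling `OciContainer*` fields and may be deliberate for consistency, but `RootPath` in the next hunk gets `keyword`, and a `keyword` mapping here (`- name: OciContainerId` / `type: keyword`) would let detections and dashboards group events by container without a reindex later; if `match_only_text` is kept, a `description:` noting that the field cannot be aggregated would save analysts a surprise.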
diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md index 64ed14d4567..c9c3de52bcf 100644 --- a/packages/crowdstrike/docs/README.md +++ b/packages/crowdstrike/docs/README.md @@ -1480,6 +1480,7 @@ If the severity name is not available from the original document, it is determin | crowdstrike.CertificatePublisher | | keyword | | crowdstrike.CertificateSignatureHash | | keyword | | crowdstrike.CertificateSignatureHashAlgorithm | | keyword | +| crowdstrike.ChangeTime | | date | | crowdstrike.ChangedPcrBitmap | | match_only_text | | crowdstrike.ChannelDiffStatus | | keyword | | crowdstrike.ChannelId | | keyword | @@ -1839,6 +1840,7 @@ If the severity name is not available from the original document, it is determin | crowdstrike.OciContainerHostConfigPrivileged | | match_only_text | | crowdstrike.OciContainerHostConfigPublishAllPorts | | match_only_text | | crowdstrike.OciContainerHostConfigReadOnlyRootfs | | match_only_text | +| crowdstrike.OciContainerId | | match_only_text | | crowdstrike.OciContainerImageId | | match_only_text | | crowdstrike.OciContainerInfoRetransmitted | | match_only_text | | crowdstrike.OciContainerMounts | | match_only_text | @@ -2001,6 +2003,7 @@ If the severity name is not available from the original document, it is determin | crowdstrike.ResendToCloud | | keyword | | crowdstrike.RespondingDnsServer | | keyword | | crowdstrike.RetransmitTime | | keyword | +| crowdstrike.RootPath | | keyword | | crowdstrike.RouteAge | | keyword | | crowdstrike.RouteMetric | | keyword | | crowdstrike.RouteOrigin | | keyword | diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml index a998373b9dc..28f0fbe348f 100644 --- a/packages/crowdstrike/manifest.yml +++ b/packages/crowdstrike/manifest.yml @@ -1,6 +1,6 @@ name: crowdstrike title: CrowdStrike -version: "2.5.2" +version: "2.6.0" description: Collect logs from Crowdstrike with Elastic Agent. type: integration format_version: "3.4.0"