crowdstrike: map command line fields as multi-fields with match_only …

…text (#11012)
elastic · Sep 16, 2024 · cae44e9 · cae44e9
1 parent 7da7dc9
commit cae44e9
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 1 deletion.
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.41.0"
+  changes:
+    - description: Map `crowdstrike.CommandHistory`, `crowdstrike.ParentCommandLine` and `crowdstrike.GrandparentCommandLine` as multi-fields with `match_only_text`.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11012
 - version: "1.40.1"
   changes:
     - description: Fix mapping for assessment events.

diff --git a/packages/crowdstrike/data_stream/fdr/fields/fields.yml b/packages/crowdstrike/data_stream/fdr/fields/fields.yml
@@ -51,6 +51,11 @@
       type: version
     - name: ClientComputerName
       type: keyword
+    - name: CommandHistory
+      type: keyword
+      multi_fields:
+        - name: text
+          type: match_only_text
     - name: CompletionEventId
       type: keyword
     - name: ConfigBuild
@@ -148,6 +153,9 @@
       type: keyword
     - name: GrandparentCommandLine
       type: keyword
+      multi_fields:
+        - name: text
+          type: match_only_text
     - name: GrandparentImageFileName
       type: keyword
     - name: HostGroups
@@ -262,6 +270,9 @@
       type: keyword
     - name: ParentCommandLine
       type: keyword
+      multi_fields:
+        - name: text
+          type: match_only_text
     - name: ParentImageFileName
       type: keyword
     - name: PasswordLastSet

diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md
@@ -1093,6 +1093,8 @@ and/or `session_token`.
 | crowdstrike.ChasisManufacturer |  | keyword |
 | crowdstrike.ChassisType |  | keyword |
 | crowdstrike.ClientComputerName |  | keyword |
+| crowdstrike.CommandHistory |  | keyword |
+| crowdstrike.CommandHistory.text | Multi-field of `crowdstrike.CommandHistory`. | match_only_text |
 | crowdstrike.CompletionEventId |  | keyword |
 | crowdstrike.ConHostId |  | keyword |
 | crowdstrike.ConHostProcessId |  | keyword |
@@ -1167,6 +1169,7 @@ and/or `session_token`.
 | crowdstrike.GenericFileWrittenCount |  | long |
 | crowdstrike.GrandParentBaseFileName |  | keyword |
 | crowdstrike.GrandparentCommandLine |  | keyword |
+| crowdstrike.GrandparentCommandLine.text | Multi-field of `crowdstrike.GrandparentCommandLine`. | match_only_text |
 | crowdstrike.GrandparentImageFileName |  | keyword |
 | crowdstrike.HostGroups |  | keyword |
 | crowdstrike.HostHiddenStatus |  | keyword |
@@ -1263,6 +1266,7 @@ and/or `session_token`.
 | crowdstrike.Parameter3 |  | keyword |
 | crowdstrike.ParentAuthenticationId |  | keyword |
 | crowdstrike.ParentCommandLine |  | keyword |
+| crowdstrike.ParentCommandLine.text | Multi-field of `crowdstrike.ParentCommandLine`. | match_only_text |
 | crowdstrike.ParentImageFileName |  | keyword |
 | crowdstrike.PasswordLastSet |  | keyword |
 | crowdstrike.PatternDispositionDescription |  | keyword |

diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.40.1"
+version: "1.41.0"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.0.3"