
Conversation

@navnit-elastic
Contributor

Proposed commit message

crowdstrike: parse command line to populate process name in FDR logs

This handles a special case that occurs in Linux-based containerized environments
when the "runc" process clones itself to get into its own namespace.
The child process would have its executable path set to "/"
which was resulting in "process.name" being empty.

This change adds command line parsing to extract "process.name"
when "process.executable" is set to a slash ("/").

Adds fields definition for ChangeTime, OciContainerId and RootPath.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Pipeline Tests:

--- Test results for package: crowdstrike - START ---
╭─────────────┬─────────────┬───────────┬───────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE     │ DATA STREAM │ TEST TYPE │ TEST NAME                                                     │ RESULT │ TIME ELAPSED │
├─────────────┼─────────────┼───────────┼───────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-data.log)                      │ PASS   │ 412.693449ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-epp-detection-summary.log) │ PASS   │ 338.948915ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-lengthy-field-delete.log)  │ PASS   │ 344.048521ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-lengthy-field-index.log)   │ PASS   │ 337.829426ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr.log)                       │ PASS   │ 352.047773ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdrv2-notmanaged.log)          │ PASS   │ 354.948319ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-linux.log)                     │ PASS   │ 339.636941ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-macos.log)                     │ PASS   │ 365.635581ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-tags-formats.log)              │ PASS   │  367.98951ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-windows.log)                   │ PASS   │ 372.760256ms │
│ crowdstrike │ fdr         │ pipeline  │ test-data.log                                                 │ PASS   │ 228.059035ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-epp-detection-summary.log                            │ PASS   │ 480.252546ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-lengthy-field-delete.log                             │ PASS   │ 142.563423ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-lengthy-field-index.log                              │ PASS   │ 155.706309ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr.log                                                  │ PASS   │  2.37638572s │
│ crowdstrike │ fdr         │ pipeline  │ test-fdrv2-notmanaged.log                                     │ PASS   │ 140.196696ms │
│ crowdstrike │ fdr         │ pipeline  │ test-linux.log                                                │ PASS   │ 272.310776ms │
│ crowdstrike │ fdr         │ pipeline  │ test-macos.log                                                │ PASS   │ 421.985696ms │
│ crowdstrike │ fdr         │ pipeline  │ test-tags-formats.log                                         │ PASS   │ 184.819217ms │
│ crowdstrike │ fdr         │ pipeline  │ test-windows.log                                              │ PASS   │  2.40098861s │
╰─────────────┴─────────────┴───────────┴───────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: crowdstrike - END   ---
Done

Related issues

Screenshots
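The PR above does not show the pipeline change itself, so the following is an added, stand-alone Python model of the logic the commit message describes, not the integration's own ingest pipeline (which is YAML plus Painless). It works on ECS-shaped events: when process.executable is exactly "/" (the cloned runc child), process.name is taken from the basename of argv[0] in process.command_line; otherwise it is assumed to come from the basename of process.executable, which is this example's reading of the pre-existing behaviour. The sample events are constructed, not taken from the package's test data. From a detection standpoint the point is that rules keyed on process.name silently miss events where the field is empty, so the fallback closes a visibility gap for container runtimes.

```python
import posixpath
import shlex
from typing import Optional

# Value CrowdStrike FDR reports as process.executable for the runc child that
# clones itself into its own namespace (the case the PR above describes).
CLONED_EXECUTABLE = "/"


def name_from_command_line(command_line: Optional[str]) -> Optional[str]:
    """Basename of argv[0] taken from a command line, or None if none is recoverable."""
    if not command_line or not command_line.strip():
        return None
    try:
        # shlex honours quoting, so "/opt/my tools/agent" --flag yields a single argv[0].
        argv = shlex.split(command_line)
    except ValueError:
        # Unbalanced quotes in the captured command line: degrade to whitespace splitting.
        argv = [tok.strip("\"'") for tok in command_line.split()]
    if not argv:
        return None
    name = posixpath.basename(argv[0])
    # argv[0] of "/" (or any trailing-slash path) has an empty basename; treat it as absent.
    return name or None


def populate_process_name(event: dict) -> dict:
    """Return a copy of an ECS-shaped event with process.name filled in where possible.

    Assumption (not shown in the PR): in the normal case the name is the basename of
    process.executable. In the special case the executable is "/" and the name is
    derived from process.command_line instead. If neither yields a name the field is
    left unset rather than being written as an empty string.
    """
    out = {**event, "process": dict(event.get("process", {}))}
    proc = out["process"]
    executable = proc.get("executable")
    if executable == CLONED_EXECUTABLE:
        name = name_from_command_line(proc.get("command_line"))
    elif executable:
        name = posixpath.basename(executable) or None
    else:
        name = None
    if name:
        proc["name"] = name
    return out


# Constructed sample events (not taken from the package's pipeline test data).
SAMPLE_EVENTS = [
    {"process": {"executable": "/", "command_line": "runc init"}},
    {"process": {"executable": "/", "command_line": "/usr/bin/runc init"}},
    {"process": {"executable": "/usr/sbin/sshd", "command_line": "sshd -D"}},
    {"process": {"executable": "/", "command_line": ""}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        enriched = populate_process_name(ev)
        print(enriched["process"].get("name"), "<-", ev["process"])
```

shlex.split is used in POSIX mode, which is appropriate for the Linux container case the PR targets; Windows command lines with backslash paths would need a different tokenizer. The function never mutates its input, so it can be dropped into a processing step that keeps the raw event alongside the enriched one.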

@navnit-elastic navnit-elastic self-assigned this Oct 14, 2025
@navnit-elastic navnit-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Oct 14, 2025
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

Package crowdstrike 👍(4) 💚(3) 💔(3)

Data stream   Previous EPS   New EPS   Diff (%)             Result
falcon        4405.29        3392.13   -1013.16 (-23%)      💔
host          4566.21        2896.03   -1670.18 (-36.58%)   💔
fdr           1459.85        1044.93   -414.92 (-28.42%)    💔

To see the full report comment with /test benchmark fullreport


@tomsonpl tomsonpl left a comment

Thank you, this looks great!

@tomsonpl

@navnit-elastic hey, just wanted to check in and see when is it planned to be released? :) Thank you!

Conflicts:
	packages/crowdstrike/changelog.yml
	packages/crowdstrike/manifest.yml
@navnit-elastic navnit-elastic marked this pull request as ready for review October 23, 2025 18:52
@navnit-elastic navnit-elastic requested a review from a team as a code owner October 23, 2025 18:52
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elasticmachine

💚 Build Succeeded

cc @navnit-elastic

@navnit-elastic navnit-elastic merged commit 1acfa77 into elastic:main Oct 24, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package crowdstrike - 2.6.0 containing this change is available at https://epr.elastic.co/package/crowdstrike/2.6.0/
