Crowdstrike Fleet Integration Ingest Pipeline Modifies Agent Fields

From my understanding, the 'agent' field holds information about the filebeat agent used to pull in data from the Fleet integration. However, the Crowdstrike integration makes several changes to the 'agent.type' and 'agent.id' fields in the Ingest Pipeline 'logs-crowdstrike.falcon-1.5.0-detection_summary'. It does the following:

{
  "set": {
    "field": "agent.type",
    "value": "falcon"
  }
},
{
  "convert": {
    "field": "crowdstrike.event.SensorId",
    "target_field": "agent.id",
    "type": "string",
    "ignore_failure": true,
    "ignore_missing": true
  }
}

Should these be removed from the default pipeline so that updates to this pipeline don't revert my changes? Who needs to know so this can be fixed?

Edit: I also noticed similar processors in 'logs-crowdstrike.falcon-1.5.0-incident_summary'

Thanks,
Brian Dutill
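Added example, not part of the post or of the Elastic integration: a small Python audit that loads an ingest pipeline definition and lists every processor whose write target lands under `agent.`, so overwrites like the two quoted above can be spotted again after an integration upgrade. The pipeline JSON is constructed here (the two quoted processors plus two made-up distractors); the processor names are real Elasticsearch ingest processors, the helper names are mine.

```python
import json

# Constructed pipeline definition: the two processors quoted in the post,
# followed by two made-up processors (one unrelated, one touching agent.*).
PIPELINE_JSON = """
{
  "processors": [
    {"set": {"field": "agent.type", "value": "falcon"}},
    {"convert": {"field": "crowdstrike.event.SensorId", "target_field": "agent.id",
                 "type": "string", "ignore_failure": true, "ignore_missing": true}},
    {"rename": {"field": "crowdstrike.event.Hostname", "target_field": "host.name"}},
    {"remove": {"field": "agent.ephemeral_id", "ignore_missing": true}}
  ]
}
"""

# Processors that write to "field" in place unless a "target_field" is given.
IN_PLACE_OR_TARGET = {"convert", "lowercase", "uppercase", "trim", "gsub", "json", "urldecode"}


def write_targets(name, cfg):
    """Return the field names a single processor writes to (or removes)."""
    if name == "set":
        return [cfg["field"]]
    if name == "rename":
        return [cfg["target_field"]]
    if name in IN_PLACE_OR_TARGET:
        return [cfg.get("target_field", cfg["field"])]
    if name == "remove":
        fields = cfg["field"]
        return list(fields) if isinstance(fields, list) else [fields]
    return []  # other processor types are not audited here


def processors_writing_to(pipeline, prefix="agent."):
    """List (index, processor_type, field) for every processor writing under prefix."""
    hits = []
    for index, processor in enumerate(pipeline["processors"]):
        for name, cfg in processor.items():
            for target in write_targets(name, cfg):
                if target == prefix.rstrip(".") or target.startswith(prefix):
                    hits.append((index, name, target))
    return hits


def audit(pipeline_json):
    """Parse a pipeline definition and report writes to agent.* fields."""
    return processors_writing_to(json.loads(pipeline_json))


if __name__ == "__main__":
    for index, name, field in audit(PIPELINE_JSON):
        print(f"processor #{index} ({name}) writes to {field}")
```

Point it at the output of GET _ingest/pipeline/<name> to audit a real pipeline after an upgrade.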
