From my understanding, the 'agent' field holds information about the filebeat agent used to pull in data from the Fleet integration. However, the Crowdstrike integration makes several changes to the 'agent.type' and 'agent.id' fields in the Ingest Pipeline ' logs-crowdstrike.falcon-1.5.0-detection_summary'. It does the following....
{
"set": {
"field": "agent.type",
"value": "falcon"
}
},
{
"convert": {
"field": "crowdstrike.event.SensorId",
"target_field": "agent.id",
"type": "string",
"ignore_failure": true,
"ignore_missing": true
}
}
Should these be removed from the default pipeline so that updates to this pipeline don't revert my changes? Who needs to know so this can be fixed?
Edit: I also noticed similar processors in 'logs-crowdstrike.falcon-1.5.0-incident_summary'
Thanks,
Brian Dutill