Hi all,
I have an ELK stack running with fleet installed.
In our Fleet an Elastic Agent is configured.
The current versions are:
- Elasticsearch 8.13.2
- Fleet and Agent versions: 8.13.4
- CrowdStrike Integration: 1.34.2
We are making use of the CrowdStrike integration, which is pushed to the agent via the agent policy.
This integration needs the following info, which has been configured in the integration policy:
- Client ID
- Client Secret
- Token url
- API Endpoint url
The CrowdStrike API key has all permissions (for debugging purposes).
This integration should make 2 data streams:
- Alerts
- Hosts
The Hosts data stream is working perfectly, but the Alerts data stream is failing (this error is parsed into Elasticsearch):
[
  {
    "meta": {
      "query_time": 0.002167201,
      "writes": {
        "resources_affected": 0
      },
      "powered_by": "detectsapi",
      "trace_id": "971eace0-aab5-4708-8b29-eac80ac467ac"
    },
    "errors": [
      {
        "code": 400,
        "message": "failed to read and parse request"
      }
    ],
    "resources": []
  },
  Processor json with tag json_event_original in pipeline logs-crowdstrike.alert-1.34.2 failed with message: field [original] not present as part of path [event.original]
]
Does someone know what I am doing wrong?
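When an integration's API call fails inside Elastic Agent, it helps to reproduce the same two calls (OAuth2 token, then the alerts query) outside the agent so the API's own error code and trace_id can be read directly. The script below is an added example and is not part of the original post, the CrowdStrike integration, or Elastic's code. It assumes the Falcon token endpoint is POST /oauth2/token with form fields client_id and client_secret and that the alerts query endpoint is GET /alerts/queries/alerts/v2 on the same API base URL; both paths and the `limit` parameter are assumptions taken from CrowdStrike's public API documentation, not from the post. The HTTP transport is injectable so the envelope handling can be run offline against the constructed sample bodies (the first sample is the error envelope quoted in the post, the second is an invented successful response).

```python
"""Stand-alone check of the CrowdStrike Falcon token + alerts query calls.

Added example, not the post's or the Elastic integration's code. Endpoint
paths (/oauth2/token, /alerts/queries/alerts/v2) are assumptions.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body=None):
    """Default transport: perform the request, return (status, body_bytes).

    Falcon returns its error envelope with a non-2xx status, so HTTPError is
    caught and its body returned instead of raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def canned_transport(status, body):
    """Offline transport that always answers with the given status and body."""
    return lambda method, url, headers, payload=None: (status, body)


def parse_envelope(status, body):
    """Classify a Falcon API response.

    Falcon responses carry meta/errors/resources. A 2xx status with an empty
    errors list is usable; anything else is reported with the API's own code,
    message and trace_id (the value to quote when raising a support case)."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        doc = None
    if not isinstance(doc, dict):
        return {"ok": False, "status": status, "trace_id": None, "resources": [],
                "errors": [{"code": status, "message": "body is not a JSON object"}]}
    errors = doc.get("errors") or []
    return {
        "ok": 200 <= status < 300 and not errors,
        "status": status,
        "errors": errors,
        "resources": doc.get("resources") or [],
        "trace_id": (doc.get("meta") or {}).get("trace_id"),
    }


def fetch_token(base_url, client_id, client_secret, transport=urllib_transport):
    """OAuth2 client-credentials exchange; returns (envelope, access_token)."""
    form = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    status, raw = transport(
        "POST", base_url.rstrip("/") + "/oauth2/token",  # assumed path
        {"Content-Type": "application/x-www-form-urlencoded",
         "Accept": "application/json"}, form)
    result = parse_envelope(status, raw)
    token = json.loads(raw).get("access_token") if result["ok"] else None
    return result, token


def query_alerts(base_url, token, limit=10, transport=urllib_transport):
    """Fetch the newest alert IDs; on success 'resources' holds the IDs."""
    url = (base_url.rstrip("/") + "/alerts/queries/alerts/v2?"  # assumed path
           + urllib.parse.urlencode({"limit": limit}))
    status, raw = transport("GET", url, {"Authorization": "Bearer " + token,
                                         "Accept": "application/json"})
    return parse_envelope(status, raw)


# Constructed sample bodies for offline use.
SAMPLE_ERROR = json.dumps({
    "meta": {"query_time": 0.002167201, "writes": {"resources_affected": 0},
             "powered_by": "detectsapi",
             "trace_id": "971eace0-aab5-4708-8b29-eac80ac467ac"},
    "errors": [{"code": 400, "message": "failed to read and parse request"}],
    "resources": []}).encode()
SAMPLE_OK = json.dumps({"meta": {"query_time": 0.01},
                        "errors": [],
                        "resources": ["alert-id-1", "alert-id-2"]}).encode()
SAMPLE_TOKEN = json.dumps({"access_token": "constructed-token",
                           "expires_in": 1799, "token_type": "bearer"}).encode()


if __name__ == "__main__":
    # Offline walk-through; swap canned_transport for urllib_transport and
    # real credentials to run against the API.
    env, tok = fetch_token("https://api.example.invalid", "id", "secret",
                           transport=canned_transport(201, SAMPLE_TOKEN))
    print("token ok:", env["ok"])
    bad = query_alerts("https://api.example.invalid", tok,
                       transport=canned_transport(400, SAMPLE_ERROR))
    print("alerts query:", bad["status"], bad["errors"], "trace", bad["trace_id"])
```

Running the two calls this way separates an API rejection (the `errors` array with its code and `trace_id`) from whatever the ingest pipeline does afterwards with the body it received.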