elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[ti_crowdstrike.ioc]: field [original] not present as part of path [event.original]] #10575

Status: Open. buzzdeee opened this issue 1 month ago.

buzzdeee commented 1 month ago

Integration Name: CrowdStrike Falcon Intelligence [ti_crowdstrike]

Integration Version: 1.1.2

Agent Version: 8.14.2

Agent Output Type: elasticsearch

Elasticsearch Version: 8.14.2

OS Version and Architecture: Ubuntu 22.04.4 LTS

Software/API Version: No response

Error Message

[failed eval: internal error: runtime error: invalid memory address or nil pointer dereference, Processor json with tag json_event_original in pipeline logs-ti_crowdstrike.ioc-1.1.2 failed with message: field [original] not present as part of path [event.original]]

Event Original

I did not have "Preserve original event" enabled; I have enabled it now and am not sure if I'll see it again.

Anything else?

No response

elasticmachine commented 1 month ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

efd6 commented 1 month ago

@buzzdeee This is a known issue with the input. It is fixed by elastic/beats#40144, which will be in the next 8.15 release. It is indicative of HTTP retry max-outs, so the workaround in the meantime is to increase the max retries and investigate if there are any issues with your network.
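A defensive pipeline guard for the failing processor, added here as an illustration; it is neither the integration's own pipeline nor the elastic/beats#40144 fix. The json processor tagged json_event_original only runs when event.original is present, and a document that arrives without it (the retry-exhausted case described above) is indexed with an error.message and a tag instead of aborting the pipeline. The target_field "json", the tag name "_missing_event_original" and the custom error text are assumptions.

```json
{
  "description": "Constructed example: guard the json processor that failed in logs-ti_crowdstrike.ioc-1.1.2 when event.original is absent",
  "processors": [
    {
      "json": {
        "tag": "json_event_original",
        "field": "event.original",
        "target_field": "json",
        "if": "ctx.event?.original != null",
        "on_failure": [
          {
            "append": {
              "field": "error.message",
              "value": "Processor '{{{ _ingest.on_failure_processor_type }}}' with tag '{{{ _ingest.on_failure_processor_tag }}}' failed: {{{ _ingest.on_failure_message }}}"
            }
          }
        ]
      }
    },
    {
      "append": {
        "description": "Assumed: flag documents that skipped the json processor so they can be found in a search rather than silently dropped",
        "if": "ctx.event?.original == null",
        "field": "error.message",
        "value": "event.original missing; input likely exhausted HTTP retries (see elastic/beats#40144)"
      }
    },
    {
      "append": {
        "if": "ctx.event?.original == null",
        "field": "tags",
        "value": "_missing_event_original",
        "allow_duplicates": false
      }
    }
  ]
}
```

A search for `tags:_missing_event_original` then shows how often the input delivered empty events, which is a useful signal while the max-retries workaround is in place.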