Closed andrewkroh closed 2 days ago
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
~Those aid and cid values do not look right.~ Fixed
Sanitization problems on my end. Took it from JSON -> YAML -> Edit things -> JSON :bomb:. And since I changed the aid/cid to all numbers yq properly interpreted it as number.
Integration Name
CrowdStrike [crowdstrike]
Dataset Name
crowdstrike.fdr
Integration Version
1.40.0
Agent Version
8.15.0
Agent Output Type
elasticsearch
Elasticsearch Version
8.15.0
OS Version and Architecture
AWS Linux on EC2
Software/API Version
No response
Error Message
There are _ignored values
Event Original
What did you do?
Ingested FDR data from AWS S3.
What did you see?
There are _ignored fields being flagged by the data quality dashboard.
What did you expect to see?
No _ignored fields.
And regarding the timestamp, the file containing this event is from Aug 30, but the ZeroTrustHostAssessment data all has the time at which it was read from S3 (Sep 5). There's only one timestamp in the document and it is from Feb, so that would likely be misleading to use as the @timestamp. My ideal behavior would be to have the S3 input configured to include the Last-Modified metadata from the object and use that as the @timestamp. But this is a lesser concern to the ignored field.
Anything else?
No response
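The two data-quality problems reported above (documents carrying `_ignored` fields, and ZeroTrustHostAssessment documents stamped with the S3 read time instead of the event time) can be audited with a small script, and the proposed fallback to the object's Last-Modified can be expressed as a timestamp-selection rule. This is an added example, not code from the issue or from the CrowdStrike integration; the document shape, field names (`s3_last_modified`, `event_time`, `some.ignored.field`) and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample documents (not taken from the issue), shaped like FDR
# events after ingestion: "@timestamp" as the pipeline set it, the S3 object's
# Last-Modified header, the event's own timestamp (if any) and the _ignored list.
SAMPLE_DOCS = [
    {  # ZeroTrustHostAssessment: @timestamp is the time the object was read
        "event": "ZeroTrustHostAssessment",
        "@timestamp": "2024-09-05T10:00:00Z",
        "s3_last_modified": "2024-08-30T12:00:00Z",
        "event_time": None,
        "_ignored": ["some.ignored.field"],  # placeholder field name
    },
    {  # An ordinary FDR event with its own timestamp and nothing ignored
        "event": "ProcessRollup2",
        "@timestamp": "2024-08-30T11:58:03Z",
        "s3_last_modified": "2024-08-30T12:00:00Z",
        "event_time": "2024-08-30T11:58:03Z",
        "_ignored": [],
    },
]


def parse(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit(docs, max_skew=timedelta(days=1)):
    """Return (event, problem, detail) tuples: documents with _ignored fields,
    and documents whose @timestamp is far from the S3 object's Last-Modified
    (a sign it was stamped with the read time rather than the event time)."""
    findings = []
    for d in docs:
        if d.get("_ignored"):
            findings.append((d["event"], "ignored_fields", tuple(d["_ignored"])))
        skew = abs(parse(d["@timestamp"]) - parse(d["s3_last_modified"]))
        if skew > max_skew:
            findings.append((d["event"], "timestamp_far_from_last_modified", d["@timestamp"]))
    return findings


def preferred_timestamp(doc):
    """Pick @timestamp the way the issue proposes: the event's own time if it
    has one, otherwise the S3 object's Last-Modified, never the read time."""
    src = doc.get("event_time") or doc["s3_last_modified"]
    return parse(src).isoformat()
```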