[filebeat] fix crowdstrike ingest pipeline (#27623) (#27729)

* fix: fix crowdstrike ingest pipeline fix process fields that were being created as flattened fields * docs: add line to changelog.next added line about the pr in the changelog.next file * docs: add links in changelog corrected the links to the issue and pr in changelog * Update CHANGELOG.next.asciidoc Fixed capitalization. (cherry picked from commit 825bfb2) Co-authored-by: Leandro Maciel <leandrojmp@gmail.com> Co-authored-by: Marius Iversen <marius.iversen@elastic.co>
elastic · Oct 25, 2021 · aa75e6c · aa75e6c
1 parent 5e13001
commit aa75e6c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -48,6 +48,9 @@ to `legacy`. {pull}28538[28538]
 - Disable the option of running --machine-learning on its own. {pull}20241[20241]
 - Fix PANW field spelling "veredict" to "verdict" on event.action {pull}18808[18808]
 - Add support for GMT timezone offsets in `decode_cef`. {pull}20993[20993]
+- Remove all alias fields pointing to ECS fields from modules. This affects the Suricata and Traefik modules. {issue}10535[10535] {pull}26627[26627]
+- Add option for S3 input to work without SQS notification {issue}18205[18205] {pull}27332[27332]
+- Fix Crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27622[27622] {pull}27623[27623]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml
@@ -284,9 +284,10 @@ processors:
  def args = Arrays.asList(/ /.split(commandLine));
  args.removeIf(arg -> arg == "");
 
- ctx["process.command_line"] = commandLine;
- ctx["process.args"] = args;
- ctx["process.executable"] = args.get(0);
+ ctx['process'] = new HashMap();
+ ctx.process.command_line = commandLine;
+ ctx.process.args = args;
+ ctx.process.executable = args.get(0);
  }
  }
  - pipeline: