
crowdstrike: append preserve_original_event in pipeline on_failure handlers#17780

Draft
navnit-elastic wants to merge 1 commit into elastic:main from navnit-elastic:17690-crowdstrike

Conversation

@navnit-elastic (Contributor)

Proposed commit message

crowdstrike: append preserve_original_event in pipeline on_failure handlers

- Add top-level on_failure with preserve_original_event to falcon and fdr pipelines
  that were missing it.
- Fix fim_rule_matched to append preserve_original_event to tags (not
  event.kind) in both the conditional processor and on_failure block.

Ensures failed events can be corrected and debugged per Fleet package
code review guidance.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist


How to test this PR locally

Pipeline test results:

--- Test results for package: crowdstrike - START ---
╭─────────────┬─────────────┬───────────┬──────────────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE     │ DATA STREAM │ TEST TYPE │ TEST NAME                                                                    │ RESULT │ TIME ELAPSED │
├─────────────┼─────────────┼───────────┼──────────────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-event-stream.log)                             │ PASS   │ 352.987834ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-audit-events.log)                      │ PASS   │ 391.308125ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-auth-activity.log)                     │ PASS   │ 384.316292ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-cspmioa-streaming.log)                 │ PASS   │ 340.380625ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-cspmsearch-streaming.log)              │ PASS   │ 406.377042ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-customer-ioc-event.log)                │ PASS   │ 413.569417ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-data-protection-detection-summary.log) │ PASS   │ 404.570458ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-detection-summary.log)                 │ PASS   │ 390.008291ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-epp-detection-summary.log)             │ PASS   │    413.744ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-events.log)                            │ PASS   │ 371.417709ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-firewall.log)                          │ PASS   │ 405.174791ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-identity-protection-incident.log)      │ PASS   │ 422.778834ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-incident-summary.log)                  │ PASS   │ 391.342041ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-ipd-summary.log)                       │ PASS   │ 377.737709ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-mobile-detection-summary.log)          │ PASS   │ 358.021375ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-non-object-dropped.log)                │ PASS   │ 400.200125ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-recon-notification.log)                │ PASS   │ 413.563334ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-remote-response.log)                   │ PASS   │ 409.077833ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-sample.log)                            │ PASS   │ 480.416833ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-tags-list.log)                         │ PASS   │ 455.884875ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-tags.log)                              │ PASS   │ 377.759375ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-user-activity.log)                     │ PASS   │  411.21725ms │
│ crowdstrike │ falcon      │ pipeline  │ (ingest pipeline warnings test-falcon-xdr-detection-summary.log)             │ PASS   │ 425.370584ms │
│ crowdstrike │ falcon      │ pipeline  │ test-event-stream.log                                                        │ PASS   │ 163.538541ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-audit-events.log                                                 │ PASS   │ 116.011375ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-auth-activity.log                                                │ PASS   │  76.128458ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-cspmioa-streaming.log                                            │ PASS   │  80.341083ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-cspmsearch-streaming.log                                         │ PASS   │  72.620667ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-customer-ioc-event.log                                           │ PASS   │ 129.022042ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-data-protection-detection-summary.log                            │ PASS   │  91.583666ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-detection-summary.log                                            │ PASS   │     97.335ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-epp-detection-summary.log                                        │ PASS   │ 273.770875ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-events.log                                                       │ PASS   │  98.430375ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-firewall.log                                                     │ PASS   │  80.604041ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-identity-protection-incident.log                                 │ PASS   │  70.279125ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-incident-summary.log                                             │ PASS   │  67.396625ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-ipd-summary.log                                                  │ PASS   │  77.056042ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-mobile-detection-summary.log                                     │ PASS   │  79.566209ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-non-object-dropped.log                                           │ PASS   │  64.864834ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-recon-notification.log                                           │ PASS   │  68.753333ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-remote-response.log                                              │ PASS   │   72.75875ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-sample.log                                                       │ PASS   │ 115.595833ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-tags-list.log                                                    │ PASS   │  63.322666ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-tags.log                                                         │ PASS   │  67.568125ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-user-activity.log                                                │ PASS   │  68.502459ms │
│ crowdstrike │ falcon      │ pipeline  │ test-falcon-xdr-detection-summary.log                                        │ PASS   │  80.815208ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-data.log)                                     │ PASS   │ 439.525583ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-cspm-ioa.log)                             │ PASS   │ 377.378458ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-cspm-iom-evaluation.log)                  │ PASS   │ 415.875958ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-cspm-iom.log)                             │ PASS   │ 464.898625ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-data-protection-detection-summary.log)    │ PASS   │   398.8725ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-epp-detection-summary.log)                │ PASS   │ 483.355416ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-fim-rule-matched-enriched.log)            │ PASS   │ 437.466334ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-fim-rule-matched-linux.log)               │ PASS   │ 378.407583ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-fim-rule-matched-windows.log)             │ PASS   │ 400.540791ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-geoip-disabled.log)                       │ PASS   │ 402.739334ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-lengthy-field-delete.log)                 │ PASS   │ 460.896875ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-lengthy-field-index.log)                  │ PASS   │    389.805ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr.log)                                      │ PASS   │ 420.643334ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdrv2-notmanaged.log)                         │ PASS   │ 390.062334ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-linux.log)                                    │ PASS   │ 407.910625ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-macos.log)                                    │ PASS   │ 402.158667ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-tags-formats.log)                             │ PASS   │ 398.439834ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-user-map.log)                                 │ PASS   │ 395.999959ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-windows.log)                                  │ PASS   │ 396.920417ms │
│ crowdstrike │ fdr         │ pipeline  │ test-data.log                                                                │ PASS   │ 135.687458ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-cspm-ioa.log                                                        │ PASS   │ 111.996667ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-cspm-iom-evaluation.log                                             │ PASS   │   93.97875ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-cspm-iom.log                                                        │ PASS   │  99.310041ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-data-protection-detection-summary.log                               │ PASS   │   93.61525ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-epp-detection-summary.log                                           │ PASS   │ 335.037625ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-fim-rule-matched-enriched.log                                       │ PASS   │  105.53325ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-fim-rule-matched-linux.log                                          │ PASS   │ 172.108792ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-fim-rule-matched-windows.log                                        │ PASS   │ 115.724333ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-geoip-disabled.log                                                  │ PASS   │   97.56975ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-lengthy-field-delete.log                                            │ PASS   │  86.342292ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-lengthy-field-index.log                                             │ PASS   │  81.759375ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr.log                                                                 │ PASS   │ 1.402790959s │
│ crowdstrike │ fdr         │ pipeline  │ test-fdrv2-notmanaged.log                                                    │ PASS   │  80.011958ms │
│ crowdstrike │ fdr         │ pipeline  │ test-linux.log                                                               │ PASS   │ 146.016375ms │
│ crowdstrike │ fdr         │ pipeline  │ test-macos.log                                                               │ PASS   │ 241.224459ms │
│ crowdstrike │ fdr         │ pipeline  │ test-tags-formats.log                                                        │ PASS   │  78.452792ms │
│ crowdstrike │ fdr         │ pipeline  │ test-user-map.log                                                            │ PASS   │     81.606ms │
│ crowdstrike │ fdr         │ pipeline  │ test-windows.log                                                             │ PASS   │ 1.329215917s │
╰─────────────┴─────────────┴───────────┴──────────────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: crowdstrike - END   ---
Done

Related issues

Screenshots
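The convention the commit message describes, as an added check that is not code from this PR or the elastic/integrations repository: it lints ingest pipeline definitions (constructed here in Elasticsearch's JSON form, the same structure as the package YAML) for a top-level on_failure that appends preserve_original_event to tags, and flags the fim_rule_matched-style mistake of appending it to event.kind instead.

```python
import json

TAG = "preserve_original_event"


def _is_append(proc, field):
    """True if `proc` is an append processor that writes TAG to `field`."""
    body = proc.get("append")
    if not body or body.get("field") != field:
        return False
    value = body.get("value", [])
    return TAG in (value if isinstance(value, list) else [value])


def _walk(processors):
    """Yield every processor, descending into per-processor on_failure lists."""
    for proc in processors:
        yield proc
        for body in proc.values():
            if isinstance(body, dict):
                yield from _walk(body.get("on_failure", []))


def check_pipeline(pipeline):
    """Return findings for one pipeline definition; an empty list means compliant."""
    findings = []
    top = pipeline.get("on_failure", [])
    if not top:
        findings.append("missing top-level on_failure handler")
    elif not any(_is_append(p, "tags") for p in top):
        findings.append("top-level on_failure does not append %s to tags" % TAG)
    for proc in _walk(pipeline.get("processors", []) + top):
        if _is_append(proc, "event.kind"):
            findings.append("%s appended to event.kind instead of tags" % TAG)
    return findings


# Constructed sample pipelines in Elasticsearch's JSON form (same shape as the YAML).
GOOD = json.loads('{"processors": [{"set": {"field": "event.kind", "value": "event"}}],'
                  ' "on_failure": [{"append": {"field": "tags", "value": ["preserve_original_event"]}},'
                  ' {"set": {"field": "error.message", "value": "{{{ _ingest.on_failure_message }}}"}}]}')
NO_HANDLER = json.loads('{"processors": [{"json": {"field": "message", "target_field": "crowdstrike"}}]}')
WRONG_FIELD = json.loads('{"processors": [{"date": {"field": "timestamp", "formats": ["UNIX"],'
                         ' "on_failure": [{"append": {"field": "event.kind", "value": "preserve_original_event"}}]}}],'
                         ' "on_failure": [{"append": {"field": "tags", "value": "preserve_original_event"}}]}')

if __name__ == "__main__":
    for name, p in [("good", GOOD), ("no_handler", NO_HANDLER), ("wrong_field", WRONG_FIELD)]:
        print(name, check_pipeline(p) or ["ok"])
```

Run against a package's pipeline files after loading each one with a YAML parser, the same three findings apply unchanged.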

@navnit-elastic navnit-elastic self-assigned this Mar 12, 2026
@navnit-elastic navnit-elastic added the labels enhancement, Integration:crowdstrike, Team:Security-Service Integrations and Team:SDE-Crest on Mar 12, 2026
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

Package crowdstrike 👍(5) 💚(2) 💔(3)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| falcon | 4132.23 | 3052.5 | -1079.73 (-26.13%) | 💔 |
| host | 4424.78 | 2985.97 | -1438.81 (-32.52%) | 💔 |
| alert | 1647.45 | 1367.99 | -279.46 (-16.96%) | 💔 |

To see the full report, comment with `/test benchmark fullreport`

@elasticmachine

💚 Build Succeeded

cc @navnit-elastic


Development

Successfully merging this pull request may close these issues.

[CrowdStrike] Add preserve_original_event to pipeline on_failure handlers
