ti_crowdstrike: fix mapping type for ioc.value field (elastic#11703)

The ingest pipeline handles both IP and hash IOCs, but the fields definitions state that the field is an ip type. This prevents users from being able to make use of this field for hash IOCs. So change the type to a keyword. This is a breaking change.
harnish-elastic · Nov 18, 2024 · 1ebf387 · 1ebf387
1 parent 7d8db5e
commit 1ebf387
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 6 deletions.
diff --git a/packages/ti_crowdstrike/changelog.yml b/packages/ti_crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.0.0"
+  changes:
+    - description: Fix mapping type for `ioc.value` field.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11703
 - version: "1.2.0"
   changes:
     - description: Set transform unattended to true for indefinite retries.

diff --git a/packages/ti_crowdstrike/data_stream/ioc/fields/fields.yml b/packages/ti_crowdstrike/data_stream/ioc/fields/fields.yml
@@ -55,5 +55,5 @@
       type: keyword
       description: The type of indicator.
     - name: value
-      type: ip
+      type: keyword
       description: The specific value of the indicator.
diff --git a/packages/ti_crowdstrike/docs/README.md b/packages/ti_crowdstrike/docs/README.md
@@ -454,4 +454,4 @@ An example event for `ioc` looks as following:
 | ti_crowdstrike.ioc.severity | Indicates the severity level associated with the detection. | keyword |
 | ti_crowdstrike.ioc.tags | Tags associated with the IOC. | keyword |
 | ti_crowdstrike.ioc.type | The type of indicator. | keyword |
-| ti_crowdstrike.ioc.value | The specific value of the indicator. | ip |
+| ti_crowdstrike.ioc.value | The specific value of the indicator. | keyword |
diff --git a/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/fields/fields.yml b/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/fields/fields.yml
@@ -55,5 +55,5 @@
       type: keyword
       description: The type of indicator.
     - name: value
-      type: ip
+      type: keyword
       description: The specific value of the indicator.
diff --git a/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/transform.yml b/packages/ti_crowdstrike/elasticsearch/transform/latest_ioc/transform.yml
@@ -9,7 +9,7 @@ source:
 # us that ability in order to prevent having duplicate IoC data and prevent query
 # time field type conflicts.
 dest:
-  index: "logs-ti_crowdstrike_latest.dest_ioc-4"
+  index: "logs-ti_crowdstrike_latest.dest_ioc-5"
   aliases:
     - alias: "logs-ti_crowdstrike_latest.ioc"
       move_on_creation: true
@@ -35,4 +35,4 @@ _meta:
   managed: true
   # Bump this version to delete, reinstall, and restart the transform during package.
   # Version bump is needed if there is any code change in transform.
-  fleet_transform_version: 0.4.0
+  fleet_transform_version: 0.5.0
diff --git a/packages/ti_crowdstrike/manifest.yml b/packages/ti_crowdstrike/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_crowdstrike
 title: CrowdStrike Falcon Intelligence
-version: "1.2.0"
+version: "2.0.0"
 description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent.
 type: integration
 categories: