crowdstrike: add pipeline processor tags via elastic-package and expose in on_failure #17437

Draft
navnit-elastic wants to merge 1 commit into elastic:main from navnit-elastic:crowdstrike-integration_quality-phase_1-add_tags

Conversation

@navnit-elastic (Contributor) commented Feb 17, 2026 (edited)

Proposed commit message

crowdstrike: add pipeline processor tags via elastic-package and expose in on_failure

- Run `elastic-package modify -m pipeline-tag` to add a `tag` key to
  each processor in ingest pipelines (part of integration quality
  phase-1 improvements).
- Update on_failure append to error.message to include
  _ingest.on_failure_processor_tag so pipeline failures can be traced
  by processor tag.

Note

This PR follows:#17435

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Tested all 4 packages' processors now have tags:

```bash
for pkg in ti_abusech o365 m365_defender sentinel_one; do
  find "packages/$pkg" -path '*/data_stream/*/elasticsearch/ingest_pipeline/*.yml' -type f 2>/dev/null | while read -r f; do
    missing=$(yq '.processors[] | select((to_entries[0].value | has("tag")) | not) | to_entries[0].key' "$f" 2>/dev/null)
    echo "=== $f ==="
    if [ -n "$missing" ]; then
      data_stream=$(echo "$f" | sed 's|.*/data_stream/\([^/]*\)/.*|\1|')
      pipeline=$(basename "$f" .yml)
      echo "data stream: $data_stream, pipeline: $pipeline"
      echo "$missing"
    else
      echo "all processors have tags"
    fi
    echo ""
  done
done
```
Output
```
=== packages/crowdstrike/data_stream/host/elasticsearch/ingest_pipeline/default.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/categorize.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/fim_rule_matched.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/epp_detection_summary.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/data_protection_detection_summary.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/cspm_ioa.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/outbound_network.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/cspm_iom.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/inbound_network.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/epp_detection_summary.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/data_protection_detection_summary.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/recon_notification_summary.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/customer_ioc_event.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/xdr_detection_summary.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/ipd_detection_summary.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/scheduled_report_notification_event.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/cspm_events.yml ===
all processors have tags

=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/mobile_detection_summary.yml ===
all processors have tags
```

Related issues

Screenshots
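An added example, not code from this PR or from the integrations repository: a stricter audit than the top-level `.processors[]` check in the description. It also descends into per-processor `on_failure` handlers and the processor wrapped by `foreach`, and checks that the pipeline-level `on_failure` append to `error.message` references `_ingest.on_failure_processor_tag`. The sample pipeline, its tag names and the function names are constructed for illustration; the pipeline is given in JSON form so only the standard library is needed.

```python
import json

TAG_REF = "_ingest.on_failure_processor_tag"

# Constructed sample pipeline (JSON form); not taken from the crowdstrike package.
SAMPLE = json.loads("""
{"processors": [
    {"set": {"tag": "set_ecs_version", "field": "ecs.version", "value": "8.17.0"}},
    {"rename": {"field": "message", "target_field": "event.original",
                "on_failure": [{"remove": {"field": "message"}}]}},
    {"foreach": {"tag": "foreach_raw_tags", "field": "raw_tags",
                 "processor": {"append": {"field": "tags", "value": "{{{_ingest._value}}}"}}}}
 ],
 "on_failure": [
    {"append": {"field": "error.message",
                "value": "Processor {{{_ingest.on_failure_processor_type}}} failed: {{{_ingest.on_failure_message}}}"}}
 ]}
""")

def untagged(processors, path="processors"):
    """Yield the location of every processor without a non-empty tag, descending
    into per-processor on_failure handlers and the processor wrapped by foreach."""
    for i, proc in enumerate(processors):
        (ptype, body), = proc.items()  # a processor is a single-key mapping
        here = f"{path}[{i}].{ptype}"
        if not body.get("tag"):
            yield here
        yield from untagged(body.get("on_failure", []), here + ".on_failure")
        if ptype == "foreach" and "processor" in body:
            yield from untagged([body["processor"]], here + ".processor")

def handler_reports_tag(pipeline):
    """True if a pipeline-level on_failure append to error.message references the tag."""
    for proc in pipeline.get("on_failure", []):
        (ptype, body), = proc.items()
        if ptype == "append" and body.get("field") == "error.message":
            value = body.get("value")
            values = value if isinstance(value, list) else [value]
            if any(TAG_REF in str(v) for v in values):
                return True
    return False

def audit(pipeline):
    """Summarise both checks for one pipeline definition."""
    return {"untagged": list(untagged(pipeline.get("processors", []))),
            "on_failure_reports_tag": handler_reports_tag(pipeline)}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

On the constructed sample this flags the untagged `rename`, its nested `remove`, and the `append` inside `foreach`, and reports that the failure handler does not yet record the processor tag.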

@navnit-elastic self-assigned this Feb 17, 2026

@navnit-elastic added labels Feb 17, 2026:

  • enhancement (New feature or request)
  • Category: Integration quality (Category: Quality used for SI planning)
  • Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations])
  • Team:Sit-Crest (Crest developers on the Security Integrations team [elastic/sit-crest-contractors])
  • Integration:crowdstrike (CrowdStrike)
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with `/test benchmark fullreport`

@elasticmachine

💚 Build Succeeded

cc @navnit-elastic
