Proposed commit message
crowdstrike: add pipeline processor tags via elastic-package and expose in on_failure

- Run `elastic-package modify -m pipeline-tag` to add a `tag` key to each processor in ingest pipelines (part of integration quality phase-1 improvements).
- Update on_failure append to error.message to include _ingest.on_failure_processor_tag so pipeline failures can be traced by processor tag.
Checklist
Author's Checklist
How to test this PR locally
Tested all 4 packages' processors now have tags:
```bash
for pkg in ti_abusech o365 m365_defender sentinel_one; do
  find "packages/$pkg" -path '*/data_stream/*/elasticsearch/ingest_pipeline/*.yml' -type f 2>/dev/null | while read -r f; do
    missing=$(yq '.processors[] | select((to_entries[0].value | has("tag")) | not) | to_entries[0].key' "$f" 2>/dev/null)
    echo "=== $f ==="
    if [ -n "$missing" ]; then
      data_stream=$(echo "$f" | sed 's|.*/data_stream/\([^/]*\)/.*|\1|')
      pipeline=$(basename "$f" .yml)
      echo "data stream: $data_stream, pipeline: $pipeline"
      echo "$missing"
    else
      echo "all processors have tags"
    fi
    echo ""
  done
done
```

Output
```
=== packages/crowdstrike/data_stream/host/elasticsearch/ingest_pipeline/default.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/categorize.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/fim_rule_matched.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/epp_detection_summary.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/data_protection_detection_summary.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/cspm_ioa.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/outbound_network.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/cspm_iom.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/inbound_network.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/epp_detection_summary.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/data_protection_detection_summary.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/recon_notification_summary.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/customer_ioc_event.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/xdr_detection_summary.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/ipd_detection_summary.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/scheduled_report_notification_event.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/cspm_events.yml ===
all processors have tags
=== packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/mobile_detection_summary.yml ===
all processors have tags
```
Related issues
Screenshots
Note
This PR follows: #17435
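An added example, not code from this PR or from the elastic/integrations repository: a Python lint that applies both points of the commit message to an ingest pipeline already parsed into a dict. It goes beyond the yq check in the test script by descending into per-processor `on_failure` handlers and by flagging reused tags (an added strictness, not an Elasticsearch requirement); the sample pipeline, its tag names and the function names `walk` and `lint` are constructed for illustration.

```python
TAG_FIELD = "_ingest.on_failure_processor_tag"

# Constructed sample pipeline (not taken from the crowdstrike package).
SAMPLE = {
    "processors": [
        {"set": {"tag": "set_ecs_version", "field": "ecs.version", "value": "8.17.0"}},
        {"rename": {"tag": "rename_message", "field": "message",
                    "target_field": "event.original",
                    "on_failure": [{"remove": {"field": "message"}}]}},
        {"date": {"tag": "set_ecs_version", "field": "ts", "formats": ["ISO8601"]}},
    ],
    "on_failure": [
        {"append": {"field": "error.message",
                    "value": "Processor {{{_ingest.on_failure_processor_type}}} "
                             "failed: {{{_ingest.on_failure_message}}}"}},
    ],
}


def walk(processors, path):
    """Yield (path, type, config) per processor, descending into its on_failure."""
    for i, proc in enumerate(processors):
        (ptype, cfg), = proc.items()  # each processor is a single-key mapping
        here = f"{path}[{i}].{ptype}"
        yield here, ptype, cfg
        yield from walk(cfg.get("on_failure", []), here + ".on_failure")


def lint(pipeline):
    """Return findings for missing or duplicate tags and an untraceable on_failure."""
    findings, seen = [], {}
    for here, _, cfg in walk(pipeline.get("processors", []), "processors"):
        tag = cfg.get("tag")
        if not tag:
            findings.append(f"{here}: missing tag")
        elif tag in seen:  # added strictness: a reused tag makes the trace ambiguous
            findings.append(f"{here}: tag '{tag}' duplicates {seen[tag]}")
        else:
            seen[tag] = here
    reports_tag = any(
        ptype == "append" and cfg.get("field") == "error.message"
        and TAG_FIELD in str(cfg.get("value", ""))
        for _, ptype, cfg in walk(pipeline.get("on_failure", []), "on_failure"))
    if not reports_tag:
        findings.append(f"on_failure: error.message does not include {TAG_FIELD}")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

An empty list from `lint` means every processor it visits carries a unique tag and the pipeline-level handler writes that tag into `error.message`.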