[Crowdstrike,Azure] Fix flaky tests with ECS fields (elastic#9738)

kcreddy · web-flow · commit c90e8173ebe6 · 2024-04-30T11:32:17.000+05:30
* Fix flaky pipeline tests.

   * `azure.graphactivitylogs`: Add missing ECS field definitions.

   * `crowdstrike.falcon`: Update `geoip` processor to `destination` instead of `source`.
diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.11.2"
+  changes:
+    - description: Add missing ECS field definitions.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/9738
 - version: "1.11.1"
   changes:
     - description: Update description for event hub parameter name recommendations.
diff --git a/packages/azure/data_stream/graphactivitylogs/_dev/test/pipeline/test-common-config.yml b/packages/azure/data_stream/graphactivitylogs/_dev/test/pipeline/test-common-config.yml
@@ -1,7 +1,6 @@
 fields:
   tags:
     - preserve_original_event
-
 dynamic_fields:
   # This can be removed after ES 8.14 is the minimum version.
   # Relates: https://github.com/elastic/elasticsearch/pull/105689
diff --git a/packages/azure/data_stream/graphactivitylogs/fields/ecs.yml b/packages/azure/data_stream/graphactivitylogs/fields/ecs.yml
@@ -1,3 +1,7 @@
+- name: client.as.number
+  external: ecs
+- name: client.as.organization.name
+  external: ecs
 - name: client.ip
   external: ecs
 - name: client.geo.city_name
@@ -56,6 +60,10 @@
   external: ecs
 - name: source.address
   external: ecs
+- name: source.as.number
+  external: ecs
+- name: source.as.organization.name
+  external: ecs
 - name: source.geo.city_name
   external: ecs
 - name: source.geo.continent_name
diff --git a/packages/azure/docs/graphactivitylogs.md b/packages/azure/docs/graphactivitylogs.md
@@ -253,6 +253,9 @@ An example event for `graphactivitylogs` looks as following:
 | azure.resource.provider | Resource type/namespace. | keyword |
 | azure.subscription_id | Azure subscription ID. | keyword |
 | azure.tenant_id | tenant ID. | keyword |
+| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| client.as.organization.name | Organization name. | keyword |
+| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text |
 | client.geo.city_name | City name. | keyword |
 | client.geo.continent_name | Name of the continent. | keyword |
 | client.geo.country_iso_code | Country ISO code. | keyword |
@@ -317,6 +320,9 @@ An example event for `graphactivitylogs` looks as following:
 | related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names or other user identifiers seen on the event. | keyword |
 | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
 | source.geo.city_name | City name. | keyword |
 | source.geo.continent_name | Name of the continent. | keyword |
 | source.geo.country_iso_code | Country ISO code. | keyword |
diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml
@@ -1,6 +1,6 @@
 name: azure
 title: Azure Logs
-version: 1.11.1
+version: 1.11.2
 description: This Elastic integration collects logs from Azure
 type: integration
 icons:
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.32.2"
+  changes:
+    - description: Fix geoip mapping to destination.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/9738
 - version: "1.32.1"
   changes:
     - description: Fix cache option name in FDR data stream.
diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
@@ -323,7 +323,7 @@ processors:
   - geoip:
       database_file: GeoLite2-ASN.mmdb
       field: destination.ip
-      target_field: source.as
+      target_field: destination.as
       properties:
         - asn
         - organization_name
diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.32.1"
+version: "1.32.2"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.0.0"
