related.ip
Our FDR pipeline currently adds observer.ip, source.ip and destination.ip to related.hosts, but customer feedback suggests they should be added to the related.ip field instead of related.hosts.
https://github.com/elastic/integrations/blob/main/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml#L1342
https://github.com/elastic/integrations/blob/main/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml#L1834
https://github.com/elastic/integrations/blob/main/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml#L1839
crowdstrike.FirstSeen
Customer has suggested this field be mapped to @timestamp. What field do we currently rely on to generate the timestamp? We do have a threat.indicator.first_seen, but it is not a good fit here, as it relates more to IOCs.
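An added illustration of the related.ip change requested above (not the integration's own pipeline): three Elasticsearch `append` processors that copy observer.ip, source.ip and destination.ip into related.ip, each guarded so a document missing the field does not fail. Only the field names come from the issue; processor order and the `allow_duplicates` setting are assumptions.

```yaml
# Added illustration of the proposed fix; not the crowdstrike integration's own default.yml.
# Per the issue, the existing processors append these values to related.hosts;
# the processors below target related.ip instead.
# Only the three source field names come from the issue; everything else is assumed.
processors:
  - append:
      field: related.ip
      value: '{{{observer.ip}}}'
      allow_duplicates: false          # keep related.ip a set, not a list with repeats
      if: ctx.observer?.ip != null     # skip when the event carries no observer.ip
  - append:
      field: related.ip
      value: '{{{source.ip}}}'
      allow_duplicates: false
      if: ctx.source?.ip != null
  - append:
      field: related.ip
      value: '{{{destination.ip}}}'
      allow_duplicates: false
      if: ctx.destination?.ip != null
```

A quick check is to run `POST _ingest/pipeline/_simulate` with a document carrying those three fields and confirm that related.ip contains them while related.hosts no longer does.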