crowdstrike: prevent ingestion of duplicate event IDs (#5669)

Author: efd6

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.11.2"
+  changes:
+    - description: Reduce duplicate document ingestion.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/5669
 - version: "1.11.1"
   changes:
     - description: Multiple IPs in `aip` field and add new fields

packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml

@@ -394,6 +394,16 @@ processors:
       if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
       ignore_failure: true
       ignore_missing: true
+  - fingerprint:
+      fields:
+        - '@timestamp'
+        - crowdstrike.event.SessionId
+        - crowdstrike.event.DetectId
+        - crowdstrike.metadata.eventType
+        - crowdstrike.metadata.customerIDString
+      target_field: _id
+      ignore_missing: true
+
   - script:
       lang: painless
       description: This script processor iterates over the whole document to remove fields with null values.

packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml

@@ -179,6 +179,15 @@ processors:
       type: integer
       if: (ctx.crowdstrike?.localipCount != null && ctx.crowdstrike?.localipCount != "")
 
+  - fingerprint:
+      fields:
+        - '@timestamp'
+        - crowdstrike.id
+        - crowdstrike.aid
+        - crowdstrike.cid
+      target_field: _id
+      ignore_missing: true
+
   ## ECS fields.
   - set:
       field: ecs.version

packages/crowdstrike/manifest.yml

@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.11.1"
+version: "1.11.2"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: 1.0.0