Expose FDR cache options for more flexibility

Author: marc-gr

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.0"
+ changes:
+ - description: Expose FDR cache options for more flexibility
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9063
 - version: "1.28.1"
  changes:
  - description: Changed owners

packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs

@@ -69,8 +69,10 @@ processors:
  then:
  - cache:
  backend:
+ capacity: {{metadata_cache_capacity}}
  file:
  id: aidmaster
+ write_period: {{metadata_cache_write_period}}
  put:
  ttl: {{metadata_ttl}}
  key_field: crowdstrike.aid
@@ -89,8 +91,10 @@ processors:
  then:
  - cache:
  backend:
+ capacity: {{metadata_cache_capacity}}
  file:
  id: userinfo
+ write_period: {{metadata_cache_write_period}}
  put:
  ttl: {{metadata_ttl}}
  key_field: crowdstrike.UserSid_readable

packages/crowdstrike/data_stream/fdr/agent/stream/stream.yml.hbs

@@ -34,8 +34,10 @@ processors:
  then:
  - cache:
  backend:
+ capacity: {{metadata_cache_capacity}}
  file:
  id: aidmaster
+ write_period: {{metadata_cache_write_period}}
  put:
  ttl: {{metadata_ttl}}
  key_field: crowdstrike.aid
@@ -54,8 +56,10 @@ processors:
  then:
  - cache:
  backend:
+ capacity: {{metadata_cache_capacity}}
  file:
  id: userinfo
+ write_period: {{metadata_cache_write_period}}
  put:
  ttl: {{metadata_ttl}}
  key_field: crowdstrike.UserSid_readable

packages/crowdstrike/data_stream/fdr/manifest.yml

@@ -64,6 +64,22 @@ streams:
  type: text
  multi: false
  default: 168h
+ - name: metadata_cache_capacity
+ required: true
+ show_user: true
+ title: Metadata cache capacity
+ description: The maximum amount of metadata objects to cache. Operations that would cause the capacity to be exceeded will result in evictions of the oldest elements. The capacity should not be lower than the number of elements that are expected to be referenced when processing the input as evicted elements are lost. Values at or below zero indicate no limit.
+ type: text
+ multi: false
+ default: 0
+ - name: metadata_cache_write_period
+ required: true
+ show_user: true
+ title: Metadata cache write period
+ description: The interval between periodic cache writes to the backing file. Valid time units are h, m, s, ms, us/µs and ns. The contents are always written out to the backing file when the processor is closed. Default is zero, no periodic writes.
+ type: text
+ multi: false
+ default: 0
  - name: preserve_original_event
  required: true
  show_user: true

packages/crowdstrike/manifest.yml

@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.28.1"
+version: "1.29.0"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.0.0"