[crowdstrike] Expose FDR cache options for more flexibility

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.0"
+ changes:
+ - description: Expose FDR cache options for more flexibility
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9063
 - version: "1.28.3"
  changes:
  - description: Fix drive letter parsing.

packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs

@@ -69,8 +69,10 @@ processors:
  then:
  - cache:
  backend:
+ capacity: {{metadata_cache_capacity}}
  file:
  id: aidmaster
+ write_period: {{metadata_cache_write_period}}
  put:
  ttl: {{metadata_ttl}}
  key_field: crowdstrike.aid
@@ -89,8 +91,10 @@ processors:
  then:
  - cache:
  backend:
+ capacity: {{metadata_cache_capacity}}
  file:
  id: userinfo
+ write_period: {{metadata_cache_write_period}}
  put:
  ttl: {{metadata_ttl}}
  key_field: crowdstrike.UserSid_readable

packages/crowdstrike/data_stream/fdr/agent/stream/stream.yml.hbs

@@ -34,8 +34,10 @@ processors:
  then:
  - cache:
  backend:
+ capacity: {{metadata_cache_capacity}}
  file:
  id: aidmaster
+ write_period: {{metadata_cache_write_period}}
  put:
  ttl: {{metadata_ttl}}
  key_field: crowdstrike.aid
@@ -54,8 +56,10 @@ processors:
  then:
  - cache:
  backend:
+ capacity: {{metadata_cache_capacity}}
  file:
  id: userinfo
+ write_period: {{metadata_cache_write_period}}
  put:
  ttl: {{metadata_ttl}}
  key_field: crowdstrike.UserSid_readable

packages/crowdstrike/data_stream/fdr/manifest.yml

@@ -64,6 +64,22 @@ streams:
  type: text
  multi: false
  default: 168h
+ - name: metadata_cache_capacity
+ required: true
+ show_user: false
+ title: Metadata cache capacity
+ description: "The maximum amount of metadata objects to cache. Operations that would cause the capacity to be exceeded will result in evictions of the oldest elements. The capacity should not be lower than the number of elements that are expected to be referenced when processing the input as evicted elements are lost. Values at or below zero indicate no limit. \nWARNING: This setting needs to be set only if the amount of metadata elements is known beforehand, otherwise it might lead to enrichment data loss. If you are not sure, leave it untouched.\n"
+ type: text
+ multi: false
+ default: 0
+ - name: metadata_cache_write_period
+ required: true
+ show_user: false
+ title: Metadata cache write period
+ description: The interval between periodic cache writes to the backing file. Valid time units are h, m, s, ms, us/µs and ns. The contents are always written out to the backing file when the processor is closed. Default is zero, no periodic writes.
+ type: text
+ multi: false
+ default: 0
  - name: preserve_original_event
  required: true
  show_user: true

packages/crowdstrike/manifest.yml

@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.28.3"
+version: "1.29.0"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.0.0"