From 35fe3188702baa6cdc742e57c8da39e3c71e49e5 Mon Sep 17 00:00:00 2001
From: Marius Iversen
Date: Tue, 5 Sep 2023 14:59:06 +0200
Subject: [PATCH 1/2] [Filebeat][Crowdstrike] Adding fix to ingest pipeline for command line array handling (#36496)

* [Filebeat][Crowdstrike] Adding fix to ingest pipeline for command line args array handling
* changelog PR link update
* adding missing semicolon
* adding testdata to test the process commandline arg being an empty string
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/crowdstrike/falcon/ingest/pipeline.yml | 2 +-
 .../module/crowdstrike/falcon/test/falcon-events.log | 2 +-
 .../falcon/test/falcon-events.log-expected.json | 11 ++++++-----
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index d95e5fbb547..8e38ea153ad 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -102,6 +102,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix Filebeat Cisco module with missing escape character {issue}36325[36325] {pull}36326[36326]
 - Fix panic when redact option is not provided to CEL input. {issue}36387[36387] {pull}36388[36388]
 - Remove 'onFilteredOut' and 'onDroppedOnPublish' callback logs {issue}36299[36299] {pull}36399[36399]
+- Added a fix for Crowdstrike pipeline handling process arrays {pull}36496[36496]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml
index 9aeb653b488..94d312d7e11 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml
@@ -281,7 +281,7 @@ processors:
 commandLine = commandLine.trim();
 if (commandLine != "") {
- def args = Arrays.asList(/ /.split(commandLine));
+ def args = new ArrayList(Arrays.asList(/ /.split(commandLine)));
 args.removeIf(arg -> arg == "");
 ctx['process'] = new HashMap();
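Review bot: The new `def args = new ArrayList(Arrays.asList(/ /.split(commandLine)));` line still tokenizes on a single space, so a quoted argument or executable path that contains spaces is split into several `process.args` entries and tab-separated arguments are not split at all; detection content keyed on `process.args` will see mis-tokenized values for such events, and the limitation should at least be stated next to the split. The `ArrayList` copy is the actual fix because `Arrays.asList` returns a fixed-size list that `removeIf` cannot shrink, which is worth a one-line comment so nobody "simplifies" it back, e.g. `// Arrays.asList is fixed-size; copy so removeIf can drop empty tokens`. The commit message says the added test data covers an empty command-line argument, but the fixture change in falcon-events.log only appends `--test`; a fixture with a quoted path containing a space would document the current tokenization behaviour. The Painless script enclosing this hunk starts and ends outside it, and not all of the hunk's declared context lines are visible here.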
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log
index 0980bf0fb60..f7cb78602c8 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log
@@ -19,7 +19,7 @@
 "SeverityName": "High",
 "FileName": "explorer.exe",
 "FilePath": "\\Device\\HarddiskVolume1\\Windows",
- "CommandLine": "C:\\Windows\\Explorer.EXE",
+ "CommandLine": "C:\\Windows\\Explorer.EXE --test",
 "SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
 "MD5String": "ac4c51eb24aa95b77f705ab159189e24",
 "MachineDomain": "CORP-DOMAIN",
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
index 0756dfac477..9ed50798143 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
@@ -1,6 +1,6 @@
 [
 {
- "crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE",
+ "crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE --test",
 "crowdstrike.event.ComputerName": "alice-laptop",
 "crowdstrike.event.DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
 "crowdstrike.event.DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584",
@@ -67,9 +67,10 @@
 "log.offset": 0,
 "message": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
 "process.args": [
- "C:\\Windows\\Explorer.EXE"
+ "C:\\Windows\\Explorer.EXE",
+ "--test"
 ],
- "process.command_line": "C:\\Windows\\Explorer.EXE",
+ "process.command_line": "C:\\Windows\\Explorer.EXE --test",
 "process.executable": "C:\\Windows\\Explorer.EXE",
 "process.name": "explorer.exe",
 "process.pid": 38684386611,
@@ -126,7 +127,7 @@
 "log.flags": [
 "multiline"
 ],
- "log.offset": 2063,
+ "log.offset": 2071,
 "message": "Incident score 1.2",
 "service.type": "crowdstrike",
 "tags": [
@@ -169,7 +170,7 @@
 "log.flags": [
 "multiline"
 ],
- "log.offset": 2579,
+ "log.offset": 2587,
 "message": "quarantined_file_update",
 "related.user": [
 "Crowdstrike"

From 3b02b8a82a5adb95077ef6d61f8d153f9167fcc4 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Tue, 5 Sep 2023 15:26:07 +0200
Subject: [PATCH 2/2] docs: Prepare Changelog for 8.9.2 (#36501) (#36505)

* docs: Close changelog for 8.9.2
* Update CHANGELOG.asciidoc
---------
Co-authored-by: Pierre HILBERT
(cherry picked from commit fd9c588b9c34b0df07e42beb29cfecff272f5237)
Co-authored-by: Elastic Machine
---
 CHANGELOG.asciidoc | 18 ++++++++++++++++++
 CHANGELOG.next.asciidoc | 3 +++
 libbeat/docs/release.asciidoc | 1 +
 3 files changed, 22 insertions(+)

diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 29c218df468..f1adc06601a 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -3,6 +3,24 @@
 :issue: https://github.com/elastic/beats/issues/
 :pull: https://github.com/elastic/beats/pull/
+[[release-notes-8.9.2]]
+=== Beats version 8.9.2
+https://github.com/elastic/beats/compare/v8.9.1\...v8.9.2[View commits]
+
+==== Bugfixes
+
+*Filebeat*
+
+- Fix panic when redact option is not provided to CEL input. {issue}36387[36387] {pull}36388[36388]
+- Update mito CEL extension library to v1.5.0. {pull}36146[36146]
+
+==== Added
+
+*Metricbeat*
+
+- Add Azure resource tags support to Azure Billing module {pull}36428[36428]
+
+
 [[release-notes-8.9.1]]
 === Beats version 8.9.1
 https://github.com/elastic/beats/compare/v8.9.0\...v8.9.1[View commits]
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 8e38ea153ad..d9418e40c70 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -304,3 +304,6 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
+
+
+
diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc
index 71a8abbda9e..e750d59a2e8 100644
--- a/libbeat/docs/release.asciidoc
+++ b/libbeat/docs/release.asciidoc
@@ -8,6 +8,7 @@ This section summarizes the changes in each release. Also read <> for more detail about changes that affect upgrade.
+* <>
 * <>
 * <>
 * <>