Commit 5cf7dfc
[Crowdstrike Alert] adjust batch size to API limit (elastic#13862)
The CrowdStrike alert integration uses 2 API endpoints from CrowdStrike:
* /alerts/queries/alerts/v2 → to get the composite IDs of all open alerts
with a limit of 10000[1].
The returned composite_ids of the first API call are then sent with a
post again to the next endpoint:
* /alerts/entities/alerts/v2 → to get the alert details with a limit of
1000[2], which causes the integration to get an HTTP 413 request too
large error if there are more than 1000 composite IDs returned from the
first endpoint.
The current default value for the batch size is 10,000, potentially resulting
in requests to the second endpoint being rejected due to too many alert IDs.
Fix this by setting the maximum and default to 1000 instead of 10000.
[1]https://www.falconpy.io/Service-Collections/Alerts.html#getqueriesalertsv2
[2]https://www.falconpy.io/Service-Collections/Alerts.html#postentitiesalertsv2
1 parent 80f6d75
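As an added illustration (not code from the integration or from this commit), the Python below models the two-call flow the message describes against a constructed stand-in for the CrowdStrike API: the stand-in rejects an entities request carrying more than 1000 composite IDs with a 413, so paging the query endpoint with the old default of 10000 fails as soon as more than 1000 alerts are open, while 1000 keeps every POST within the limit. The endpoint paths and both limits come from the commit message; the class and function names, the stand-in's behaviour and the sample alerts are assumptions.

```python
from dataclasses import dataclass, field

# Per-request caps stated in the commit message (assumed exact for the stand-in).
QUERY_LIMIT = 10000     # /alerts/queries/alerts/v2 page size
ENTITIES_LIMIT = 1000   # /alerts/entities/alerts/v2 IDs per POST


class RequestTooLarge(Exception):
    """Stand-in for an HTTP 413 Request Entity Too Large response."""


@dataclass
class FakeCrowdStrikeAPI:
    """Constructed stand-in for the two endpoints; not the real client."""
    open_alerts: dict                                 # composite_id -> alert detail
    entity_calls: list = field(default_factory=list)  # IDs sent per entities call

    def query_alerts(self, offset=0, limit=QUERY_LIMIT):
        # GET /alerts/queries/alerts/v2: one page of composite IDs.
        ids = sorted(self.open_alerts)
        return ids[offset:offset + min(limit, QUERY_LIMIT)]

    def get_alert_details(self, composite_ids):
        # POST /alerts/entities/alerts/v2: rejects oversized ID lists with 413.
        if len(composite_ids) > ENTITIES_LIMIT:
            raise RequestTooLarge(413)
        self.entity_calls.append(len(composite_ids))
        return [self.open_alerts[i] for i in composite_ids]


def fetch_alert_details(api, batch_size):
    """Page through the query endpoint with batch_size and post each page of
    IDs to the entities endpoint as-is (the integration's two-call flow)."""
    details, offset = [], 0
    while page := api.query_alerts(offset=offset, limit=batch_size):
        details.extend(api.get_alert_details(page))
        offset += len(page)
    return details


def simulate(n_alerts, batch_size):
    """Run the flow against n_alerts constructed open alerts and report the
    outcome, so the old default (10000) and the new one (1000) can be compared."""
    api = FakeCrowdStrikeAPI({f"alert-{i:05d}": {"composite_id": f"alert-{i:05d}"}
                              for i in range(n_alerts)})
    try:
        fetched = len(fetch_alert_details(api, batch_size))
        return {"status": 200, "fetched": fetched, "calls": api.entity_calls}
    except RequestTooLarge as exc:
        return {"status": exc.args[0], "fetched": 0, "calls": api.entity_calls}
```

`simulate(2500, 10000)` reports the 413 the message describes, while `simulate(2500, 1000)` fetches all 2500 alerts in three entities calls of 1000, 1000 and 500 IDs.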
File tree: 3 files changed, +8 -3 lines changed
- packages/crowdstrike
  - data_stream/alert
Diff 1 (file contents not captured): 5 lines added after original line 1 (new lines 2-6); original lines 2-4 become lines 7-9.
Diff 2 (file contents not captured): original lines 29-30 removed and replaced by 2 new lines (29-30); lines 26-28 and 31-33 are unchanged context.
Diff 3 (file contents not captured): original line 3 removed and replaced by 1 new line; lines 1-2 and 4-6 are unchanged context.