feat(crowdstrike): add identity protection assessment data stream

[navnit-elastic]

Proposed commit message

feat(crowdstrike): add identity protection security assessment data stream

- Collect Falcon Identity Protection security assessments over GraphQL (domain
  list and per-domain assessments), with ingest pipeline, field mappings, tests,
  and benchmarks.
- Replace Markdown-based navigation on existing CrowdStrike dashboards with
  Kibana Links panels, and add a link to the new Identity Protection
  Assessments dashboard.

Pipeline and related test samples come from a live CrowdStrike tenant.

Docs (Elastic tenant):

• https://falcon.us-2.crowdstrike.com/documentation/page/ae01c10c/identity-protection-apis#le65ac89
• https://falcon.us-2.crowdstrike.com/identity-protection/api-documentation/query/securityAssessment

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

• Clone integrations repo.
• Install elastic package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/crowdstrike directory.
• Run the following command to run tests.

elastic-package test

Related issues

• Relates [CrowdStrike]: Add support for Falcon Identity Protection module #17846

Screenshots

[github-actions]

Vale Linting Results

Summary: 5 warnings found

⚠️ Warnings (5)

File	Line	Rule	Message
packages/crowdstrike/docs/README.md	3726	Elastic.Latinisms	Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/crowdstrike/docs/README.md	3727	Elastic.Latinisms	Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/crowdstrike/docs/README.md	3729	Elastic.QuotesPunctuation	Place punctuation inside closing quotation marks.
packages/crowdstrike/docs/README.md	3730	Elastic.Latinisms	Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/crowdstrike/docs/README.md	3731	Elastic.Latinisms	Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

Package crowdstrike 👍(7) 💚(2) 💔(3)

Expand to view

Data stream	Previous EPS	New EPS	Diff (%)	Result
falcon	5555.56	3311.26	-2244.3 (-40.4%)	💔
host	4484.3	3135.78	-1348.52 (-30.07%)	💔
alert	1937.98	1607.72	-330.26 (-17.04%)	💔

To see the full report comment with /test benchmark fullreport

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[kcreddy]

Just getting clarification on couple of script tests. Otherwise LGTM

[kcreddy]

Isn't this the same as previous test first_assessment just with DOMAIN_B error instead of DOMAIN_A error? Do we need to test both?

[navnit-elastic]

No, they are different. The intent is to test errors in sequence of requests (i.e. first request fails and second successes, first successes and second fails).

The first_assessment_http_500 validates that after a failure in a middle of work-list, the collector still continues and ingests event for the next domain.

The second_assessment_http_500 validates that when the first assessment succeeds but the second fails, we still get one assessment and one error.

If you think this is redundant and not required to test at this depth, we can skip the second_assessment_http_500 test case.

[kcreddy]

Yeah, lets remove second_assessment_http_500 its testing the same code block

[navnit-elastic]

@kcreddy, Please take a look at comment replies.

[navnit-elastic]

No, they are different. The intent is to test errors in sequence of requests (i.e. first request fails and second successes, first successes and second fails).

The first_assessment_http_500 validates that after a failure in a middle of work-list, the collector still continues and ingests event for the next domain.

The second_assessment_http_500 validates that when the first assessment succeeds but the second fails, we still get one assessment and one error.

If you think this is redundant and not required to test at this depth, we can skip the second_assessment_http_500 test case.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 702d4ac

History

• 💚 Build #42074 succeeded c3ca8fa
• 💔 Build #42065 failed 9355ca2
• 💔 Build #42050 failed afd5c3a
• 💔 Build #41995 failed 46eee1b
• 💚 Build #41984 succeeded 103a410
• 💔 Build #41983 failed fd34012

cc @navnit-elastic

[kcreddy]

LGTM. Thank you!