crowdstrike: add performance optimization enhancements for transform

[navnit-elastic]

Proposed commit message

crowdstrike: add performance optimization enhancements for transform

- Add a must_not filter to the source.query to exclude
  the cold and frozen tiers.
- Increase the transform frequency from 30s to 1 hour (1h)
  to reduce the overhead on the cluster.

Note

Related Docs:

• https://www.elastic.co/docs/explore-analyze/transforms/transform-scale#limit-source-query
• https://www.elastic.co/docs/explore-analyze/transforms/transform-scale#frequency

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

• Clone integrations repo.
• Install elastic package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/crowdstrike directory.
• Run the following command to run tests.

elastic-package test system

System Tests:

--- Test results for package: crowdstrike - START ---
╭─────────────┬─────────────┬───────────┬───────────────┬────────┬─────────────────╮
│ PACKAGE     │ DATA STREAM │ TEST TYPE │ TEST NAME     │ RESULT │    TIME ELAPSED │
├─────────────┼─────────────┼───────────┼───────────────┼────────┼─────────────────┤
│ crowdstrike │ fdr         │ system    │ default       │ PASS   │   2m56.3517615s │
│ crowdstrike │ fdr         │ system    │ keep-metadata │ PASS   │ 5m38.489213167s │
╰─────────────┴─────────────┴───────────┴───────────────┴────────┴─────────────────╯
--- Test results for package: crowdstrike - END   ---
Done

Related issues

• Closes [CrowdStrike] Change built-in transform to exclude cold and frozen tier and increase frequency #18256

Screenshots

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 39b86b2

History

• 💚 Build #41046 succeeded fed3d0e

cc @navnit-elastic

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[elastic-vault-github-plugin-prod]

Package crowdstrike - 3.14.0 containing this change is available at https://epr.elastic.co/package/crowdstrike/3.14.0/