[Crowdstrike] - Handle nested File object in FDR DataEgressEnriched events

[ShourieG]

Type of change

• Bug

Proposed commit message

crowdstrike: handle nested File object in FDR DataEgressEnriched events

DataEgressEnriched events send crowdstrike.File as a nested JSON object
instead of a keyword, causing document rejections. Extract sub-fields to
ECS file.* and crowdstrike.FileType.Type.*, then remove the Map before
indexing. Events where File is already a string are unaffected.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Screenshots

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[kcreddy]

LGTM.
@navnit-elastic, please make a note of this new event type addition.

[kcreddy]

@ShourieG, is the label Team:Security-Cloud Services auto-added?

[ShourieG]

@ShourieG, is the label Team:Security-Cloud Services auto-added?

No I added it manually, this is labeled as Security Data Experience - Cloud Services which aligns with the current name change sde-service-integrations. At least this was my interpretation of it.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 4e5bad1

History

• 💚 Build #41391 succeeded 34e9a78

cc @ShourieG

[elastic-vault-github-plugin-prod]

Package crowdstrike - 3.14.1 containing this change is available at https://epr.elastic.co/package/crowdstrike/3.14.1/