
crowdstrike: rename FDR lookup destinations out of logs-* namespace #19005

Merged
kcreddy merged 3 commits into elastic:main from kcreddy:crowdstrike-lookup-index, May 15, 2026

Conversation

@kcreddy (Contributor) commented May 14, 2026

Proposed commit message

crowdstrike: rename FDR lookup destinations out of logs-* namespace

The latest_aidmaster and latest_userinfo transforms wrote to
logs-crowdstrike_lookup.dest_* indices exposed via aliases
under the same prefix. Their destination index mappings omit
@timestamp on purpose, to avoid LOOKUP JOIN column shadowing.

Because these indices match the default Security Solution logs-*
pattern, the detection rule engine's pre-execution fieldCaps check
flagged them as missing @timestamp and degraded affected rules
to partial-failure status.

Move the destinations and aliases out of logs-* so they no longer
collide with Security detection patterns. Update the bundled
dashboard, READMEs, and the userinfo script test to use the new
names. Bump fleet_transform_version on both transforms so Fleet
recreates them on upgrade.

Add a parallel aidmaster_lookup_join script test that pushes a
synthetic aidmaster doc through the destination pipeline and
asserts the LOOKUP JOIN returns the enriched hostname end-to-end.

Fixes elastic/integrations#18462

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

  • See screenshots below for testing of transform and new data view (new destination index pattern) working.
  • Updated script test for userinfo works.
  • New script test for aidmaster works - similar to userinfo, verifies the LOOKUP JOIN working.
--- Test results for package: crowdstrike - START ---
╭─────────────┬───────────────┬───────────┬───────────────────────┬────────┬────────────────╮
│ PACKAGE     │ DATA STREAM   │ TEST TYPE │ TEST NAME             │ RESULT │   TIME ELAPSED │
├─────────────┼───────────────┼───────────┼───────────────────────┼────────┼────────────────┤
│ crowdstrike │ alert         │ script    │ api_error_response    │ PASS   │ 1m7.134059208s │
│ crowdstrike │ alert         │ script    │ env                   │ PASS   │    89.597084ms │
│ crowdstrike │ alert         │ script    │ unauthorized          │ PASS   │   1m9.1324055s │
│ crowdstrike │ fdr           │ script    │ aidmaster_lookup_join │ PASS   │   3.384558417s │
│ crowdstrike │ fdr           │ script    │ env                   │ PASS   │    72.209666ms │
│ crowdstrike │ fdr           │ script    │ userinfo_lookup_join  │ PASS   │  14.045054292s │
│ crowdstrike │ host          │ script    │ api_error_response    │ PASS   │ 1m9.852729333s │
│ crowdstrike │ host          │ script    │ env                   │ PASS   │    79.450041ms │
│ crowdstrike │ vulnerability │ script    │ api_error_response    │ PASS   │ 1m9.008370417s │
│ crowdstrike │ vulnerability │ script    │ env                   │ PASS   │    72.496167ms │
╰─────────────┴───────────────┴───────────┴───────────────────────┴────────┴────────────────╯
--- Test results for package: crowdstrike - END   ---
Done

Related issues

Screenshots

[Three screenshots attached, captured 2026-05-14 at 5:07 PM to 5:09 PM, showing the transform and the new data view (new destination index pattern); images not reproduced here.]
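The two mechanisms the PR description relies on, the detection engine's pre-execution field-capabilities check over the rule's index patterns and the ES|QL LOOKUP JOIN column shadowing that motivated dropping @timestamp from the lookup mapping, as an added Python simulation (not code from the elastic/integrations repository or from this PR). It takes logs-* as the default Security Solution pattern and logs-crowdstrike_lookup.dest_* as the pre-rename prefix, both from the PR text; the post-rename index name, the field names (`aid`, `host.hostname`), the sample rows, and the join model (lookup columns overwrite same-named left columns, one output row per matching lookup row, unmatched rows pass through) are assumptions made for illustration, not a reproduction of Elasticsearch internals.

```python
"""Added illustration (not code from the elastic/integrations repository).

Models the two mechanisms the PR description relies on:
  1. the Security Solution detection engine's pre-execution field-capabilities
     check over the rule's index patterns (default: logs-*), which degrades a
     rule to partial failure when a matched index lacks @timestamp;
  2. ES|QL LOOKUP JOIN column shadowing, the reason the lookup destination
     mapping omits @timestamp in the first place.

The post-rename index name, the field names and the rows are constructed for
this example; only the pre-rename prefix logs-crowdstrike_lookup.dest_* and
the logs-* pattern come from the PR.
"""
from fnmatch import fnmatchcase

# Simulated _field_caps output: index (or alias) name -> set of mapped fields.
# An alias under the same logs- prefix would match the pattern just as the
# concrete index does.
FIELD_CAPS_BEFORE = {
    "logs-crowdstrike.fdr-default": {"@timestamp", "aid", "event.action"},
    # transform destination, mapped without @timestamp on purpose
    "logs-crowdstrike_lookup.dest_aidmaster": {"aid", "host.hostname"},
}
# ASSUMED post-rename name: the PR moves the index out of logs-*, but the exact
# new name is not reproduced here.
FIELD_CAPS_AFTER = {
    "logs-crowdstrike.fdr-default": {"@timestamp", "aid", "event.action"},
    "crowdstrike_lookup-aidmaster": {"aid", "host.hostname"},
}

SECURITY_DEFAULT_PATTERNS = ["logs-*"]  # the default pattern named in the PR


def matching_indices(patterns, field_caps):
    """Indices the rule engine would query: any name matching any pattern."""
    return sorted(name for name in field_caps
                  if any(fnmatchcase(name, p) for p in patterns))


def indices_missing_timestamp(patterns, field_caps):
    """Matched indices whose field caps carry no @timestamp."""
    return [name for name in matching_indices(patterns, field_caps)
            if "@timestamp" not in field_caps[name]]


def rule_status(patterns, field_caps):
    """'partial failure' if any matched index lacks @timestamp, else 'succeeded'."""
    return "partial failure" if indices_missing_timestamp(patterns, field_caps) else "succeeded"


def lookup_join(left_rows, lookup_rows, key):
    """Simplified model of `LOOKUP JOIN <lookup_index> ON <key>`.

    Every left row is kept; for each lookup row with an equal key an output
    row is produced whose lookup columns overwrite same-named left columns.
    That overwrite is the column shadowing the PR avoids by omitting
    @timestamp from the lookup mapping. Unmatched left rows pass through.
    """
    by_key = {}
    for row in lookup_rows:
        by_key.setdefault(row[key], []).append(row)
    out = []
    for left in left_rows:
        matches = by_key.get(left.get(key), [])
        if not matches:
            out.append(dict(left))
            continue
        for match in matches:
            joined = dict(left)
            joined.update(match)  # lookup columns take precedence (shadowing)
            out.append(joined)
    return out


# Constructed sample data: one FDR event and one aidmaster record for the same aid.
FDR_EVENTS = [
    {"@timestamp": "2026-05-14T12:00:00Z", "aid": "a1b2c3", "event.action": "ProcessRollup2"},
]
AIDMASTER_WITH_TIMESTAMP = [
    {"@timestamp": "2026-05-01T00:00:00Z", "aid": "a1b2c3", "host.hostname": "WS-01"},
]
AIDMASTER_NO_TIMESTAMP = [
    {"aid": "a1b2c3", "host.hostname": "WS-01"},
]


def demo():
    """Return the outcomes the PR description walks through, keyed by step."""
    return {
        "before": rule_status(SECURITY_DEFAULT_PATTERNS, FIELD_CAPS_BEFORE),
        "before_missing": indices_missing_timestamp(SECURITY_DEFAULT_PATTERNS, FIELD_CAPS_BEFORE),
        "after": rule_status(SECURITY_DEFAULT_PATTERNS, FIELD_CAPS_AFTER),
        # lookup mapping WITH @timestamp: the event's own timestamp is clobbered
        "shadowed": lookup_join(FDR_EVENTS, AIDMASTER_WITH_TIMESTAMP, "aid")[0],
        # lookup mapping WITHOUT @timestamp: event time survives, hostname added
        "enriched": lookup_join(FDR_EVENTS, AIDMASTER_NO_TIMESTAMP, "aid")[0],
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running the script shows the dilemma the rename resolves: with @timestamp mapped in the lookup index the join silently replaces each event's timestamp with the aidmaster record's; without it, any logs-* rule that enumerates the lookup index in its field caps reports the missing field and degrades. Moving the index out of the pattern keeps the mapping minimal and the rule status clean.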

kcreddy added 2 commits May 14, 2026 17:53
@kcreddy kcreddy self-assigned this May 14, 2026
@kcreddy kcreddy added Integration:crowdstrike CrowdStrike bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels May 14, 2026
github-actions bot (Contributor) commented May 14, 2026

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@kcreddy kcreddy marked this pull request as ready for review May 14, 2026 12:38
@kcreddy kcreddy requested a review from a team as a code owner May 14, 2026 12:38
@infra-vault-gh-plugin-prod

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh added dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. labels May 14, 2026
@kcreddy (Contributor, Author) commented May 14, 2026

/test

github-actions bot (Contributor)

TL;DR

I could not determine a code-level root cause from the available Buildkite step log because it only contains teardown/output-upload lines and the final non-zero exit. The immediate next action is to inspect the uploaded JUnit artifacts for this job (build/test-results/crowdstrike-*.xml) to identify the exact failing test/assertion.

Remediation

  • Download and inspect the failed job’s JUnit XML artifacts from build 42892 (especially crowdstrike-system-*.xml, crowdstrike-script-*.xml, and crowdstrike-pipeline-*.xml) and identify the first failing testcase/error message.
  • Re-run the single failing test locally (or in CI) with verbose output once the failing testcase is known; patch the specific failing assertion/query and re-run Check integrations crowdstrike.
Investigation details

Root Cause

Inconclusive from the provided logs. The prefetched log for Check integrations crowdstrike does not include the failing test output; it only shows stack teardown and final command failure.

Evidence

  • Build: https://buildkite.com/elastic/integrations/builds/42892
  • Job/step: Check integrations crowdstrike
  • Key log excerpt (/tmp/gh-aw/buildkite-logs/integrations-check-integrations-crowdstrike.txt):
    • L73: --- [crowdstrike] failed
    • L76: Error: The command exited with status 1
    • L78: user command error: exit status 1
  • The same commit failed previously as well (Build #42847), indicating deterministic failure rather than a one-off transient.
  • The same log confirms artifacts were uploaded (including build/test-results/crowdstrike-*.xml), which should contain the actionable failing testcase and stack trace.

Verification

  • Not run end-to-end in this environment: the local runner does not have a reachable Docker daemon for reproducing the Buildkite package test workflow.

Follow-up

Once you share the failing testcase/error text from the JUnit artifact, I can map it directly to the exact source line and provide a concrete patch recommendation.

Note

🔒 Integrity filter blocked 3 items

The following items were blocked because they don't meet the GitHub integrity level.

  • crowdstrike: rename FDR lookup destinations out of logs-* namespace #19005 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #19005 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #19005 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: PR Buildkite Detective


@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

History

cc @kcreddy

@kcreddy kcreddy merged commit 317c464 into elastic:main May 15, 2026
12 checks passed
@kcreddy kcreddy deleted the crowdstrike-lookup-index branch May 15, 2026 06:16
@elastic-vault-github-plugin-prod

Package crowdstrike - 3.16.2 containing this change is available at https://epr.elastic.co/package/crowdstrike/3.16.2/


Labels

bugfix Pull request that fixes a bug issue dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]


Development

Successfully merging this pull request may close these issues.

[CrowdStrike]: An empty index was created and missing log field @timestamp

4 participants