[crowdstrike] Prefer ImageFileName for the value of process.executable #8322

Merged

Conversation

@chrisberkhout (Contributor) commented Oct 27, 2023

Proposed commit message

[crowdstrike] Prefer ImageFileName for the value of process.executable

In the `firewall_match` pipeline of the Crowdstrike integration's
Falcon data stream, prefer `ImageFileName` over `CommandLine` as the
source of the value for `process.executable` when both are populated,
as `ImageFileName` should provide the more complete file name.

Background

There was a user report of pipeline failures when both ImageFileName and CommandLine were populated.

The table of existing test data below suggests that ImageFileName values will better match the ECS field process.executable, which is described as "Absolute path to the process executable".

| ImageFileName | CommandLine |
| --- | --- |
| /bin/sh | /bin/sh -s unix:cmd |
| /usr/libexec/xpcproxy | xpcproxy com.apple.mdworker.shared.01000000-0600-0000-0000-000000000000 |
| /usr/bin/pgbackrest | pgbackrest --stanza\u003dmain archive-get 000000020004D51F0000009F pg_wal/RECOVERYXLOG |
| /bin/uname | uname -a |
| \Device\HarddiskVolume2\projects\splunk-forwarder\bin\splunk-powershell.exe | D:\projects\splunk-forwarder\bin\splunk-powershell.exe --ps2 |
| /usr/bin/plutil | /usr/bin/plutil -convert xml1 -o - /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/tvOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/com.apple.DiagnosticExtensions.CrashLogs.appex/Info.plist |
| \Device\HarddiskVolume3\Windows\System32\svchost.exe | C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc |
| \Device\HarddiskVolume3\Windows\System32\svchost.exe | C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s NetSetupSvc |
| \Device\HarddiskVolume3\Windows\System32\backgroundTaskHost.exe | "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca |

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues
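The failure mode in the linked issue (a second `rename` into an already populated `process.executable`) and the precedence the commit message settles on, shown as an added illustrative ingest-pipeline fragment. This is not the integration's own `firewall_match.yml`; the source field paths `crowdstrike.event.ImageFileName` and `crowdstrike.event.CommandLine` and the pipeline description are assumptions made for the example.

```yaml
# Added example, not the Crowdstrike integration's own pipeline.
# Assumed source fields: crowdstrike.event.ImageFileName, crowdstrike.event.CommandLine
description: Map ImageFileName / CommandLine to ECS process.executable (illustrative)
processors:
  # Before (broken): two unconditional renames into the same target field.
  # The rename processor fails when the target already exists, so an event
  # that carries both ImageFileName and CommandLine is rejected by the
  # second rename with "field [process.executable] already exists".
  #
  #   - rename:
  #       field: crowdstrike.event.CommandLine
  #       target_field: process.executable
  #       ignore_missing: true
  #   - rename:
  #       field: crowdstrike.event.ImageFileName
  #       target_field: process.executable
  #       ignore_missing: true

  # After: ImageFileName wins whenever it is present; CommandLine is used only
  # as a fallback, guarded by a Painless condition on the target field.
  - rename:
      field: crowdstrike.event.ImageFileName
      target_field: process.executable
      ignore_missing: true
  - rename:
      field: crowdstrike.event.CommandLine
      target_field: process.executable
      ignore_missing: true
      if: ctx.process?.executable == null
```

The `if` guard makes the precedence explicit instead of relying on processor order alone, and lets events that carry only one of the two fields pass unchanged. One caveat visible in the table above: on Windows, `ImageFileName` is an NT device path (`\Device\HarddiskVolumeN\...`) rather than a drive-letter path, so `process.executable` values taken from it will not string-match `C:\...` style values that other sensors produce for the same binary.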

@elasticmachine commented:
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine commented Oct 27, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-11-01T08:47:36.607+0000

  • Duration: 17 min 13 sec

Test stats 🧪

| Test Results | Count |
| --- | --- |
| Failed | 0 |
| Passed | 30 |
| Skipped | 0 |
| Total | 30 |

@elasticmachine commented Oct 27, 2023

🌐 Coverage report

| Name | Metrics % (covered/total) | Diff |
| --- | --- | --- |
| Packages | 100.0% (2/2) | 💚 |
| Files | 100.0% (15/15) | 💚 |
| Classes | 100.0% (15/15) | 💚 |
| Methods | 95.918% (94/98) | 👎 -4.082 |
| Lines | 88.221% (3595/4075) | 👎 -6.931 |
| Conditionals | 100.0% (0/0) | 💚 |

…ipeline/firewall_match.yml

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@chrisberkhout chrisberkhout merged commit bb36819 into elastic:main Nov 1, 2023
4 checks passed
@chrisberkhout chrisberkhout deleted the crowdstrike-prefer-imagefilename branch November 1, 2023 09:30
@elasticmachine commented:
Package crowdstrike - 1.23.1 containing this change is available at https://epr.elastic.co/search?package=crowdstrike

Successfully merging this pull request may close these issues.

[crowdstrike] Failure renaming to existing field process.executable