crowdstrike: add support for host info enrichment

[efd6]

Proposed commit message

See title.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• The fdr datastream offers both s3 and logfile inputs. Limitations in elastic-package prevent us from being able to have two system test infrastructure deployments, so only the logfile s3 input is tested.

How to test this PR locally

Make the following change:

diff --git a/packages/crowdstrike/data_stream/fdr/_dev/deploy/tf/env.yml b/packages/crowdstrike/data_stream/fdr/_dev/deploy/tf/env.yml
index b795fcdeb..6e1f17f7a 100644
--- a/packages/crowdstrike/data_stream/fdr/_dev/deploy/tf/env.yml
+++ b/packages/crowdstrike/data_stream/fdr/_dev/deploy/tf/env.yml
@@ -7,3 +7,4 @@ services:
       - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
       - AWS_PROFILE=${AWS_PROFILE}
       - AWS_REGION=${AWS_REGION:-us-east-1}
+      - TF_VAR_eventbridge_role_arn=arn:aws:iam::144492464627:role/eb-scheduler-role-20231101165501426500000001

Then:

$ export AWS_DEFAULT_PROFILE=elastic-siem
$ aws-mfa --profile=elastic-siem
$ eval $(grep ^aws ~/.aws/credentials | gsed -r 's/^(aws[^ ]+) = (.*)$/export \U\1\E=\2/g')

(gsed is GNU sed so if on macos you will need to install that, is on linux s/gsed/sed/ in the command above)

Then test with elastic-package as normal.

For convenience (because the AWS setup was not trivial), the TF graph is here.

Related issues

• Closes Crowdstrike FDR hostname/username enrichment #2816

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-11-28T19:34:05.461+0000

• Duration: 20 min 16 sec

Test stats 🧪

Test	Results
Failed	0
Passed	34
Skipped	0
Total	34

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (2/2)	💚
Files	100.0% (15/15)	💚
Classes	100.0% (15/15)	💚
Methods	95.918% (94/98)	👎 -4.082
Lines	88.261% (3609/4089)	👎 -11.739
Conditionals	100.0% (0/0)	💚

[efd6]

/test

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[kcreddy]

Suggested change

	description: Uses data in aidmaster to add host information to events. The aidmaster blob must string "aidmaster" in its path and the FDR Notification Parsing Script must sort events so that aidmaster events appear first in the stream.
	description: Uses data in aidmaster to add host information to events. The aidmaster blob must contain string "aidmaster" in its path and the FDR Notification Parsing Script must sort events so that aidmaster events appear first in the stream.

[kcreddy]

Can you also add valid time units?

[kcreddy]

Is the field log.file.path going to exist for S3 input in this case?

[efd6]

Yes.

[kcreddy]

time units here as well

[kcreddy]

LGTM 👍🏼

[andrewkroh]

Have you manually tested this using the aws-s3 input?

The fdr datastream offers both s3 and logfile inputs. Limitations in elastic-package prevent us from being able to have two system test infrastructure deployments, so only the logfile input is tested.

If we have to sacrifice the logfile testing to get aws-s3 system tests then let's do it. The aws-s3 input is what most users are running with.

[andrewkroh]

This will be a weak ordering guarantee because the scan can start concurrent readers. You could set harvester_limit: 1 to control concurrency. I don't think the log file input is used in production by anyone so this matters very little.

[efd6]

Thanks, I was worried about that. We can't limit though; making the limit 1 results in a deadlock.

[andrewkroh]

LGTM. Thanks for getting the system testing setup for the aws-s3 input.

I left some minor suggestions related to the test config.

[andrewkroh]

I think we should be able to know the expected number of events so can we add the

assert:
  hit_count: N

[andrewkroh]

This wait period seems quite high. Once Terraform completes its provisioning an SQS notification should be sent after about 1 minute. I think the default of 10m should be fine.

[efd6]

The 20m value appears to be commonly used, but agreed. Will change.

[elasticmachine]

Package crowdstrike - 1.26.0 containing this change is available at https://epr.elastic.co/search?package=crowdstrike