
[Crowdstrike] Adding new dashboards for Crowdstrike and Falcon #8478

Merged
merged 2 commits into from
Nov 21, 2023

Conversation

P1llus
Member

@P1llus P1llus commented Nov 13, 2023

This PR adds new dashboards for Crowdstrike (overview), and for Crowdstrike Falcon. It only adds slight changes to the existing FDR dashboard to fit the similar layout.

Added validation skip for searches (unsure why that is not allowed?), ran elastic-package format to clean up anything that was missing.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

Screenshots

cs-falcon1
cs-falcon2
cs-fdr1
cs-overview1

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@P1llus
Member Author

P1llus commented Nov 13, 2023

Some of the screenshots of the graphs are a bit weird because all the sample data is spread out over 10 years; they will look better with actual data.

@elasticmachine

elasticmachine commented Nov 13, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-11-20T08:53:15.254+0000

  • Duration: 16 min 52 sec

Test stats 🧪

Test Results
Failed 0
Passed 34
Skipped 0
Total 34

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine

elasticmachine commented Nov 13, 2023

🌐 Coverage report

Name          Metrics   (covered/total)   Diff
Packages      100.0%    (2/2)             💚
Files         100.0%    (15/15)           💚
Classes       100.0%    (15/15)           💚
Methods       95.918%   (94/98)           👎 -4.082
Lines         88.221%   (3595/4075)       👍 0.663
Conditionals  100.0%    (0/0)             💚

packages/crowdstrike/changelog.yml (outdated, resolved)
@@ -166,7 +166,7 @@
"preserve_original_event"
],
"threat": {
"framework": "MITRE ATT&CK",
"framework": "MITRE ATT\u0026CK",
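Review bot: The only change in this hunk is `"MITRE ATT&CK"` becoming `"MITRE ATT\u0026CK"`; both decode to the same string (`\u0026` is the JSON escape for `&`), so there is no functional change, only a reversion to the HTML-escaped spelling that repeats across the expected files and produces diff churn. Suggest regenerating the expected files with a current elastic-package build so this hunk drops out, and stating in the PR description which elastic-package version produced them.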
Contributor

Why is this reverting to HTML-escaped? (throughout)

Member Author

That's because of our pipeline test code @efd6. It's been an issue for a while, though I was sure it was fixed. It's the JSON unmarshal that escapes things by default, though I believe we added an override for that at some point.

Contributor

@efd6 efd6 Nov 15, 2023

Yes, this is the reason. AIUI the html escaping was turned off, so we saw a whole heap of \uXXXX<real character>. So I'm wondering why that is being reversed. Has this been changed back? I hope not for two reasons, it's unclear and it makes diff churn. @jsoriano Do you know why this is happening?

Member

Yes, this should be fixed, I will take a look. Thanks for the ping.

Member Author

Will merge it for now then, I am checking with @jsoriano if we can take a look sooner rather than later, to see if we can resolve it.

Member

Hey @P1llus,

Is it possible that you have regenerated these files with an old version of elastic-package? If I try with 0.92, this change is reverted.

-                "framework": "MITRE ATT\u0026CK",
+                "framework": "MITRE ATT&CK",

Both files are accepted by tests, probably because the default decoder makes parsing of entities transparent. I can try to disable this behaviour so this is detected, but please confirm what version of elastic-package you used to generate these files.

Member

@jsoriano jsoriano Nov 21, 2023

> I can try to disable this behaviour

It doesn't look so easy, HTML entities in JSON strings are always decoded in Go 🤔
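
The encoder and decoder behaviour discussed in this thread, shown as an added example that is not part of the PR or of elastic-package: Go's `encoding/json` rewrites `&` as `\u0026` by default on output, `SetEscapeHTML(false)` on a `json.Encoder` turns that off, and the decoder always resolves the escape, so a test that compares decoded values accepts both spellings. The `Threat` struct, the function names and the final check that scans the raw text for escapes are assumptions made for illustration; the sample value is the one visible in the hunk.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Threat mirrors the fragment seen in the hunk: an object with a "framework" field.
// The struct and its name are assumptions made for this example.
type Threat struct {
	Framework string `json:"framework"`
}

// EncodeDefault marshals with json.Marshal, which by default rewrites '<', '>'
// and '&' as \u003c, \u003e and \u0026 so the JSON is safe to embed in HTML.
// This is the spelling the hunk re-introduces ("MITRE ATT\u0026CK").
func EncodeDefault(t Threat) (string, error) {
	b, err := json.Marshal(t)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// EncodeNoHTMLEscape uses a json.Encoder with SetEscapeHTML(false), the switch
// that keeps '&' verbatim and avoids churn in checked-in expected files.
func EncodeNoHTMLEscape(t Threat) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(t); err != nil {
		return "", err
	}
	// Encoder.Encode appends a trailing newline; drop it for a single-line result.
	return strings.TrimSuffix(buf.String(), "\n"), nil
}

// DecodeFramework parses either spelling. The decoder always resolves \uXXXX
// escapes, which is why a test that compares decoded values cannot tell the
// two forms apart.
func DecodeFramework(raw string) (string, error) {
	var t Threat
	if err := json.Unmarshal([]byte(raw), &t); err != nil {
		return "", err
	}
	return t.Framework, nil
}

// HasHTMLEscapes reports whether the raw, undecoded JSON text still carries the
// HTML-safe escapes. Scanning expected files before decoding them is one way to
// detect the regression that the decoder otherwise hides (assumed check, not
// part of elastic-package).
func HasHTMLEscapes(raw string) bool {
	for _, esc := range []string{`\u003c`, `\u003e`, `\u0026`} {
		if strings.Contains(raw, esc) {
			return true
		}
	}
	return false
}

func main() {
	t := Threat{Framework: "MITRE ATT&CK"} // sample value taken from the hunk
	escaped, _ := EncodeDefault(t)
	plain, _ := EncodeNoHTMLEscape(t)
	fmt.Println(escaped, HasHTMLEscapes(escaped)) // {"framework":"MITRE ATT\u0026CK"} true
	fmt.Println(plain, HasHTMLEscapes(plain))     // {"framework":"MITRE ATT&CK"} false
	a, _ := DecodeFramework(escaped)
	b, _ := DecodeFramework(plain)
	fmt.Println(a == b) // true: the decoder makes the two spellings indistinguishable
}
```

Because `json.Unmarshal` collapses both spellings to the same value, a comparison of decoded documents will never flag the reverted escaping; a byte-level scan of the raw expected file, as in `HasHTMLEscapes`, is what catches it.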

Contributor

> Is it possible that you have regenerated these files with an old version of elastic-package? If I try with 0.92, this change is reverted.

This was my concern.

Member Author

It should have been made with elastic-package version-hash b2251c5-dirty (build time: 2023-11-13T11:17:14+01:00), but I can try it again with the latest build

@P1llus P1llus merged commit 9fc2ebc into elastic:main Nov 21, 2023
4 checks passed
@elasticmachine

Package crowdstrike - 1.25.0 containing this change is available at https://epr.elastic.co/search?package=crowdstrike

Labels
enhancement New feature or request Integration:crowdstrike CrowdStrike
Development

Successfully merging this pull request may close these issues.

[CrowdStrike] Add dashboards to integration