crowdstrike - fix (de-dot) flattened process fields (elastic#4709)

Fix flattened process fields in default ingest pipeline. The field names contained dots.

Author: leandrojmp

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.8.1"
+  changes:
+    - description: Fix parse of flattened `process` fields in Falcon data stream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4709
 - version: "1.8.0"
   changes:
     - description: Update package to ECS 8.5.0.

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json

@@ -85,14 +85,14 @@
             },
             "message": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
             "process": {
+                "args": [
+                    "C:\\Windows\\Explorer.EXE"
+                ],
+                "command_line": "C:\\Windows\\Explorer.EXE",
+                "executable": "C:\\Windows\\Explorer.EXE",
                 "name": "explorer.exe",
                 "pid": 38684386611
             },
-            "process.args": [
-                "C:\\Windows\\Explorer.EXE"
-            ],
-            "process.command_line": "C:\\Windows\\Explorer.EXE",
-            "process.executable": "C:\\Windows\\Explorer.EXE",
             "related": {
                 "hash": [
                     "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json

@@ -512,18 +512,18 @@
             },
             "message": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.",
             "process": {
+                "args": [
+                    "\"C:\\ProgramData\\file\\path\\filename.exe\""
+                ],
+                "command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
+                "executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
                 "name": "filename.exe",
                 "parent": {
                     "command_line": "C:\\Windows\\Explorer.EXE",
                     "executable": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"
                 },
                 "pid": 663790158277
             },
-            "process.args": [
-                "\"C:\\ProgramData\\file\\path\\filename.exe\""
-            ],
-            "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
-            "process.executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
             "related": {
                 "hash": [
                     "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb",

packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml

@@ -312,9 +312,11 @@ processors:
             def args = Arrays.asList(/ /.split(commandLine));
             args.removeIf(arg -> arg == "");
 
-            ctx["process.command_line"] = commandLine;
-            ctx["process.args"] = args;
-            ctx["process.executable"] = args.get(0);
+            ctx.process = [
+              'command_line': commandLine,
+              'args': args,
+              'executable': args.get(0)
+            ]
           }
         }
   - pipeline:

packages/crowdstrike/manifest.yml

@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.8.0"
+version: "1.8.1"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: 1.0.0