
Conversation

@navnit-elastic
Contributor

Proposed commit message

crowdstrike: parse command line to populate process name in FDR logs

This handles a special case that occurs in Linux-based containerized environments
when the "runc" process clones itself to get into its own namespace.
The child process would have its executable path set to "/"
which was resulting in "process.name" being empty.

This change adds command line parsing to extract "process.name"
when "process.executable" is set to a slash ("/").

Adds field definitions for ChangeTime, OciContainerId and RootPath.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Pipeline Tests:

--- Test results for package: crowdstrike - START ---
╭─────────────┬─────────────┬───────────┬───────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE     │ DATA STREAM │ TEST TYPE │ TEST NAME                                                     │ RESULT │ TIME ELAPSED │
├─────────────┼─────────────┼───────────┼───────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-data.log)                      │ PASS   │ 412.693449ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-epp-detection-summary.log) │ PASS   │ 338.948915ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-lengthy-field-delete.log)  │ PASS   │ 344.048521ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr-lengthy-field-index.log)   │ PASS   │ 337.829426ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdr.log)                       │ PASS   │ 352.047773ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-fdrv2-notmanaged.log)          │ PASS   │ 354.948319ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-linux.log)                     │ PASS   │ 339.636941ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-macos.log)                     │ PASS   │ 365.635581ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-tags-formats.log)              │ PASS   │  367.98951ms │
│ crowdstrike │ fdr         │ pipeline  │ (ingest pipeline warnings test-windows.log)                   │ PASS   │ 372.760256ms │
│ crowdstrike │ fdr         │ pipeline  │ test-data.log                                                 │ PASS   │ 228.059035ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-epp-detection-summary.log                            │ PASS   │ 480.252546ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-lengthy-field-delete.log                             │ PASS   │ 142.563423ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr-lengthy-field-index.log                              │ PASS   │ 155.706309ms │
│ crowdstrike │ fdr         │ pipeline  │ test-fdr.log                                                  │ PASS   │  2.37638572s │
│ crowdstrike │ fdr         │ pipeline  │ test-fdrv2-notmanaged.log                                     │ PASS   │ 140.196696ms │
│ crowdstrike │ fdr         │ pipeline  │ test-linux.log                                                │ PASS   │ 272.310776ms │
│ crowdstrike │ fdr         │ pipeline  │ test-macos.log                                                │ PASS   │ 421.985696ms │
│ crowdstrike │ fdr         │ pipeline  │ test-tags-formats.log                                         │ PASS   │ 184.819217ms │
│ crowdstrike │ fdr         │ pipeline  │ test-windows.log                                              │ PASS   │  2.40098861s │
╰─────────────┴─────────────┴───────────┴───────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: crowdstrike - END   ---
Done

Related issues

Screenshots
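The command-line fallback described in the proposed commit message, reimplemented as a stand-alone Python example added here; it is not the crowdstrike integration's ingest pipeline code. It assumes ECS field names (process.executable, process.command_line, process.name), assumes the extraction rule is "take the first shell token of the command line and use its basename", and the runc-style sample events are constructed, not real FDR records.

```python
"""Populate process.name when process.executable is "/".

Example re-implementation of the behaviour described in the commit
message, not the integration's own pipeline. Assumed rule: when
process.executable is "/" (the runc self-clone case), the first shell
token of process.command_line is taken and its basename becomes
process.name; otherwise process.name is the basename of the executable.
"""
import posixpath
import shlex


def first_argv_token(command_line: str) -> str:
    """Return the first argument of a command line, honouring shell quoting.

    A malformed line (for example an unbalanced quote) falls back to plain
    whitespace splitting rather than dropping the event on a parse error.
    """
    try:
        argv = shlex.split(command_line)
    except ValueError:
        argv = command_line.split()
    return argv[0] if argv else ""


def derive_process_name(event: dict) -> dict:
    """Fill process.name in an ECS-style event dict (in place) and return it."""
    proc = event.setdefault("process", {})
    if proc.get("name"):
        return event  # already populated, leave it alone
    executable = proc.get("executable") or ""
    if executable == "/":
        # Special case from the commit message: the runc child process
        # reports "/" as its executable, so fall back to the command line.
        token = first_argv_token(proc.get("command_line") or "")
        if token:
            proc["name"] = posixpath.basename(token)
    elif executable:
        # Normal case: the executable path carries the name.
        proc["name"] = posixpath.basename(executable)
    return event


def unresolved(events: list) -> list:
    """Return the events that still lack process.name after derivation.

    Useful as a health check: a growing count means the fallback is not
    covering some shape of event and the mapping needs another look.
    """
    return [e for e in events if not derive_process_name(e)["process"].get("name")]


# Constructed sample events (assumed shapes, not real FDR records).
SAMPLE_EVENTS = [
    {"process": {"executable": "/", "command_line": "runc init"}},
    {"process": {"executable": "/", "command_line": '"/usr/bin/runc" init'}},
    {"process": {"executable": "/usr/bin/bash", "command_line": "bash -c 'echo hi'"}},
    {"process": {"executable": "/", "command_line": ""}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        derive_process_name(ev)
        print(ev["process"].get("name"), "<-", ev["process"])
    print("unresolved:", len(unresolved(SAMPLE_EVENTS)))
```

The fourth sample (executable "/" with an empty command line) is the case the fallback cannot resolve; `unresolved` surfaces it instead of silently leaving process.name empty, which is the symptom the PR fixes.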

@navnit-elastic navnit-elastic self-assigned this Oct 14, 2025
@navnit-elastic navnit-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:crowdstrike CrowdStrike Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Oct 14, 2025
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

Package crowdstrike 👍(4) 💚(3) 💔(3)

Data stream   Previous EPS   New EPS   Diff (%)             Result
falcon        4405.29        3392.13   -1013.16 (-23%)      💔
host          4566.21        2896.03   -1670.18 (-36.58%)   💔
fdr           1459.85        1044.93   -414.92 (-28.42%)    💔

To see the full report comment with /test benchmark fullreport

Contributor

@tomsonpl tomsonpl left a comment


Thank you, this looks great!

@tomsonpl
Contributor

@navnit-elastic hey, just wanted to check in and see when is it planned to be released? :) Thank you!

Conflicts:
	packages/crowdstrike/changelog.yml
	packages/crowdstrike/manifest.yml
@navnit-elastic navnit-elastic marked this pull request as ready for review October 23, 2025 18:52
@navnit-elastic navnit-elastic requested a review from a team as a code owner October 23, 2025 18:52
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elasticmachine

💚 Build Succeeded

History

cc @navnit-elastic

@navnit-elastic navnit-elastic merged commit 1acfa77 into elastic:main Oct 24, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package crowdstrike - 2.6.0 containing this change is available at https://epr.elastic.co/package/crowdstrike/2.6.0/

agithomas pushed a commit to agithomas/integrations that referenced this pull request Oct 30, 2025
…lastic#15646)