Fix processing of crowdstrike.User.Name field (elastic#15272)

This PR renames the crowdstrike.User.Name field to user.name.

Author: chemamartinez

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.2.1"
+  changes:
+    - description: Fix processing of `crowdstrike.User.Name` field.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15272
 - version: "2.2.0"
   changes:
     - description: >-

packages/crowdstrike/data_stream/fdr/_dev/deploy/tf/files/fdr-sample.log

@@ -124,3 +124,4 @@
 {"ConfigBuild":"1007.4.0009906.1","ConfigStateHash":"3429017943","ContextProcessId":"66426035996442255","ContextTimeStamp":"1604851098.548","Entitlements":"15","aid":"ffffffff899541b94b9adff8922aa70a","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"FirewallDisabled","id":"ffffffff-1111-11eb-9d4c-02f402df8c1f","name":"FirewallDisabledMacV1","timestamp":"1604851040625"}
 {"ComputerName":"HQ-sadhkbasHS","CurrentLocalIP":"67.43.156.13","FirstDiscoveredDate":"1669625277.827","LastDiscoveredBy":"c1b74438660b44cfa93e24c9d44badab","LocalAddressIP4":"67.43.156.13","MAC":"AA-AA-AA-AA-AA-AA","MACPrefix":"AA-AA-AA","NeighborName":"!!!!UNKNOWN!!!!","__mv_LocalAddressIP4":"","__mv_aip":"$67.43.156.14$;$67.43.156.13$","__mv_discoverer_aid":"$4b8f58d3f5f040b3804d3820ca2aed67$;$c1b74438660b44cfa93e24c9d44badab$","__mv_discoverer_devicetype":"","_time":"1678931820.343","aip":"67.43.156.13 67.43.156.14 81.2.69.192","aipCount":"3","cid":"500c5073b4d7443688f4b32c5eeb295b","discovererCount":"2","discoverer_aid":"4b8f58d3f5f040b3804d3820ca2aed67 c1b74438660b44cfa93e24c9d44badab","discoverer_devicetype":"","localipCount":"1","subnet":"10.0"}
 {"aid":"11111111111111111111111111111111","cid":"22222222222222222222222222222222","hostname":"example-XXXXXXXXX","os_version":"Sonoma (14)","product_name":"","product_type_desc":"Workstation","host_hidden_status":"VISIBLE","event_platform":"Mac","scores":{"os":89,"sensor":100,"overall":97,"version":"3.8.1","modified_time":"2024-02-13T22:33:34.077075097Z"},"assessments":{"analytics_and_improvements_mac":"yes","application_firewall_mac":"yes","crendential_dumping_hash_mac":"yes","crendential_dumping_kcpassword_mac":"yes","crowdstrike_full_disk_access":"yes","execution_blocking_custom_blocking_enabled_mac":"yes","execution_blocking_intel_threats_enabled_mac":"yes","execution_blocking_suspicious_processes_enabled_mac":"yes","file_vault_enabled_mac":"yes","gatekeeper_mac":"yes","internet_sharing_mac":"yes","mac_os_version":"yes","ml_adware_detection_mac":"yes","ml_adware_prevention_mac":"yes","ml_cloud_antimalware_detection_mac":"yes","ml_cloud_antimalware_prevention_mac":"yes","ml_sensor_adware_and_pup_detection_mac":"yes","ml_sensor_adware_and_pup_prevention_mac":"yes","ml_sensor_antimalware_detection_mac":"yes","ml_sensor_antimalware_prevention_mac":"yes","quarantine_mac":"yes","real_time_response_enabled_mac":"yes","remote_login_mac":"yes","script_based_execution_monitoring_mac":"yes","sip_enabled_mac":"yes","stealth_mode_mac":"no","system_full_disk_access_mac":"no","unauthorized_remote_access_chopper_mac":"yes","unauthorized_remote_access_empyre_mac":"yes","unauthorized_remote_access_xpcom_mac":"yes"},"event_type":"ZeroTrustHostAssessment","timestamp":"1601546312519"}
+{"AccountType":"Domain User","LastLoggedOnHost":"COMPUTER1","LocalAdminAccess":"No","LogonInfo":"Domain User Logon","LogonTime":"1702546155.197","LogonType":"Interactive","PasswordLastSet":"1699971198.062","User":{"Name":"DOMAIN\\BRADLEYA"},"UserIsAdmin":"0","UserLogonFlags_decimal":"0","UserSid_readable":"S-1-12-1-3697283754-1083485977-2164330645-2516515886","_time":"1702546168.576","cid":"ffffffff15754bcfb5f9152ec7ac90ad","event_platform":"Win","monthsincereset":"1.0"}

packages/crowdstrike/data_stream/fdr/_dev/deploy/tf/main.tf

@@ -100,14 +100,14 @@ resource "aws_scheduler_schedule" "eventbridge_scheduler_every1minute" {
       cid        = "ffffffff15754bcfb5f9152ec7ac90ac"
       timestamp  = 1625677488615
       fileCount  = 3
-      totalSize  = 118088
+      totalSize  = 120161
       bucket     = aws_s3_bucket.crowdstrike_fdr.id
       pathPrefix = "data/f0714ca5-3689-448d-b5cc-582a6f7a56b1"
       "files" : [
         {
           "path" : aws_s3_object.crowdstrike_data.key,
-          "size" : 113186,
-          "checksum" : "49b3322129084890cbdfc0f4521cc80b"
+          "size" : 115258,
+          "checksum" : "c24b5525ad5d4b3ff92bb3c9c002bdc7"
         },
         {
           "path" : aws_s3_object.crowdstrike_aidmaster.key,

packages/crowdstrike/data_stream/fdr/_dev/test/system/test-default-config.yml

@@ -13,4 +13,4 @@ data_stream:
     preserve_original_event: true
     enable_deduplication: true
 assert:
-  hit_count: 125
+  hit_count: 126

packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml

@@ -2446,6 +2446,11 @@ processors:
       field: user.roles
       value: admin
       if: ctx.crowdstrike?.UserIsAdmin == "1"
+  - rename:
+      field: crowdstrike.User.Name
+      target_field: user.name
+      ignore_missing: true
+      if: ctx.crowdstrike?.User?.Name != null && ctx.user?.name == null
   - rename:
       field: crowdstrike.UserName
       target_field: user.name

packages/crowdstrike/manifest.yml

@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "2.2.0"
+version: "2.2.1"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.4.0"