[crowdstrike] Add support of Vulnerability Events. (elastic#12973)

- Added vulnerability data stream.
- Updated ecs version to 8.17.0.
- Updated kibana version to the latest (^8.18.0 || ^9.0.0).
- Added support of agentless server.
- Added navigation link of vulnerability dashboard in existing dashboard.

Author: muskan-agarwal26

packages/crowdstrike/_dev/build/build.yml

@@ -1,3 +1,3 @@
 dependencies:
   ecs:
-    reference: "git@v8.11.0"
+    reference: "git@v8.17.0"

packages/crowdstrike/_dev/build/docs/README.md

@@ -12,6 +12,8 @@ The [CrowdStrike](https://www.crowdstrike.com/) integration allows you to easily
 
 - `host` dataset: It retrieves all the hosts/devices in your environment providing information such as device metadata, configuration, and status generated by the CrowdStrike Falcon platform, via Falcon Intelligence Host/Device API - `/devices/entities/devices/v2`. It is more focused to provide the management and monitoring information of devices such as login details, status, policies, configuration etc.
 
+- `vulnerability` dataset: It retrieves all the vulnerabilities in your environment, providing information such as severity, status, confidence levels, remediation guidance, and affected hosts, as detected by the CrowdStrike Falcon platform, via the Falcon Spotlight Vulnerability API - `/spotlight/entities/vulnerabilities/v2`.
+
 3. **Falcon Data Replicator**: This Collect events in near real time from your endpoints and cloud workloads, identities and data. CrowdStrike Falcon Data Replicator (FDR) enables you with actionable insights to improve SOC performance. FDR contains near real-time data collected by the Falcon platform's single, lightweight agent. It includes the following datasets for receiving logs:
 
 - `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR).
@@ -25,6 +27,36 @@ The [CrowdStrike](https://www.crowdstrike.com/) integration allows you to easily
 This integration is compatible with CrowdStrike Falcon SIEM-Connector-v2.0, REST API, and CrowdStrike Event Streaming.
 For Rest API support, this module has been tested against the **CrowdStrike API Version v1/v2**.
 
+## Requirements
+
+### Agentless Enabled Integration
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments.  This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
+### Agent Based Installation
+- Elastic Agent must be installed
+- You can install only one Elastic Agent per host.
+- Elastic Agent is required to stream data from the GCP Pub/Sub or REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+#### Installing and managing an Elastic Agent:
+
+You have a few options for installing and managing an Elastic Agent:
+
+#### Install a Fleet-managed Elastic Agent (recommended):
+
+With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.
+
+#### Install Elastic Agent in standalone mode (advanced users):
+
+With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
+
+#### Install Elastic Agent in a containerized environment:
+
+You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry and we provide deployment manifests for running on Kubernetes.
+
+There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
 ## Setup
 ### To collect data from CrowdStrike REST API, the following parameters from your CrowdStrike instance are required:
 
@@ -38,6 +70,7 @@ For Rest API support, this module has been tested against the **CrowdStrike API
     | ------------- | ------------- |
     | Alert         | read:alert    |
     | Host          | read:host     |
+    | Vulnerability | read:vulnerability |
 
 ### To collect data from CrowdStrike Event Stream, the following parameters from your CrowdStrike instance are required:
 
@@ -234,3 +267,13 @@ This is the `Host` dataset.
 {{event "host"}}
 
 {{fields "host"}}
+
+### Vulnerability
+
+This is the `Vulnerability` dataset.
+
+#### Example
+
+{{event "vulnerability"}}
+
+{{fields "vulnerability"}}

packages/crowdstrike/_dev/deploy/docker/docker-compose.yml

@@ -26,3 +26,16 @@ services:
       - http-server
       - --addr=:8090
       - --config=/files/config-host.yml
+  crowdstrike-vulnerability:
+    image: docker.elastic.co/observability/stream:v0.15.0
+    hostname: crowdstrike-vulnerability
+    ports:
+      - 8090
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8090'
+    command:
+      - http-server
+      - --addr=:8090
+      - --config=/files/config-vulnerability.yml