crowdstrike: add ECS user mappings for Crowdstrike fields (#13906)

Author: efd6

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.69.0"
+  changes:
+    - description: Improve user ECS field mappings for FDR.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13906
 - version: "1.68.0"
   changes:
     - description: Improve handling of document collision.

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json

@@ -7825,11 +7825,22 @@
                 ],
                 "ip": [
                     "81.2.69.142"
+                ],
+                "user": [
+                    "3d0d64ac1d9faf",
+                    "9bf10282"
                 ]
             },
             "tags": [
                 "preserve_original_event"
-            ]
+            ],
+            "user": {
+                "id": "S-33232-15769-33973-56426-34173-11558-64704-78944",
+                "name": "3d0d64ac1d9faf",
+                "target": {
+                    "name": "9bf10282"
+                }
+            }
         },
         {
             "@timestamp": "2025-04-01T11:59:59.999Z",

packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml

@@ -390,6 +390,51 @@ processors:
       description: Categorize events.
       lang: painless
       params:
+        ActiveDirectoryServiceAccessRequest:
+          category: [ database ]
+          type: [ access ]
+          kind: event
+          outcome: success
+        ActiveDirectoryAuthentication:
+          category: [ authentication ]
+          type: [ start ]
+          kind: event
+          outcome: success
+        ActiveDirectoryServiceAccessRequestFailure:
+          category: [ database ]
+          type: [ access ]
+          kind: event
+          outcome: failure
+        ActiveDirectoryIncomingLdapSearchRequest:
+          category: [ database ]
+          type: [ access ]
+          kind: event
+          outcome: unknown
+        ActiveDirectoryAuthenticationFailure:
+          category: [ authentication ]
+          type: [ start ]
+          kind: event
+          outcome: failure
+        ActiveDirectoryInteractiveDomainLogon:
+          category: [ authentication ]
+          type: [ start ]
+          kind: event
+          outcome: success
+        ActiveDirectoryIncomingDceRpcRequest:
+          category: [ api ]
+          type: [ start ]
+          kind: event
+          outcome: unknown
+        ActiveDirectoryIncomingPsExecExecution2:
+          category: [ process ]
+          type: [ start ]
+          kind: event
+          outcome: success
+        ActiveDirectoryIncomingDceRpcEpmRequest:
+          category: [ api ]
+          type: [ start ]
+          kind: event
+          outcome: unknown
         AcUninstallConfirmation:
           category: [ package ]
           type: [ deletion ]
@@ -1334,6 +1379,11 @@ processors:
           type: [ change ]
           kind: event
           outcome: success
+        SudoCommandAttempt:
+          category: [ authentication ]
+          type: [ start ]
+          kind: event
+          outcome: unknown
         SuspiciousCreateSymbolicLink:
           category: [ malware, file ]
           type: [ creation, info ]
@@ -2359,6 +2409,79 @@ processors:
       ignore_failure: true
       ignore_empty_value: true
       if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+  - set:
+      field: user.name
+      copy_from: crowdstrike.SourceAccountSamAccountName
+      if: ctx.event?.action instanceof String && ctx.event.action.startsWith('ActiveDirectory')
+      ignore_empty_value: true
+  - set:
+      field: user.email
+      copy_from: crowdstrike.SourceAccountUserName
+      if: >-
+        ctx.event?.action instanceof String && ctx.event.action.startsWith('ActiveDirectory') &&
+        ctx.crowdstrike?.SourceAccountUserName instanceof String && ctx.crowdstrike.SourceAccountUserName.contains('@')
+      ignore_empty_value: true
+  - set:
+      field: user.id
+      copy_from: crowdstrike.SourceEndpointAccountObjectSid
+      if: ctx.event?.action instanceof String && ctx.event.action.startsWith('ActiveDirectory')
+      ignore_empty_value: true
+  - set:
+      field: user.domain
+      copy_from: crowdstrike.SourceAccountDomain
+      if: ctx.event?.action instanceof String && ctx.event.action.startsWith('ActiveDirectory')
+      ignore_empty_value: true
+  - set:
+      field: user.name
+      copy_from: crowdstrike.OriginalUserName
+      if: ctx.event?.action == 'TokenImpersonated'
+      ignore_empty_value: true
+  - set:
+      field: user.id
+      copy_from: crowdstrike.OriginalUserSid
+      if: ctx.event?.action == 'TokenImpersonated'
+      ignore_empty_value: true
+  - set:
+      field: user.target.name
+      copy_from: crowdstrike.ImpersonatedUserName
+      if: ctx.event?.action == 'TokenImpersonated'
+      ignore_empty_value: true
+  - set:
+      field: user.name
+      copy_from: crowdstrike.OriginalUserName
+      if: ctx.event?.action == 'SudoCommandAttempt'
+      ignore_empty_value: true
+  - set:
+      field: user.name
+      value: root
+      if: (ctx.user?.name == null || ctx.user.name == '') && ctx.event?.action == 'SudoCommandAttempt'
+  - set:
+      field: user.id
+      copy_from: crowdstrike.OriginalUserID
+      if: ctx.event?.action == 'SudoCommandAttempt'
+      ignore_empty_value: true
+  - set:
+      field: user.id
+      value: 0
+      if: ctx.user?.id == null && ctx.event?.action == 'SudoCommandAttempt'
+  - set:
+      field: user.target.name
+      copy_from: crowdstrike.NewUsername
+      if: ctx.event?.action == 'SudoCommandAttempt'
+      ignore_empty_value: true
+  - set:
+      field: user.target.name
+      value: root
+      if: (ctx.user?.target?.name == null || ctx.user.target.name == '') && ctx.event?.action == 'SudoCommandAttempt'
+  - set:
+      field: user.target.id
+      copy_from: crowdstrike.NewUserID
+      if: ctx.event?.action == 'SudoCommandAttempt'
+      ignore_empty_value: true
+  - set:
+      field: user.target.id
+      value: 0
+      if: ctx.user?.target?.id == null && ctx.event?.action == 'SudoCommandAttempt'
   - append:
       field: related.user
       value: "{{{user.name}}}"
@@ -2376,6 +2499,12 @@ processors:
       ignore_failure: true
       allow_duplicates: false
       if: ctx.user?.full_name != null
+  - append:
+      field: related.user
+      value: "{{{user.target.name}}}"
+      ignore_failure: true
+      allow_duplicates: false
+      if: ctx.user?.target?.name != null
 
   ## Networking fields.
   - set:

packages/crowdstrike/manifest.yml

@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.68.0"
+version: "1.69.0"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.3.1"