crowdstrike: improve device.id ECS mapping for FDR data stream (#13762)

crowdstrike: improve device.id ECS mapping for FDR data stream

This modifies the FDR ingest pipeline to set the device.id field using the observer.serial_number 
when the crowdstrike.SensorId or crowdstrike.DeviceId fields are not present in the incoming data.

Author: navnit-elastic

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.64.0"
+  changes:
+    - description: Enhance `device.id` ECS mappings for FDR data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13762
 - version: "1.63.2"
   changes:
     - description: Fix the navigation links in `Table of Contents` section.

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-data.log-expected.json

@@ -269,6 +269,9 @@
                     "version": "3.8.1"
                 }
             },
+            "device": {
+                "id": "11111111111111111111111111111111"
+            },
             "event": {
                 "id": "|11111111111111111111111111111111|22222222222222222222222222222222",
                 "original": "{\"aid\":\"11111111111111111111111111111111\",\"cid\":\"22222222222222222222222222222222\",\"hostname\":\"example-XXXXXXXXX\",\"os_version\":\"Sonoma (14)\",\"product_name\":\"\",\"product_type_desc\":\"Workstation\",\"host_hidden_status\":\"VISIBLE\",\"event_platform\":\"Mac\",\"scores\":{\"os\":89,\"sensor\":100,\"overall\":97,\"version\":\"3.8.1\",\"modified_time\":\"2024-02-13T22:33:34.077075097Z\"},\"assessments\":{\"analytics_and_improvements_mac\":\"yes\",\"application_firewall_mac\":\"yes\",\"crendential_dumping_hash_mac\":\"yes\",\"crendential_dumping_kcpassword_mac\":\"yes\",\"crowdstrike_full_disk_access\":\"yes\",\"execution_blocking_custom_blocking_enabled_mac\":\"yes\",\"execution_blocking_intel_threats_enabled_mac\":\"yes\",\"execution_blocking_suspicious_processes_enabled_mac\":\"yes\",\"file_vault_enabled_mac\":\"yes\",\"gatekeeper_mac\":\"yes\",\"internet_sharing_mac\":\"yes\",\"mac_os_version\":\"yes\",\"ml_adware_detection_mac\":\"yes\",\"ml_adware_prevention_mac\":\"yes\",\"ml_cloud_antimalware_detection_mac\":\"yes\",\"ml_cloud_antimalware_prevention_mac\":\"yes\",\"ml_sensor_adware_and_pup_detection_mac\":\"yes\",\"ml_sensor_adware_and_pup_prevention_mac\":\"yes\",\"ml_sensor_antimalware_detection_mac\":\"yes\",\"ml_sensor_antimalware_prevention_mac\":\"yes\",\"quarantine_mac\":\"yes\",\"real_time_response_enabled_mac\":\"yes\",\"remote_login_mac\":\"yes\",\"script_based_execution_monitoring_mac\":\"yes\",\"sip_enabled_mac\":\"yes\",\"stealth_mode_mac\":\"no\",\"system_full_disk_access_mac\":\"no\",\"unauthorized_remote_access_chopper_mac\":\"yes\",\"unauthorized_remote_access_empyre_mac\":\"yes\",\"unauthorized_remote_access_xpcom_mac\":\"yes\"},\"event_type\":\"ZeroTrustHostAssessment\"}"

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-lengthy-field-delete.log-expected.json

@@ -48,6 +48,9 @@
                     "version": "3.8.1"
                 }
             },
+            "device": {
+                "id": "1111"
+            },
             "event": {
                 "created": "2020-10-01T09:58:32.519Z",
                 "id": "|1111|2222",

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-lengthy-field-index.log-expected.json

@@ -49,6 +49,9 @@
                     "version": "3.8.1"
                 }
             },
+            "device": {
+                "id": "1111"
+            },
             "event": {
                 "created": "2020-10-01T09:58:32.519Z",
                 "id": "|1111|2222",