crowdstrike: support string-encoded numbers fields

New tests are derived from existing tests, but with numbers quoted.

Author: efd6

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.9.0"
+  changes:
+    - description: Support handling FDR documents that encode numbers as strings.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/
 - version: "2.8.0"
   changes:
     - description: Add support for HTTP proxy configuration for Event Streams. Add support for proxy header configuration for CrowdStrike APIs.

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-data.log

@@ -1,3 +1,5 @@
 {"eid":118,"SensorId":"55555555555555555555555555555555","Tactic":"Machine Learning","CustomerIdString":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","EventType":"Event_ExternalApiEvent","ParentProcessId":1680759529306198500,"FileName":"webhook","UTCTimestamp":1680759530000,"FalconHostLink":"https://falcon.us-2.crowdstrike.com/activity/detections/detail/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/111111111?_cid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","ParentImageFileName":"/bin/busybox","MachineDomain":"","GrandparentImageFileName":"/memfd:runc_cloned:/proc/self/exe (deleted)","HostGroups":"26666666666666666666666666666666","OriginSourceIpAddress":"","SHA1String":"0000000000000000000000000000000000000000","ProcessEndTime":0,"IOCValue":"31a0f9b83d1cd121cef133333333333333333333333333333333333333333333","LocalIP":"172.17.0.1","DetectDescription":"This file meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.","ParentCommandLine":"/bin/sh ./run.sh","Tags":"SensorGroupingTags/aws-k8s-production","timestamp":"2023-04-06T05:38:50Z","FilePath":"/","UserName":"cherry","PatternDispositionFlags":{"BootupSafeguardEnabled":false,"QuarantineFile":false,"QuarantineMachine":false,"HandleOperationDowngraded":false,"Detect":false,"RegistryOperationBlocked":false,"KillParent":false,"Indicator":false,"FsOperationBlocked":false,"OperationBlocked":false,"SuspendParent":false,"SuspendProcess":false,"KillProcess":true,"ProcessBlocked":false,"BlockingUnsupportedOrDisabled":false,"PolicyDisabled":true,"KillActionFailed":false,"SensorOnly":false,"CriticalProcessDisabled":false,"KillSubProcess":false,"Rooting":false,"InddetMask":false},"EventUUID":"14688888888888888888888888888888","MD5String":"cf288888888888888888888888888888","SeverityName":"Medium","PatternDispositionDescription":"Detection, process would have been killed if related prevention policy setting was enabled.","Severity":3,"DetectId":"ldt:45bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:111111111","PatternDispositionValue":272,"ExternalApiType":"Event_DetectionSummaryEvent","SHA256String":"31a0333333333333333333333333333333333333333333333333333333333333","Nonce":1,"Objective":"Falcon Detection Method","CommandLine":"./webhook -verbosity=0 -port=8080 -cacheLimit=26000 -cacheTtl=7200 -maxClientConnsPerHost=5000 -maxDialsPerSecond=1800 -fakeMode=false -useMemoryLimit=true -memoryLimit=4096Mi -memoryLimitWarning=80 -memoryLimitCritical=90 -maxSurgeRPS=10000","MACAddress":"02-02-02-02-02-02","GrandparentCommandLine":"runc init","ProcessStartTime":1680759529,"ComputerName":"ip-172-18-63-230.ec2.internal","DetectName":"NGAV","AgentIdString":"45444444444444444444444444444444","IOCType":"hash_sha256","ProcessId":1680759529508885200,"Technique":"Sensor-based ML","AssociatedFile":"/webhook","cid":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
 {"eid":119,"SensorId":"666666666","Tactic":"Machine Learning","CustomerIdString":"bbbbbbb","EventType":"Event_ExternalApiEvent","ParentProcessId":1680759529306198500,"FileName":"webhook","UTCTimestamp":1680659520000,"FalconHostLink":"https://falcon.us-2.crowdstrike.com/activity/detections/detail/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/111111111?_cid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","ParentImageFileName":"/bin/busybox","MachineDomain":"","GrandparentImageFileName":"/memfd:runc_cloned:/proc/self/exe (deleted)","HostGroups":"26666666666666666666666666666666","OriginSourceIpAddress":"","SHA1String":"0000000000000000000000000000000000000000","ProcessEndTime":1680769672,"IOCValue":"31a0f9b83d1cd121cef133333333333333333333333333333333333333333333","LocalIP":"172.17.0.1","DetectDescription":"This file meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.","ParentCommandLine":"/bin/sh ./run.sh","Tags":"SensorGroupingTags/aws-k8s-production","timestamp":"2023-04-06T05:38:50Z","FilePath":"/","UserName":"cherry","PatternDispositionFlags":{"BootupSafeguardEnabled":false,"QuarantineFile":false,"QuarantineMachine":false,"HandleOperationDowngraded":false,"Detect":false,"RegistryOperationBlocked":false,"KillParent":false,"Indicator":false,"FsOperationBlocked":false,"OperationBlocked":false,"SuspendParent":false,"SuspendProcess":false,"KillProcess":true,"ProcessBlocked":false,"BlockingUnsupportedOrDisabled":false,"PolicyDisabled":true,"KillActionFailed":false,"SensorOnly":false,"CriticalProcessDisabled":false,"KillSubProcess":false,"Rooting":false,"InddetMask":false},"EventUUID":"14688888888888888888888888888888","MD5String":"cf288888888888888888888888888888","SeverityName":"Medium","PatternDispositionDescription":"Detection, process would have been killed if related prevention policy setting was enabled.","Severity":3,"DetectId":"ldt:45bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:111111111","PatternDispositionValue":272,"ExternalApiType":"Event_DetectionSummaryEvent","SHA256String":"31a0333333333333333333333333333333333333333333333333333333333333","Nonce":1,"Objective":"Falcon Detection Method","CommandLine":"./webhook -verbosity=0 -port=8080 -cacheLimit=26000 -cacheTtl=7200 -maxClientConnsPerHost=5000 -maxDialsPerSecond=1800 -fakeMode=false -useMemoryLimit=true -memoryLimit=4096Mi -memoryLimitWarning=80 -memoryLimitCritical=90 -maxSurgeRPS=10000","MACAddress":"02-02-02-02-02-02","GrandparentCommandLine":"runc init","ProcessStartTime":1680759529,"ComputerName":"ip-172-18-63-230.ec2.internal","DetectName":"NGAV","AgentIdString":"45444444444444444444444444444444","IOCType":"hash_sha256","ProcessId":1680759529508885200,"Technique":"Sensor-based ML","AssociatedFile":"/webhook","cid":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
+{"eid":119,"SensorId":"666666666","Tactic":"Machine Learning","CustomerIdString":"bbbbbbb","EventType":"Event_ExternalApiEvent","ParentProcessId":1680759529306198500,"FileName":"webhook","UTCTimestamp":1680659520000,"FalconHostLink":"https://falcon.us-2.crowdstrike.com/activity/detections/detail/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/111111111?_cid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","ParentImageFileName":"/bin/busybox","MachineDomain":"","GrandparentImageFileName":"/memfd:runc_cloned:/proc/self/exe (deleted)","HostGroups":"26666666666666666666666666666666","OriginSourceIpAddress":"","SHA1String":"0000000000000000000000000000000000000000","ProcessEndTime":1680769672,"IOCValue":"31a0f9b83d1cd121cef133333333333333333333333333333333333333333333","LocalIP":"172.17.0.1","DetectDescription":"This file meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.","ParentCommandLine":"/bin/sh ./run.sh","Tags":"SensorGroupingTags/aws-k8s-production","timestamp":"2023-04-06T05:38:50Z","FilePath":"/","UserName":"cherry","PatternDispositionFlags":{"BootupSafeguardEnabled":false,"QuarantineFile":false,"QuarantineMachine":false,"HandleOperationDowngraded":false,"Detect":false,"RegistryOperationBlocked":false,"KillParent":false,"Indicator":false,"FsOperationBlocked":false,"OperationBlocked":false,"SuspendParent":false,"SuspendProcess":false,"KillProcess":true,"ProcessBlocked":false,"BlockingUnsupportedOrDisabled":false,"PolicyDisabled":true,"KillActionFailed":false,"SensorOnly":false,"CriticalProcessDisabled":false,"KillSubProcess":false,"Rooting":false,"InddetMask":false},"EventUUID":"14688888888888888888888888888888","MD5String":"cf288888888888888888888888888888","SeverityName":"Medium","PatternDispositionDescription":"Detection, process would have been killed if related prevention policy setting was enabled.","Severity":"3","DetectId":"ldt:45bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:111111111","PatternDispositionValue":272,"ExternalApiType":"Event_DetectionSummaryEvent","SHA256String":"31a0333333333333333333333333333333333333333333333333333333333333","Nonce":1,"Objective":"Falcon Detection Method","CommandLine":"./webhook -verbosity=0 -port=8080 -cacheLimit=26000 -cacheTtl=7200 -maxClientConnsPerHost=5000 -maxDialsPerSecond=1800 -fakeMode=false -useMemoryLimit=true -memoryLimit=4096Mi -memoryLimitWarning=80 -memoryLimitCritical=90 -maxSurgeRPS=10000","MACAddress":"02-02-02-02-02-02","GrandparentCommandLine":"runc init","ProcessStartTime":1680759529,"ComputerName":"ip-172-18-63-230.ec2.internal","DetectName":"NGAV","AgentIdString":"45444444444444444444444444444444","IOCType":"hash_sha256","ProcessId":1680759529508885200,"Technique":"Sensor-based ML","AssociatedFile":"/webhook","cid":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
 {"aid":"11111111111111111111111111111111","cid":"22222222222222222222222222222222","hostname":"example-XXXXXXXXX","os_version":"Sonoma (14)","product_name":"","product_type_desc":"Workstation","host_hidden_status":"VISIBLE","event_platform":"Mac","scores":{"os":89,"sensor":100,"overall":97,"version":"3.8.1","modified_time":"2024-02-13T22:33:34.077075097Z"},"assessments":{"analytics_and_improvements_mac":"yes","application_firewall_mac":"yes","crendential_dumping_hash_mac":"yes","crendential_dumping_kcpassword_mac":"yes","crowdstrike_full_disk_access":"yes","execution_blocking_custom_blocking_enabled_mac":"yes","execution_blocking_intel_threats_enabled_mac":"yes","execution_blocking_suspicious_processes_enabled_mac":"yes","file_vault_enabled_mac":"yes","gatekeeper_mac":"yes","internet_sharing_mac":"yes","mac_os_version":"yes","ml_adware_detection_mac":"yes","ml_adware_prevention_mac":"yes","ml_cloud_antimalware_detection_mac":"yes","ml_cloud_antimalware_prevention_mac":"yes","ml_sensor_adware_and_pup_detection_mac":"yes","ml_sensor_adware_and_pup_prevention_mac":"yes","ml_sensor_antimalware_detection_mac":"yes","ml_sensor_antimalware_prevention_mac":"yes","quarantine_mac":"yes","real_time_response_enabled_mac":"yes","remote_login_mac":"yes","script_based_execution_monitoring_mac":"yes","sip_enabled_mac":"yes","stealth_mode_mac":"no","system_full_disk_access_mac":"no","unauthorized_remote_access_chopper_mac":"yes","unauthorized_remote_access_empyre_mac":"yes","unauthorized_remote_access_xpcom_mac":"yes"},"event_type":"ZeroTrustHostAssessment"}
+{"aid":"11111111111111111111111111111111","cid":"22222222222222222222222222222222","hostname":"example-XXXXXXXXX","os_version":"Sonoma (14)","product_name":"","product_type_desc":"Workstation","host_hidden_status":"VISIBLE","event_platform":"Mac","scores":{"os":"89","sensor":"100","overall":"97","version":"3.8.1","modified_time":"2024-02-13T22:33:34.077075097Z"},"assessments":{"analytics_and_improvements_mac":"yes","application_firewall_mac":"yes","crendential_dumping_hash_mac":"yes","crendential_dumping_kcpassword_mac":"yes","crowdstrike_full_disk_access":"yes","execution_blocking_custom_blocking_enabled_mac":"yes","execution_blocking_intel_threats_enabled_mac":"yes","execution_blocking_suspicious_processes_enabled_mac":"yes","file_vault_enabled_mac":"yes","gatekeeper_mac":"yes","internet_sharing_mac":"yes","mac_os_version":"yes","ml_adware_detection_mac":"yes","ml_adware_prevention_mac":"yes","ml_cloud_antimalware_detection_mac":"yes","ml_cloud_antimalware_prevention_mac":"yes","ml_sensor_adware_and_pup_detection_mac":"yes","ml_sensor_adware_and_pup_prevention_mac":"yes","ml_sensor_antimalware_detection_mac":"yes","ml_sensor_antimalware_prevention_mac":"yes","quarantine_mac":"yes","real_time_response_enabled_mac":"yes","remote_login_mac":"yes","script_based_execution_monitoring_mac":"yes","sip_enabled_mac":"yes","stealth_mode_mac":"no","system_full_disk_access_mac":"no","unauthorized_remote_access_chopper_mac":"yes","unauthorized_remote_access_empyre_mac":"yes","unauthorized_remote_access_xpcom_mac":"yes"},"event_type":"ZeroTrustHostAssessment","timestamp":"1601546312519"}