Fix and enhance handling of crowdstrike.DomainName

[peterydzynski]

Proposed commit message

This PR fixes a few bugs and also enhances the handling of domain names.

List of bug fixes:

• Fixed the logic surrounding the setting of url.scheme which would set all logs that have no destination port to url.scheme: http even if no network activity was involved. This logic is still entirely based on port which is obviously not ideal but I left that alone.
• Fixed the handling of DNS fields to apply to all DNS log types. The old logic missed a few other types of events like SuspiciousDnsRequest.
• Fixed the setting of dns.question.name which was handled by the registered domain processor which meant that all internal domains and PTR queries were not being set properly.

Enhancement:

• Added handling for crowdstrike.DomainName when the event type is not DNS related. I have only observed SMB communications with crowdstrike.DomainName so there may still be some other event types that need handling but I do not have examples.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Screenshots

[efd6]

/test

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[peterydzynski]

Thanks for the fixes @efd6

[efd6]

/test

[elastic-sonarqube]

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

[efd6]

The tests are failing with

test case failed: one or more problems with fields found in documents: [0] field "crowdstrike.ContextBaseFileName" is undefined
[1] field "crowdstrike.EventOrigin" is undefined
[2] field "crowdstrike.QueryStatus" is undefined
[3] field "crowdstrike.SmbShareName" is undefined

Please add these fields to the field definitions.

[peterydzynski]

Added mappings and actually tested on the right branch, apologies.

[efd6]

/test

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 987cefa

Failed CI Steps

• Check integrations crowdstrike

History

• 💔 Build #21236 failed c9a069b
• 💔 Build #21152 failed 6039979

[efd6]

Please run elastic-package build.