Enrich Elastic Defend events with Container ECS fields

[maxvarm]

Describe the enhancement: We need Elastic Defend integration to be container-aware and enrich process/network events with container.* ECS fields.

Describe a specific use case for the enhancement or feature:

• Many Linux servers, no Kubernetes, and all applications are in docker containers.
• We want to utilize Fleet-managed Elastic Agents and Elastic Defend integration for security monitoring.
• Elastic Defend can not be used to cover this use case, forcing us to fall back to other solutions or Falco:
  • Host-based Elastic Agent with Defend: Has all containers.* ECS fields empty when running process inside a container
  • Container-based Elastic with Defend: Does not work inside a container
  • Elastic Agent with Cloud Defend: Does not work inside a container without Kubernetes

(Communication in Slack with technical details: https://elasticstack.slack.com/archives/CRGSUQC20/p1689602119829169)

What is the definition of done? For Elastic Defend "process" and "network" datasets, "container.name", "container.image", and "container.id" fields are populated with container context.

1. Deploy Ubuntu 20.04 VM with docker installed
2. Deploy host-based, Fleet-managed Elastic Agent with Elastic Defend on the VM
3. Create any docker container, exec into it, run "whoami" command
4. Observe Elastic Defend "process" event with mentioned container.* fields matching the container
5. Repeat 3-4 for "network" event

[pierrehilbert]

@kevinlog FYI

[nicholasberlin]

@nick-alayil FYI