Open mbudge opened 3 months ago
Hi
I found some new username fields in the CrowdStrike data. These aren't added to ECS fields.

The first 4 are from these events:

- ActiveDirectoryServiceAccessRequest
- ActiveDirectoryAuthentication
- ActiveDirectoryServiceAccessRequestFailure
- ActiveDirectoryIncomingLdapSearchRequest
- ActiveDirectoryAuthenticationFailure
- ActiveDirectoryInteractiveDomainLogon
- ActiveDirectoryIncomingDceRpcRequest
- ActiveDirectoryIncomingPsExecExecution2
- ActiveDirectoryIncomingDceRpcEpmRequest

- crowdstrike.SourceAccountSamAccountName > user.name
- crowdstrike.SourceAccountUserName > user.email
- crowdstrike.SourceEndpointAccountObjectSid > user.id
- crowdstrike.SourceAccountDomain > user.domain
Other CrowdStrike fields not added to ECS fields:

The TokenImpersonated event.action has these fields:

- crowdstrike.ImpersonatedUserName > user.target.name ?
- crowdstrike.OriginalUserName > user.name
- crowdstrike.OriginalUserSid > user.id

These are from the SudoCommandAttempt event:

- crowdstrike.NewUserID | 0 > user.target.id
- crowdstrike.NewUsername | root > user.target.name
- crowdstrike.OriginalUserID | 0 > user.id
- crowdstrike.OriginalUserName | root > user.target.name
Thanks
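The mapping proposed in the post, applied to constructed sample events as an added example (this is not code from the integration or from the issue author). It selects a field mapping per CrowdStrike event type, copies non-empty values into the dotted ECS paths, and fills `related.user` from both the acting and target user so a search by username finds either side of a sudo or impersonation. Assumptions made by the example: the event type is read from `event_simpleName` (the raw FDR key, which the integration maps to `event.action`); for SudoCommandAttempt, `OriginalUserName` is mapped to `user.name` because `user.target.name` is already taken by `NewUsername`; all sample values (usernames, SIDs, domain) are made up.

```python
"""Apply proposed CrowdStrike -> ECS user field mappings to sample events.

Added example; not code from the Elastic CrowdStrike integration.
"""
from copy import deepcopy

# Event types the post lists as carrying the SourceAccount* fields.
AD_EVENTS = {
    "ActiveDirectoryServiceAccessRequest",
    "ActiveDirectoryAuthentication",
    "ActiveDirectoryServiceAccessRequestFailure",
    "ActiveDirectoryIncomingLdapSearchRequest",
    "ActiveDirectoryAuthenticationFailure",
    "ActiveDirectoryInteractiveDomainLogon",
    "ActiveDirectoryIncomingDceRpcRequest",
    "ActiveDirectoryIncomingPsExecExecution2",
    "ActiveDirectoryIncomingDceRpcEpmRequest",
}

# Raw CrowdStrike field -> dotted ECS path, per event type.
AD_MAPPING = {
    "SourceAccountSamAccountName": "user.name",
    "SourceAccountUserName": "user.email",
    "SourceEndpointAccountObjectSid": "user.id",
    "SourceAccountDomain": "user.domain",
}
TOKEN_IMPERSONATED_MAPPING = {
    "ImpersonatedUserName": "user.target.name",
    "OriginalUserName": "user.name",
    "OriginalUserSid": "user.id",
}
# Assumption: OriginalUserName -> user.name (user.target.name is taken by NewUsername).
SUDO_MAPPING = {
    "NewUserID": "user.target.id",
    "NewUsername": "user.target.name",
    "OriginalUserID": "user.id",
    "OriginalUserName": "user.name",
}


def set_path(doc, dotted, value):
    """Set a dotted path such as 'user.target.name', creating nested dicts."""
    node = doc
    parts = dotted.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def get_path(doc, dotted):
    """Read a dotted path; return None if any segment is missing."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def select_mapping(event):
    """Pick the mapping by event type; assumption: key is event_simpleName."""
    simple = event.get("event_simpleName")
    if simple in AD_EVENTS:
        return AD_MAPPING
    if simple == "TokenImpersonated":
        return TOKEN_IMPERSONATED_MAPPING
    if simple == "SudoCommandAttempt":
        return SUDO_MAPPING
    return {}


def to_ecs(event):
    """Return a document with the raw fields under 'crowdstrike' plus ECS user fields."""
    doc = {"crowdstrike": deepcopy(event)}
    for src, dst in select_mapping(event).items():
        value = event.get(src)
        if value in (None, ""):  # skip absent or empty raw fields
            continue
        set_path(doc, dst, value)
    # related.user lists every username on the event so either side is searchable.
    names = {get_path(doc, p) for p in ("user.name", "user.target.name")}
    names.discard(None)
    if names:
        set_path(doc, "related.user", sorted(names))
    return doc


# Constructed sample events (all values are made up).
SAMPLE_EVENTS = [
    {
        "event_simpleName": "ActiveDirectoryAuthenticationFailure",
        "SourceAccountSamAccountName": "jdoe",
        "SourceAccountUserName": "jdoe@example.com",
        "SourceEndpointAccountObjectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
        "SourceAccountDomain": "EXAMPLE",
    },
    {
        "event_simpleName": "TokenImpersonated",
        "ImpersonatedUserName": "svc_backup",
        "OriginalUserName": "jdoe",
        "OriginalUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    },
    {
        "event_simpleName": "SudoCommandAttempt",
        "NewUserID": "0",
        "NewUsername": "root",
        "OriginalUserID": "1000",
        "OriginalUserName": "jdoe",
    },
]

if __name__ == "__main__":
    import json
    for ev in SAMPLE_EVENTS:
        print(json.dumps(to_ecs(ev), indent=2))
```

Events whose type has no mapping pass through with only the `crowdstrike.*` copy and no `user` object, so the mapping never mislabels an unrelated event's fields as an ECS user.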
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
@mbudge Are you able to provide sample events to use in testing?