[Crowdstrike FDR] The Field crowdstrike.CommandHistory should be explicitly mapped as both keyword and match_only_text

[leandrojmp]

Hello,

Currently the field crowdstrike.CommandHistory from the FDR dataset doesn't seem to be explicitly mapped, so it is being mapped only as keyword, but the content of this field is a command line that was executed by the user where you want to search for just part of it.

This is simlar to the field process.comand_line which is a mult-field and have the match_only_text equivalent as process.command_line.text where you can search by anything that could be present on the command line.

For this same reason the crowdstrike.CommandHistory also need to be a multi-field and the crowdstrike.CommandHistory.text field should be created as a match_only_text.

A quick example of the values on this field:

It gets a history of the commands typed and we use this for some rules.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)