crowdstrike.falcon: Fix Falcon Overview dashboard errors.

kcreddy commented 1 week ago

Proposed commit message

crowdstrike.falcon data-stream doesn't set host.hostname unlike crowdstrike.alert or crowdstrike.host. But it uses host.hostname in Falcon Overview dashboard, which leads to empty data.

Fixes made to Falcon Overview dashboard:

Use host.name in Top Related Hosts visualisation.
Use host.name field for Hostname control.
Remove unused and unset field control on observer.address.
Add Severity name to empty control using the field crowdstrike.event.SeverityName.

[!NOTE] host.name is used instead of host.hostname due to following reasons:

As per ECS definitions, host.name can contain a more generic hostname and applies to several cases, rather than host.hostname which should contain what hostname command returns which may not be always available in the event.

host.name presence is more within Security Solution, such as in Hosts flyout.

host.name:repo:elastic/detection-rules path:/^rules\// /host\.name/ is also widely used in Detection Rules than host.hostname: repo:elastic/detection-rules path:/^rules\// /host\.hostname/

Checklist

[ ] I have reviewed tips for building integrations and this pull request is aligned with them.
[ ] I have verified that all data streams collect metrics or logs.
[x] I have added an entry to my package's changelog.yml file.
[ ] I have verified that Kibana version constraints are current according to guidelines.
[ ] I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Run system tests with --defer-cleanup 30m elastic-package stack down && elastic-package build && elastic-package stack up --version=8.13.0 -d -v && eval "$(elastic-package stack shellinit)" && elastic-package test system --generate -v --defer-cleanup 30m --data-streams=falcon
Navigate to local Kibana and check if the Flacon Overview dashboard is fixed.
Terminate the waiting system test run.

Check system tests are successful.

--- Test results for package: crowdstrike - START ---
╭─────────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE     │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├─────────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ crowdstrike │ falcon      │ system    │ logfile   │ PASS   │ 36.104079292s │
╰─────────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: crowdstrike - END   ---
Done

Related issues

Screenshots

Before:

After:

elasticmachine commented 1 week ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

kcreddy commented 1 day ago

I'm able to replicate the filter issue and see it fixed by this, but cannot replicate the issue with the table with the system test cases. Could we have some additional test cases that exercise the dashboards?

@efd6, the screenshot is taken from running system tests sample. I think the table is probably not visible due to timestamp filter. Last 10 years worked for me. Let me know if I have to adjust the timestamps in the log samples.

Resolved the conflicts.