crowdstrike: do not populate related.hosts with IP values (elastic#8684)

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.26.2"
+  changes:
+    - description: Do not populate `related.hosts` with IP values.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/8684
 - version: "1.26.1"
   changes:
     - description: Fix exclude_files pattern.

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-cspmsearch-streaming.log-expected.json

@@ -48,7 +48,7 @@
                 "kind": "alert",
                 "original": "{\n\t\"metadata\": {\n\n\t\t\"customerIDString\": \"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\n\t\t\"offset\": 54712611,\n\t\t\"eventType\": \"CSPMSearchStreamingEvent\",\n\t\t\"eventCreationTime\": 1663009688832,\n\t\t\"version\": \"1.0\"\n\t},\n\t\"event\": {\n\t\t\"AccountId\": \"XXXXXXXXXXXX\",\n\t\t\"Region\": \"us-west-2\",\n\t\t\"ResourceId\": \"i-0108fce80eXXXXXXX\",\n\t\t\"ResourceIdType\": \"Instance Id\",\n\t\t\"ResourceName\": \"\",\n\t\t\"ResourceCreateTime\": 0,\n\t\t\"PolicyStatement\": \"EC2 NACL configured for global ingress\",\n\t\t\"PolicyId\": 26,\n\t\t\"Severity\": 1,\n\t\t\"SeverityName\": \"High\",\n\t\t\"CloudPlatform\": \"AWS\",\n\t\t\"CloudService\": \"EC2\",\n\t\t\"Disposition\": \"Failed\",\n\t\t\"ResourceUrl\": \"https://us-west-2.console.aws.amazon.com/ec2/v2/home?region=us-west-2#InstanceDetails:instanceId=i-0108fce80eXXXXXXX\",\n\t\t\"Finding\": \"Instance ID: i-0108fce80e5ab5129|VPC ID: vpc-0e886040c27d9f526|Network ACL ID: acl-005e6bb98e75ac17e|Rule Number: 100|CIDR Block: 0.0.0.0/0|Protocol: All\",\n\t\t\"ResourceAttributes\": \"{\\\"ACL ID\\\": \\\"acl - 005e6 bb98e75ac17e\\\",\\\"VPC ID\\\": \\\"vpc - 0e886040 c27d9f526\\\",\\\"Platform\\\": \\\"Linux\\\",\\\"Instance ID\\\": \\\"i - 0108 fce80eXXXXXXX\\\",\\\"Launch Time\\\": \\\"2022 - 09 - 12 17: 11: 06 + 00\\\",\\\"Instance State\\\": \\\"running\\\"}\",\n\t\t\"Tags\": [{\n\t\t\t\"Key\": \"cstag-business\",\n\t\t\t\"ValueString\": \"Sales\"\n\t\t}, {\n\t\t\t\"Key\": \"cstag-accounting\",\n\t\t\t\"ValueString\": \"dev\"\n\t\t}, {\n\t\t\t\"Key\": \"cstag-department\",\n\t\t\t\"ValueString\": \"Sales - 310000\"\n\t\t}, {\n\t\t\t\"Key\": \"Slackbot Env UUID\",\n\t\t\t\"ValueString\": \"C68EC25E-32BD-11ED-AE4B-0EBCA3237C75\"\n\t\t}, {\n\t\t\t\"Key\": \"Name\",\n\t\t\t\"ValueString\": \"CS-SE-Demo-KALI-ROBERT.WILSON\"\n\t\t}, {\n\t\t\t\"Key\": \"Slack_User\",\n\t\t\t\"ValueString\": \"bob.smith\"\n\t\t}, {\n\t\t\t\"Key\": \"cstag-owner\",\n\t\t\t\"ValueString\": \"jane.doe\"\n\t\t}],\n\t\t\"ReportUrl\": \"https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\\u0026policy_id=26\\u0026scan_id=1a8adc1c36aa7d83e90e5c06\\u0026service=EC2\",\n\t\t\"Timestamp\": 1663009688832\n\t}\n}",
                 "outcome": "failure",
-                "reference": "https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\u0026policy_id=26\u0026scan_id=1a8adc1c36aa7d83e90e5c06\u0026service=EC2",
+                "reference": "https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26&policy_id=26&scan_id=1a8adc1c36aa7d83e90e5c06&service=EC2",
                 "severity": 1,
                 "type": [
                     "info",

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-detection-summary.log-expected.json

@@ -166,7 +166,7 @@
                 "preserve_original_event"
             ],
             "threat": {
-                "framework": "MITRE ATT\u0026CK",
+                "framework": "MITRE ATT&CK",
                 "tactic": {
                     "name": [
                         "Malware"

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json

@@ -105,7 +105,7 @@
                 "preserve_original_event"
             ],
             "threat": {
-                "framework": "MITRE ATT\u0026CK",
+                "framework": "MITRE ATT&CK",
                 "tactic": {
                     "name": [
                         "Malware"

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-firewall.log-expected.json

@@ -55,7 +55,7 @@
             "host": {
                 "name": "TESTDEVICE01"
             },
-            "message": "Firewall Rule: 'Inbound SMB Block \u0026 Log Private' triggered - Action: 'Blocked'",
+            "message": "Firewall Rule: 'Inbound SMB Block & Log Private' triggered - Action: 'Blocked'",
             "network": {
                 "direction": "ingress",
                 "type": "ipv4"
@@ -84,7 +84,7 @@
             "rule": {
                 "category": "fec73e96a1bf4481be582c3f89b234fa",
                 "id": "4877172638743447345",
-                "name": "Inbound SMB Block \u0026 Log Private",
+                "name": "Inbound SMB Block & Log Private",
                 "ruleset": "SMB Rules"
             },
             "source": {

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-mobile-detection-summary.log-expected.json

@@ -70,7 +70,7 @@
                 "preserve_original_event"
             ],
             "threat": {
-                "framework": "MITRE ATT\u0026CK",
+                "framework": "MITRE ATT&CK",
                 "tactic": {
                     "id": [
                         "CSTA0009"

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-recon-notification.log-expected.json

@@ -5,7 +5,7 @@
             "crowdstrike": {
                 "event": {
                     "Highlights": [
-                        "Some highlighed text \u0026lt;cs-highlight\u0026gt;test\u0026lt;/cs-highlight\u0026gt; \u0026lt;cs-highlight\u0026gt;gdsfgasd\u0026lt;/cs-highlight\u0026gt;.\n\nAs an Some more text"
+                        "Some highlighed text <cs-highlight>test</cs-highlight> <cs-highlight>gdsfgasd</cs-highlight>.\n\nAs an Some more text"
                     ],
                     "ItemPostedTimestamp": 1686873909000,
                     "ItemType": "post",

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json

@@ -54,7 +54,7 @@
             "host": {
                 "name": "TESTDEVICE01"
             },
-            "message": "Firewall Rule: 'Inbound SMB Block \u0026 Log Private' triggered - Action: 'Blocked'",
+            "message": "Firewall Rule: 'Inbound SMB Block & Log Private' triggered - Action: 'Blocked'",
             "network": {
                 "direction": "ingress",
                 "type": "ipv4"
@@ -78,7 +78,7 @@
             "rule": {
                 "category": "fec73e96a1bf4481be582c3f89b234fa",
                 "id": "4877172638743447345",
-                "name": "Inbound SMB Block \u0026 Log Private",
+                "name": "Inbound SMB Block & Log Private",
                 "ruleset": "SMB Rules"
             },
             "source": {
@@ -540,7 +540,7 @@
                 "preserve_original_event"
             ],
             "threat": {
-                "framework": "MITRE ATT\u0026CK",
+                "framework": "MITRE ATT&CK",
                 "tactic": {
                     "name": [
                         "Machine Learning"

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-tags-list.log-expected.json

@@ -48,7 +48,7 @@
                 "kind": "alert",
                 "original": "{\n\t\"metadata\": {\n\n\t\t\"customerIDString\": \"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\n\t\t\"offset\": 54712611,\n\t\t\"eventType\": \"CSPMSearchStreamingEvent\",\n\t\t\"eventCreationTime\": 1663009688832,\n\t\t\"version\": \"1.0\"\n\t},\n\t\"event\": {\n\t\t\"AccountId\": \"XXXXXXXXXXXX\",\n\t\t\"Region\": \"us-west-2\",\n\t\t\"ResourceId\": \"i-0108fce80eXXXXXXX\",\n\t\t\"ResourceIdType\": \"Instance Id\",\n\t\t\"ResourceName\": \"\",\n\t\t\"ResourceCreateTime\": 0,\n\t\t\"PolicyStatement\": \"EC2 NACL configured for global ingress\",\n\t\t\"PolicyId\": 26,\n\t\t\"Severity\": 1,\n\t\t\"SeverityName\": \"High\",\n\t\t\"CloudPlatform\": \"AWS\",\n\t\t\"CloudService\": \"EC2\",\n\t\t\"Disposition\": \"Failed\",\n\t\t\"ResourceUrl\": \"https://us-west-2.console.aws.amazon.com/ec2/v2/home?region=us-west-2#InstanceDetails:instanceId=i-0108fce80eXXXXXXX\",\n\t\t\"Finding\": \"Instance ID: i-0108fce80e5ab5129|VPC ID: vpc-0e886040c27d9f526|Network ACL ID: acl-005e6bb98e75ac17e|Rule Number: 100|CIDR Block: 0.0.0.0/0|Protocol: All\",\n\t\t\"ResourceAttributes\": \"{\\\"ACL ID\\\": \\\"acl - 005e6 bb98e75ac17e\\\",\\\"VPC ID\\\": \\\"vpc - 0e886040 c27d9f526\\\",\\\"Platform\\\": \\\"Linux\\\",\\\"Instance ID\\\": \\\"i - 0108 fce80eXXXXXXX\\\",\\\"Launch Time\\\": \\\"2022 - 09 - 12 17: 11: 06 + 00\\\",\\\"Instance State\\\": \\\"running\\\"}\",\n\t\t\"Tags\": \"SensorGroupingTags/TEACHER, SensorGroupingTags/XYZ, 321, 1111\",\n\t\t\"ReportUrl\": \"https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\\u0026policy_id=26\\u0026scan_id=1a8adc1c36aa7d83e90e5c06\\u0026service=EC2\",\n\t\t\"Timestamp\": 1663009688832\n\t}\n}",
                 "outcome": "failure",
-                "reference": "https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\u0026policy_id=26\u0026scan_id=1a8adc1c36aa7d83e90e5c06\u0026service=EC2",
+                "reference": "https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26&policy_id=26&scan_id=1a8adc1c36aa7d83e90e5c06&service=EC2",
                 "severity": 1,
                 "type": [
                     "info",

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-tags.log-expected.json

@@ -48,7 +48,7 @@
                 "kind": "alert",
                 "original": "{\n\t\"metadata\": {\n\n\t\t\"customerIDString\": \"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\n\t\t\"offset\": 54712611,\n\t\t\"eventType\": \"CSPMSearchStreamingEvent\",\n\t\t\"eventCreationTime\": 1663009688832,\n\t\t\"version\": \"1.0\"\n\t},\n\t\"event\": {\n\t\t\"AccountId\": \"XXXXXXXXXXXX\",\n\t\t\"Region\": \"us-west-2\",\n\t\t\"ResourceId\": \"i-0108fce80eXXXXXXX\",\n\t\t\"ResourceIdType\": \"Instance Id\",\n\t\t\"ResourceName\": \"\",\n\t\t\"ResourceCreateTime\": 0,\n\t\t\"PolicyStatement\": \"EC2 NACL configured for global ingress\",\n\t\t\"PolicyId\": 26,\n\t\t\"Severity\": 1,\n\t\t\"SeverityName\": \"High\",\n\t\t\"CloudPlatform\": \"AWS\",\n\t\t\"CloudService\": \"EC2\",\n\t\t\"Disposition\": \"Failed\",\n\t\t\"ResourceUrl\": \"https://us-west-2.console.aws.amazon.com/ec2/v2/home?region=us-west-2#InstanceDetails:instanceId=i-0108fce80eXXXXXXX\",\n\t\t\"Finding\": \"Instance ID: i-0108fce80e5ab5129|VPC ID: vpc-0e886040c27d9f526|Network ACL ID: acl-005e6bb98e75ac17e|Rule Number: 100|CIDR Block: 0.0.0.0/0|Protocol: All\",\n\t\t\"ResourceAttributes\": \"{\\\"ACL ID\\\": \\\"acl - 005e6 bb98e75ac17e\\\",\\\"VPC ID\\\": \\\"vpc - 0e886040 c27d9f526\\\",\\\"Platform\\\": \\\"Linux\\\",\\\"Instance ID\\\": \\\"i - 0108 fce80eXXXXXXX\\\",\\\"Launch Time\\\": \\\"2022 - 09 - 12 17: 11: 06 + 00\\\",\\\"Instance State\\\": \\\"running\\\"}\",\n\t\t\"Tags\": \"SensorGroupingTags/TEACHER\",\n\t\t\"ReportUrl\": \"https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\\u0026policy_id=26\\u0026scan_id=1a8adc1c36aa7d83e90e5c06\\u0026service=EC2\",\n\t\t\"Timestamp\": 1663009688832\n\t}\n}",
                 "outcome": "failure",
-                "reference": "https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\u0026policy_id=26\u0026scan_id=1a8adc1c36aa7d83e90e5c06\u0026service=EC2",
+                "reference": "https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26&policy_id=26&scan_id=1a8adc1c36aa7d83e90e5c06&service=EC2",
                 "severity": 1,
                 "type": [
                     "info",

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-xdr-detection-summary.log-expected.json

@@ -62,7 +62,7 @@
                 "preserve_original_event"
             ],
             "threat": {
-                "framework": "MITRE ATT\u0026CK",
+                "framework": "MITRE ATT&CK",
                 "tactic": {
                     "id": [
                         "TA0001",

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-data.log-expected.json

@@ -92,8 +92,7 @@
             },
             "related": {
                 "hosts": [
-                    "ip-172-18-63-230.ec2.internal",
-                    "172.17.0.1"
+                    "ip-172-18-63-230.ec2.internal"
                 ],
                 "ip": [
                     "172.17.0.1"
@@ -209,8 +208,7 @@
             },
             "related": {
                 "hosts": [
-                    "ip-172-18-63-230.ec2.internal",
-                    "172.17.0.1"
+                    "ip-172-18-63-230.ec2.internal"
                 ],
                 "ip": [
                     "172.17.0.1"