crowdstrike: handle UTCTimestamp values in Unix seconds (elastic#13833)

Apparently Crowdstrike will send this field in seconds as well as
millis; we have test cases that show the latter already. On the basis
that security events are unlikely to be ocurring in the 1970s now, use
the heuristic that timestamp values less that 1e10 are seconds and parse
on that basis.

New test case obtained from a mutation of the existing test case with
this field, but with the UTCTimestamp field truncated by three
characters.

Author: efd6

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.66.0"
+  changes:
+    - description: Handle `UTCTimestamp` values expressed in Unix seconds.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13833
 - version: "1.65.1"
   changes:
     - description: Adjust alert batch size to 1000 to match the API limit.

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log

@@ -135,3 +135,4 @@
 {"ContextBaseFileName":"SenseImdsCollector.exe","event_simpleName":"DnsRequest","ContextTimeStamp":"1738009377.497","ConfigStateHash":"138674525","ContextProcessId":"683613242245","DomainName":"metadata.google.internal","ContextThreadId":"31712204862362","aip":"67.43.156.14","QueryStatus":"9003","InterfaceIndex":"0","ConfigBuild":"1007.3.0019011.15","event_platform":"Win","DnsRequestCount":"1","DualRequest":"1","Entitlements":"15","name":"DnsRequestV5","EventOrigin":"1","id":"3d0ef474-fcc3-4f18-9ad6-7130d8ddb407","EffectiveTransmissionClass":"3","aid":"31e92a267c044d57b1c1e14109079e89","timestamp":"1738009364034","cid":"ffffffff30a3407dae27d0503611022d","RequestType":"28"}
 {"ProcessCreateFlags":"1024","IntegrityLevel":"8192","ParentProcessId":"434985540832797032","SourceProcessId":"434985540832797032","aip":"89.160.20.120","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-4084637156-299436391-3671333128-115430","event_platform":"Win","TokenType":"2","ProcessEndTime":"","ParentBaseFileName":"EmUser.exe","ImageSubsystem":"2","id":"9686a6b3-1d39-11ed-9370-0660bfa16adf","EffectiveTransmissionClass":"3","SessionId":"1","Tags":"25, 27, 862, 874, 924, 12094627905582, 12094627906234","timestamp":"1660636869410","event_simpleName":"ProcessRollup2","RawProcessId":"18446744072636268557","ConfigStateHash":"518095218","MD5HashData":"e570911fc2ab74ecf0dc59f324318f6e","SHA256HashData":"f470180a4f67ebd944570b3eaf040caa8c0713252c6228e60c413714375ccfe2","ProcessSxsFlags":"64","AuthenticationId":"29530993","ConfigBuild":"1007.3.0015103.1","CommandLine":"\"C:\\Program Files\\nirsoft\\SoundVolumeView.exe\" /SetDefault \"Teradici Virtual Audio Driver\\device\\speakers\\\" all","ParentAuthenticationId":"29530993","TargetProcessId":"434985669758362104","ImageFileName":"\\Device\\HarddiskVolume3\\Program Files\\NirSoft\\SoundVolumeView.exe","SourceThreadId":"434985668331321297","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1660636868.576","ProcessParameterFlags":"24577","aid":"50deaa55144543089a1f463b568cdc53","cid":"1301ac65ae144fbb9689a8472f828c2e"}
 {"AgentLoadFlags":"none","AgentLocalTime":"none","AgentTimeOffset":"63878691745","AgentVersion":"2025.02.1","BiosManufacturer":"none","BiosVersion":"none","ChassisType":"none","City":"Bengaluru","ComputerName":"none","ConfigBuild":"1007.32.20250201.9","ConfigIDBuild":"20250201","Continent":"Asia","Country":"India","FalconGroupingTags":"none","FirstSeen":"1742447937.000","HostHiddenStatus":"visible","MachineDomain":"none","OU":"none","PointerSize":"none","ProductType":"none","SensorGroupingTags":"none","ServicePackMajor":"none","SiteName":"none","SystemManufacturer":"Apple","SystemProductName":"none","Time":"1743094945.000","Timezone":"Asia/Kolkata","Version":"iOS 18.3.2","aid":"44444444444444444444444444444444","aip":"0.0.0.0","cid":"55555555555555555555555555555555","event_platform":"iOS"}
+{"AuthenticationId":"317005428","AuthenticationPackage":"Negotiate","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3950066843","EffectiveTransmissionClass":"2","Entitlements":"15","LogoffTime":"1604855132.756","LogonDomain":"dom1","LogonServer":"srv2","LogonTime":"1604855131.666","LogonType":"7","PasswordLastSet":"1598119332.510","RemoteAccount":"1","UserFlags":"32","UserIsAdmin":"0","UserLogoffType":"3","UserLogonFlags":"0","UserName":"user4","UserPrincipal":"[email protected]","UserSid":"S-1-5-21-606747145-1364589140-725345543-28636","aid":"ffffffffe0104823bd3de859d5bc8bc7","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogoff","id":"ffffffff-1111-11eb-8913-0287fd11c79b","name":"UserLogoffV3","UTCTimestamp":"1604855134"}

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json

@@ -11894,6 +11894,95 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2020-11-08T17:05:34.000Z",
+            "crowdstrike": {
+                "AuthenticationId": "317005428",
+                "AuthenticationPackage": "Negotiate",
+                "ConfigStateHash": "3950066843",
+                "EffectiveTransmissionClass": "2",
+                "Entitlements": "15",
+                "LogoffTime": "2020-11-08T17:05:32.756Z",
+                "LogonServer": "srv2",
+                "LogonTime": "2020-11-08T17:05:31.666Z",
+                "LogonType": "7",
+                "PasswordLastSet": "1598119332.510",
+                "RemoteAccount": "1",
+                "UserFlags": "32",
+                "UserLogoffType": "3",
+                "UserLogonFlags": "0",
+                "cid": "ffffffff30a3407dae27d0503611022d",
+                "id": "ffffffff-1111-11eb-8913-0287fd11c79b",
+                "name": "UserLogoffV3"
+            },
+            "device": {
+                "id": "ffffffffe0104823bd3de859d5bc8bc7"
+            },
+            "event": {
+                "action": "UserLogoff",
+                "category": [
+                    "authentication"
+                ],
+                "created": "2020-11-08T17:05:34.000Z",
+                "id": "ffffffff-1111-11eb-8913-0287fd11c79b|ffffffffe0104823bd3de859d5bc8bc7|ffffffff30a3407dae27d0503611022d",
+                "kind": "event",
+                "original": "{\"AuthenticationId\":\"317005428\",\"AuthenticationPackage\":\"Negotiate\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3950066843\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogoffTime\":\"1604855132.756\",\"LogonDomain\":\"dom1\",\"LogonServer\":\"srv2\",\"LogonTime\":\"1604855131.666\",\"LogonType\":\"7\",\"PasswordLastSet\":\"1598119332.510\",\"RemoteAccount\":\"1\",\"UserFlags\":\"32\",\"UserIsAdmin\":\"0\",\"UserLogoffType\":\"3\",\"UserLogonFlags\":\"0\",\"UserName\":\"user4\",\"UserPrincipal\":\"[email protected]\",\"UserSid\":\"S-1-5-21-606747145-1364589140-725345543-28636\",\"aid\":\"ffffffffe0104823bd3de859d5bc8bc7\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogoff\",\"id\":\"ffffffff-1111-11eb-8913-0287fd11c79b\",\"name\":\"UserLogoffV3\",\"UTCTimestamp\":\"1604855134\"}",
+                "outcome": "success",
+                "type": [
+                    "end"
+                ]
+            },
+            "host": {
+                "domain": "dom1",
+                "os": {
+                    "type": "windows"
+                }
+            },
+            "observer": {
+                "address": [
+                    "67.43.156.13"
+                ],
+                "geo": {
+                    "continent_name": "Asia",
+                    "country_iso_code": "BT",
+                    "country_name": "Bhutan",
+                    "location": {
+                        "lat": 27.5,
+                        "lon": 90.5
+                    }
+                },
+                "ip": [
+                    "67.43.156.13"
+                ],
+                "serial_number": "ffffffffe0104823bd3de859d5bc8bc7",
+                "version": "1007.3.0011603.1"
+            },
+            "related": {
+                "hash": [
+                    "3950066843"
+                ],
+                "hosts": [
+                    "srv2"
+                ],
+                "ip": [
+                    "67.43.156.13"
+                ],
+                "user": [
+                    "user4",
+                    "user.name"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "domain": "dom2.com",
+                "email": "[email protected]",
+                "full_name": "user.name",
+                "id": "S-1-5-21-606747145-1364589140-725345543-28636",
+                "name": "user4"
+            }
         }
     ]
 }

packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml

@@ -40,6 +40,21 @@ processors:
         - append:
             field: error.message
             value: "'{{{ _ingest.on_failure_processor_tag }}}' rename failed with message {{{ _ingest.on_failure_message }}}"
+  - convert:
+      field: crowdstrike.UTCTimestamp
+      target_field: _temp.utc_timestamp
+      type: long
+      ignore_failure: true
+  - date:
+      tag: date-timestamp-utc
+      description: Parse timestamp from event.
+      field: _temp.utc_timestamp
+      target_field: event.created
+      formats:
+        - UNIX
+      ignore_failure: true
+      if: >
+        ctx.event?.created == null && ctx._temp?.utc_timestamp instanceof long && ctx._temp.utc_timestamp < (long)1e10
   - date:
       tag: date-timestamp-utc
       description: Parse timestamp from event.

packages/crowdstrike/manifest.yml

@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.65.1"
+version: "1.66.0"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.3.1"