@navnit-elastic navnit-elastic commented Nov 18, 2025

Proposed commit message

crowdstrike: provide alternate endpoint to query host data for GovCloud CIDs

This change adds a toggle in the host data stream manifest
to switch between two different device endpoints to query host data.

The "/devices/combined/devices/v1" endpoint, which was introduced in this PR[1],
is not supported in GovCloud CIDs. This caused GovCloud users to encounter errors
when enabling the host data stream.

This change provides an option for GovCloud users to query an alternate endpoint,
"/devices/entities/devices/v2".

If the GovCloud flag is disabled, the CEL program inspects the base URL to infer
whether the integration is pointed at a GovCloud environment. If the
URL matches a known GovCloud domain, the integration avoids calling the unsupported
combined endpoint and instead uses "/devices/entities/devices/v2".

[1] https://github.com/elastic/integrations/pull/15419

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

How to test this PR locally

System Tests:

--- Test results for package: crowdstrike - START ---
╭─────────────┬─────────────┬───────────┬─────────────┬────────┬───────────────╮
│ PACKAGE     │ DATA STREAM │ TEST TYPE │ TEST NAME   │ RESULT │  TIME ELAPSED │
├─────────────┼─────────────┼───────────┼─────────────┼────────┼───────────────┤
│ crowdstrike │ host        │ system    │ common      │ PASS   │ 44.078286575s │
│ crowdstrike │ host        │ system    │ govcloud    │ PASS   │ 44.100005811s │
│ crowdstrike │ host        │ system    │ govcloudurl │ PASS   │ 44.272329058s │
╰─────────────┴─────────────┴───────────┴─────────────┴────────┴───────────────╯
--- Test results for package: crowdstrike - END   ---
Done

Screenshots

[Screenshot: Fleet "add integration" page for the crowdstrike 2.8.1 package showing the new option, captured 2025-11-19]

@navnit-elastic navnit-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:crowdstrike CrowdStrike bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Nov 18, 2025
@navnit-elastic navnit-elastic self-assigned this Nov 18, 2025

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@navnit-elastic, can you add a screenshot of how the new option would show to the users?
cc: @narph

@navnit-elastic navnit-elastic (author)

@navnit-elastic, can you add a screenshot of how the new option would show to the users? cc: @narph

@kcreddy - added it in the commit message.

Comment on lines +2 to +5
- version: "2.8.1"
changes:
- description: Provide an alternate endpoint to query host data for GovCloud CIDs.
type: bugfix

I think this is an enhancement. This is an additional feature, not a fix for an incorrect behaviour.

+1

(size(body.?errors.orValue([])) > 0) ?
{
"events": body.errors.map(error,
// This logic determines which CrowdStrike devices endpoint to call. The

If we can automagically determine the correct behaviour from the URL, why are we adding a configuration toggle? Is it the case that the known URLs are not an exhaustive enumeration of all GovCloud base URLs?

@ShourieG ShourieG Nov 20, 2025

I personally feel we should not even try to switch the request flow based on URL parsing, as it obfuscates the control flow and undermines the entire presence of the toggle.


Agree. We should do one or the other. If we can always determine the correct behaviour from the URL, we should do that; if it is less than always, we should not even try and just use a configuration.


The approach was discussed in #15795 and, since there were no alternate proposals, this was taken up. I can see that the URL check will give us correct behaviour all the time until a new GovCloud URL is launched by Crowdstrike, in which case a toggle can help quicken the SDH resolution.
I do agree that having both might be confusing and that they reduce each other's efficacy.

@ShourieG ShourieG Nov 21, 2025

If there's a chance that new GovCloud URLs can be launched in future, I feel it's best to just stick to a toggle-based approach for clarity purposes. When a failure occurs (if the toggle is not configured), it would be a clear signal to indicate the real issue in every case. Also, it's easier for support to resolve without creating an SDH if the behaviour is singular and known in advance. A dual mechanism, though efficient and less intrusive, can obfuscate the behaviour and lead to confusion in some scenarios down the line.

Comment on lines +51 to +52
// This dual-check mechanism ensures that GovCloud users do not encounter errors
// even if they forget to enable the "gov_cloud" flag in the manifest.

I'm not convinced of the value of this convenience.

+1

// This dual-check mechanism ensures that GovCloud users do not encounter errors
// even if they forget to enable the "gov_cloud" flag in the manifest.
(
state.gov_cloud || state.url.trim_right("/") in ["https://api.laggar.gcw.crowdstrike.com", "https://api.us-gov-2.crowdstrike.mil"] ?
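Review bot: the GovCloud check on the last line is an exact string comparison (`state.url.trim_right("/") in [...]`), so a base URL that differs only in host case, scheme, or an explicit port, or any GovCloud host not in the two-entry list, silently falls through to the non-GovCloud branch and the unsupported combined endpoint. Either normalise the host before comparing and say in the comment above that the list is best-effort, or, as the thread suggests, drop the inference and rely on `state.gov_cloud` alone so a misconfiguration fails visibly rather than quietly picking the wrong endpoint.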

Add a comment saying that this is the GovCloud branch.

(this is a long program, so some navigation aids will be helpful)

)
)
:
state.with(

Add comment that this is the non-GovCloud branch.

"error": {
"code": string(get_resp.StatusCode),
"id": string(get_resp.Status),
"message": "GET:" + (

Suggested change
"message": "GET:" + (
"message": "GET: " + (

"error": {
"code": string(post_resp.StatusCode),
"id": string(post_resp.Status),
"message": "POST:" + (

Suggested change
"message": "POST:" + (
"message": "POST: " + (

type: bool
title: GovCloud
description: >-
GovCloud CIDs should enable this. When enabled, the integration will automatically use CrowdStrike’s GovCloud-supported devices endpoint (`/devices/entities/devices/v2`) instead of the standard combined endpoint (`/devices/combined/devices/v1`).
@ShourieG ShourieG Nov 20, 2025

Suggested change
GovCloud CIDs should enable this. When enabled, the integration will automatically use CrowdStrike’s GovCloud-supported devices endpoint (`/devices/entities/devices/v2`) instead of the standard combined endpoint (`/devices/combined/devices/v1`).
GovCloud CIDs should enable this. When enabled, the integration will use CrowdStrike’s GovCloud-supported devices endpoint (`/devices/entities/devices/v2`) instead of the standard combined endpoint (`/devices/combined/devices/v1`).

If we are enabling the toggle, then it's no longer automatic. As for the dual safety mechanism, it undermines the presence of the toggle.

Successfully merging this pull request may close these issues.

[Crowdstrike] - "combined/devices" API endpoint is only available in Crowdstrike Commercial Cloud CID's