crowdstrike.fdr: avoid mapping conflict when host metadata is not an object

[chemamartinez]

Proposed commit message

Found this error in a live scenario:

{\"type\":\"document_parsing_exception\",\"reason\":\"[1:2175] object mapping for [crowdstrike.info.host] tried to parse field [host] as object, but found a concrete value\"}, dropping event!

Where event being dropped contains metadata host info as follows:

{
  "metadata": {
    "host": "example_host_name"
  }
}

metadata.host is supposed to be an object with several host fields, so when it is renamed to crowdstrike.info.host it causes the error above, as this field is mapped as an object.

This fix is being backported to skip the current minimum required Kibana version (8.16.0).

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[andrewkroh]

Can you please add a test case for this.

Another solution would be to adopt subobjects: false for the data stream.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 06b176e

cc @chemamartinez

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
16.7% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[chemamartinez]

Can you please add a test case for this.

I will add a test case.

Another solution would be to adopt subobjects: false for the data stream.

Isn't the subject approach conditioned by elastic/kibana#193044? this was fixed for 8.17 and this fix needs to work in older versions.

[andrewkroh]

Isn't the subject approach conditioned by elastic/kibana#193044? this was fixed for 8.17 and this fix needs to work in older versions.

Probably. I know the fix is required when you set subobects at the field level, but not sure about when you change it at the data stream level.