Fix parse of CommandLine in Falcon pipeline
sakurai-youhei committed Dec 3, 2022
1 parent c4b024d commit d6be934
Showing 3 changed files with 9 additions and 6 deletions.
Expand Up @@ -188,7 +188,7 @@
"SeverityName": "Low",
"FileName": "filename.exe",
"FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path",
"CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ",
"CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" arg1 arg2 arg3 ",
"SHA256String": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb",
"MD5String": "0ab1235adca04aef6239f5496ef0a5df",
"SHA1String": "0000000000000000000000000000000000000000",
Expand Up @@ -401,7 +401,7 @@
},
"crowdstrike": {
"event": {
"CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ",
"CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" arg1 arg2 arg3 ",
"ComputerName": "TESTDEVICE01",
"DetectDescription": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.",
"DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719",
Expand Down Expand Up @@ -492,7 +492,7 @@
"malware"
],
"kind": "alert",
"original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57047,\n \"eventType\": \"DetectionSummaryEvent\",\n \"eventCreationTime\": 1595002291000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"ProcessStartTime\": 1595002290,\n \"ProcessEndTime\": 1595002290,\n \"ProcessId\": 663790158277,\n \"ParentProcessId\": 627311656469,\n \"ComputerName\": \"TESTDEVICE01\",\n \"UserName\": \"First.last\",\n \"DetectName\": \"NGAV\",\n \"DetectDescription\": \"This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.\",\n \"Severity\": 2,\n \"SeverityName\": \"Low\",\n \"FileName\": \"filename.exe\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\",\n \"CommandLine\": \"\\\"C:\\\\ProgramData\\\\file\\\\path\\\\filename.exe\\\" \",\n \"SHA256String\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"MD5String\": \"0ab1235adca04aef6239f5496ef0a5df\",\n \"SHA1String\": \"0000000000000000000000000000000000000000\",\n \"MachineDomain\": \"NA\",\n \"ExecutablesWritten\": [\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n }\n ],\n 
\"FalconHostLink\": \"https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p\",\n \"SensorId\": \"1abcd2345b8c4151a0cb45dcfbe6d3d0\",\n \"IOCType\": \"hash_sha256\",\n \"IOCValue\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"DetectId\": \"ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719\",\n \"LocalIP\": \"10.1.190.117\",\n \"MACAddress\": \"54-ad-d4-d2-a8-0b\",\n \"Tactic\": \"Machine Learning\",\n \"Technique\": \"Sensor-based ML\",\n \"Objective\": \"Falcon Detection Method\",\n \"PatternDispositionDescription\": \"Detection, process would have been blocked if related prevention policy setting was enabled.\",\n \"PatternDispositionValue\": 2304,\n \"PatternDispositionFlags\": {\n \"Indicator\": false,\n \"Detect\": false,\n \"InddetMask\": false,\n \"SensorOnly\": false,\n \"Rooting\": false,\n \"KillProcess\": false,\n \"KillSubProcess\": false,\n \"QuarantineMachine\": false,\n \"QuarantineFile\": false,\n \"PolicyDisabled\": true,\n \"KillParent\": false,\n \"OperationBlocked\": false,\n \"ProcessBlocked\": true,\n \"RegistryOperationBlocked\": false,\n \"CriticalProcessDisabled\": false,\n \"BootupSafeguardEnabled\": false,\n \"FsOperationBlocked\": false\n },\n \"ParentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\explorer.exe\",\n \"ParentCommandLine\": \"C:\\\\Windows\\\\Explorer.EXE\",\n \"GrandparentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\userinit.exe\",\n \"GrandparentCommandLine\": \"C:\\\\Windows\\\\system32\\\\userinit.exe\"\n }\n}",
"original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57047,\n \"eventType\": \"DetectionSummaryEvent\",\n \"eventCreationTime\": 1595002291000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"ProcessStartTime\": 1595002290,\n \"ProcessEndTime\": 1595002290,\n \"ProcessId\": 663790158277,\n \"ParentProcessId\": 627311656469,\n \"ComputerName\": \"TESTDEVICE01\",\n \"UserName\": \"First.last\",\n \"DetectName\": \"NGAV\",\n \"DetectDescription\": \"This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.\",\n \"Severity\": 2,\n \"SeverityName\": \"Low\",\n \"FileName\": \"filename.exe\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\",\n \"CommandLine\": \"\\\"C:\\\\ProgramData\\\\file\\\\path\\\\filename.exe\\\" arg1 arg2 arg3 \",\n \"SHA256String\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"MD5String\": \"0ab1235adca04aef6239f5496ef0a5df\",\n \"SHA1String\": \"0000000000000000000000000000000000000000\",\n \"MachineDomain\": \"NA\",\n \"ExecutablesWritten\": [\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n }\n ],\n 
\"FalconHostLink\": \"https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p\",\n \"SensorId\": \"1abcd2345b8c4151a0cb45dcfbe6d3d0\",\n \"IOCType\": \"hash_sha256\",\n \"IOCValue\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"DetectId\": \"ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719\",\n \"LocalIP\": \"10.1.190.117\",\n \"MACAddress\": \"54-ad-d4-d2-a8-0b\",\n \"Tactic\": \"Machine Learning\",\n \"Technique\": \"Sensor-based ML\",\n \"Objective\": \"Falcon Detection Method\",\n \"PatternDispositionDescription\": \"Detection, process would have been blocked if related prevention policy setting was enabled.\",\n \"PatternDispositionValue\": 2304,\n \"PatternDispositionFlags\": {\n \"Indicator\": false,\n \"Detect\": false,\n \"InddetMask\": false,\n \"SensorOnly\": false,\n \"Rooting\": false,\n \"KillProcess\": false,\n \"KillSubProcess\": false,\n \"QuarantineMachine\": false,\n \"QuarantineFile\": false,\n \"PolicyDisabled\": true,\n \"KillParent\": false,\n \"OperationBlocked\": false,\n \"ProcessBlocked\": true,\n \"RegistryOperationBlocked\": false,\n \"CriticalProcessDisabled\": false,\n \"BootupSafeguardEnabled\": false,\n \"FsOperationBlocked\": false\n },\n \"ParentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\explorer.exe\",\n \"ParentCommandLine\": \"C:\\\\Windows\\\\Explorer.EXE\",\n \"GrandparentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\userinit.exe\",\n \"GrandparentCommandLine\": \"C:\\\\Windows\\\\system32\\\\userinit.exe\"\n }\n}",
"outcome": "unknown",
"severity": 2,
"type": [
Expand All @@ -513,9 +513,12 @@
"message": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.",
"process": {
"args": [
"\"C:\\ProgramData\\file\\path\\filename.exe\""
"\"C:\\ProgramData\\file\\path\\filename.exe\"",
"arg1",
"arg2",
"arg3"
],
"command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
"command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\" arg1 arg2 arg3",
"executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
"name": "filename.exe",
"parent": {
Expand Up @@ -309,7 +309,7 @@ processors:
commandLine = commandLine.trim();
if (commandLine != "") {
def args = Arrays.asList(/ /.split(commandLine));
def args = new ArrayList(Arrays.asList(/ /.split(commandLine)));
args.removeIf(arg -> arg == "");
ctx.process = [
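Review bot: Splitting on a single space at the `def args = new ArrayList(Arrays.asList(/ /.split(commandLine)));` line still breaks a quoted argument that contains a space — a path under `C:\Program Files\`, for instance — into several `process.args` entries, and a tab- or multi-space-separated command line yields empty tokens that `removeIf` then has to drop. Wrapping the `Arrays.asList` view in `new ArrayList` is the right fix for the `removeIf` call (the fixed-size view presumably threw on removal before), but the tokenizer itself is unchanged; `def args = new ArrayList(Arrays.asList(/\s+/.split(commandLine)));` after the `trim()` avoids the empties and handles tabs (keeping `removeIf` as a harmless guard), while quote-aware parsing of a Windows command line needs more than a regex split and is worth a comment on this line so that rules keyed on `process.args` are not assumed to see whole quoted arguments. The fixtures changed in the other two files only exercise single-space-separated, unquoted arguments, so neither case is covered by the expected output. The script body starts and ends outside the hunk.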
