
RELOPS-2331: add CrowdStrike NGSIEM event hub log forwarding#292

Merged
jwmossmoz merged 1 commit into master from relops-2331-crowdstrike-eventhub on Apr 20, 2026
Conversation

@jwmossmoz
Contributor

Summary

Stream Azure activity logs and Entra ID tenant logs to CrowdStrike Falcon Next-Gen SIEM via a dedicated Event Hub Namespace in the InfraSec subscription. Splunk forwarding is unchanged and continues to receive the same log categories in parallel.

Jira: RELOPS-2331

Changes

  • terraform/azure_infrasec/crowdstrike.tf (new): resource group rg-crowdstrike-eventhub, Event Hub Namespace mozcrowdstrikeeventhub (Standard, TLS 1.2, auto-inflate), entralogs and activitylogs hubs (7-day retention), NGSIEM-dedicated consumer groups, subscription-scope azurerm_monitor_diagnostic_setting, and tenant-scope azurerm_monitor_aad_diagnostic_setting.
  • terraform/azure_ad/sp_crowdstrike.tf (new): Entra application and service principal sp-infosec-crowdstrike-eventhub. Client secret is managed in the Azure portal, not Terraform.
  • terraform/azure_ad/rbac.tf: Azure Event Hubs Data Receiver on the CrowdStrike namespace for the new SP, plus Reader on the tenant root management group for the InfraSec and Releng groups so the azurerm_management_group data source resolves.

Subscription enumeration

Diagnostic settings iterate over subscriptions discovered from the tenant root management group (c0dc8bb0-...), filtered to exclude Azure subscription 1. New subscriptions added to the tenant onboard automatically on the next apply.

Apply order

  1. cd terraform/azure_ad && terraform plan && terraform apply — creates the role assignments for MG reader and the Entra app/SP.
  2. cd terraform/azure_infrasec && terraform plan && terraform apply — creates the namespace, hubs, consumer groups, and diagnostic settings.
  3. Azure portal: Entra ID → App registrations → sp-infosec-crowdstrike-eventhub → Certificates & secrets → create a client secret. Hand the value to SecOps along with the crowdstrike_eventhub_client_id and crowdstrike_eventhub_tenant_id outputs.
  4. SecOps configures the Falcon data connector with the above plus namespace / hub / consumer group names (from the azure_infrasec outputs).

Test plan

  • terraform plan in azure_ad shows only the three new role assignments and the new app/SP
  • terraform plan in azure_infrasec shows the new resource group, namespace, hubs, consumer groups, and diagnostic settings; verify the crowdstrike_forwarding_subscriptions output excludes Azure subscription 1
  • After apply, confirm activity logs appear on the activitylogs hub and Entra logs on the entralogs hub via the Azure portal Messages chart (PDF Step 7)
  • SecOps validates ingestion in Falcon (PDF Step 9)

Stream Azure activity logs and Entra ID tenant logs to CrowdStrike Falcon
Next-Gen SIEM via a dedicated Event Hub Namespace in the InfraSec
subscription. Splunk forwarding is unchanged.

- azure_infrasec/crowdstrike.tf: resource group, Event Hub Namespace,
  entralogs and activitylogs hubs, NGSIEM-dedicated consumer groups,
  subscription and tenant diagnostic settings. Subscriptions are
  discovered from the tenant root management group and filtered to
  exclude "Azure subscription 1".
- azure_ad/sp_crowdstrike.tf: Entra application and service principal
  for the Falcon connector. Client secret is managed in the portal.
- azure_ad/rbac.tf: Event Hubs Data Receiver on the namespace for the
  new SP, plus Reader on the tenant root management group for the
  InfraSec and Releng groups so the management group data source
  resolves.
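The subscription enumeration, hub layout and diagnostic-setting fan-out described in the PR, sketched as an added Terraform example. This is not the PR's crowdstrike.tf, sp_crowdstrike.tf or rbac.tf; it assumes the azurerm 3.x provider (hubs addressed by namespace_name/resource_group_name, `enabled_log` blocks on both diagnostic resources, `all_subscription_ids` on the management group data source) and an apply identity that can write diagnostic settings on every enumerated subscription. The management group id is a placeholder (the PR's real id is elided), and the authorization rule name, consumer group name, region, partition count, throughput ceiling and log category lists are assumptions rather than values from the PR.

```terraform
# Added example, not the PR's own Terraform. Only the resource group, namespace
# and hub names come from the PR; everything else marked "assumed" is a guess.

data "azurerm_management_group" "root" {
  name = "00000000-0000-0000-0000-000000000000" # placeholder for the tenant root MG id
}

# Resolve every subscription under the root MG so the filter can use display names.
data "azurerm_subscription" "tenant" {
  for_each        = toset(data.azurerm_management_group.root.all_subscription_ids)
  subscription_id = each.value
}

locals {
  # Everything in the tenant except the default sandbox subscription; a new
  # subscription shows up here, and gets a diagnostic setting, on the next apply.
  forwarding_subscriptions = {
    for id, sub in data.azurerm_subscription.tenant :
    id => sub if sub.display_name != "Azure subscription 1"
  }
}

resource "azurerm_resource_group" "crowdstrike" {
  name     = "rg-crowdstrike-eventhub"
  location = "westus2" # assumed
}

resource "azurerm_eventhub_namespace" "crowdstrike" {
  name                     = "mozcrowdstrikeeventhub"
  location                 = azurerm_resource_group.crowdstrike.location
  resource_group_name      = azurerm_resource_group.crowdstrike.name
  sku                      = "Standard"
  capacity                 = 1
  auto_inflate_enabled     = true
  maximum_throughput_units = 4 # assumed ceiling
  minimum_tls_version      = "1.2"
}

# Send-only rule for the diagnostic settings: the log producers never need
# listen or manage rights, so RootManageSharedAccessKey stays out of the picture.
resource "azurerm_eventhub_namespace_authorization_rule" "diag_send" {
  name                = "diagnostics-send" # assumed
  namespace_name      = azurerm_eventhub_namespace.crowdstrike.name
  resource_group_name = azurerm_resource_group.crowdstrike.name
  send                = true
  listen              = false
  manage              = false
}

resource "azurerm_eventhub" "hubs" {
  for_each            = toset(["activitylogs", "entralogs"])
  name                = each.key
  namespace_name      = azurerm_eventhub_namespace.crowdstrike.name
  resource_group_name = azurerm_resource_group.crowdstrike.name
  partition_count     = 4 # assumed
  message_retention   = 7 # days, the Standard-tier maximum
}

# A consumer group per hub reserved for the Falcon connector, so its checkpoint
# never collides with $Default or any other reader (e.g. Splunk) on the same hub.
resource "azurerm_eventhub_consumer_group" "ngsiem" {
  for_each            = azurerm_eventhub.hubs
  name                = "ngsiem" # assumed
  namespace_name      = azurerm_eventhub_namespace.crowdstrike.name
  eventhub_name       = each.value.name
  resource_group_name = azurerm_resource_group.crowdstrike.name
}

# Subscription-scope activity log export, one setting per filtered subscription.
resource "azurerm_monitor_diagnostic_setting" "activity" {
  for_each                       = local.forwarding_subscriptions
  name                           = "crowdstrike-activitylogs" # assumed
  target_resource_id             = each.value.id # "/subscriptions/<guid>"
  eventhub_name                  = azurerm_eventhub.hubs["activitylogs"].name
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.diag_send.id

  dynamic "enabled_log" {
    for_each = ["Administrative", "Security", "ServiceHealth", "Alert", "Policy"] # assumed
    content {
      category = enabled_log.value
    }
  }
}

# Tenant-scope Entra ID export (one per tenant, not per subscription).
resource "azurerm_monitor_aad_diagnostic_setting" "entra" {
  name                           = "crowdstrike-entralogs" # assumed
  eventhub_name                  = azurerm_eventhub.hubs["entralogs"].name
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.diag_send.id

  dynamic "enabled_log" {
    for_each = ["AuditLogs", "SignInLogs"] # assumed
    content {
      category = enabled_log.value
    }
  }
}

# Mirrors the output the PR's test plan says to inspect for the excluded subscription.
output "crowdstrike_forwarding_subscriptions" {
  value = { for id, sub in local.forwarding_subscriptions : id => sub.display_name }
}
```

Two checks worth doing on the plan before apply: the `crowdstrike_forwarding_subscriptions` output should list every tenant subscription except "Azure subscription 1", and the only authorization rule referenced by either diagnostic setting should be the send-only one, with the connector's service principal receiving access through the namespace-scoped Azure Event Hubs Data Receiver role assignment the PR adds rather than through any shared access key.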
@jwmossmoz jwmossmoz marked this pull request as ready for review April 20, 2026 12:03
@jwmossmoz jwmossmoz merged commit e718b8b into master Apr 20, 2026
1 check passed