The plan for scaling CrowdStrike metadata enrichment is to use LOOKUP JOIN, first splitting the current fdr data stream into three: fdr, fdr_aidmaster and fdr_userinfo.

To aid this, the ingest pipeline needs to be clarified. Initial work has been done on that, identifying duplicated code and some small (inconsequential?) syntax issues.