Skip to content

[9.0.1] AMSI API changes for behavior rule alerts - process.Ext.api.parameters.content_name #609

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Apr 25, 2025
Merged

[9.0.1] AMSI API changes for behavior rule alerts - process.Ext.api.parameters.content_name #609

merged 11 commits into from
Apr 25, 2025

Conversation

@magermark
Copy link
Contributor

@magermark magermark commented Apr 21, 2025
edited
Loading

Change Summary

Added new entries to accommodate process.Ext.api.parameters.content_name and process.Ext.api.parameters.app_name in behavior rule alerts. Entries were ported over from the same entries for AMSI API events: #572

Release Target

9.0.1 - Required for upcoming third party testing

@magermark magermark requested a review from a team as a code owner April 21, 2025 19:00
@magermark magermark requested review from gergoabraham and pzl April 21, 2025 19:00
@magermark magermark changed the title [9.0.1] API AMSI changes (process.Ext.api.parameters.content_name) [9.0.1] AMSI API changes for rule detection rule alerts - process.Ext.api.parameters.content_name Apr 21, 2025
@magermark magermark changed the title [9.0.1] AMSI API changes for rule detection rule alerts - process.Ext.api.parameters.content_name [9.0.1] AMSI API changes for behavior rule alerts - process.Ext.api.parameters.content_name Apr 21, 2025
pzl
pzl reviewed Apr 22, 2025
View reviewed changes
Copy link
Member

@pzl pzl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add the definitions to the fields (the description, type, flat_name, etc) in custom_schemas (probably custom_schemas/custom_process.yml, but whatever is most relevant).

Then to add those fields to the alert data stream, please edit custom_subsets/elastic_endpoint/alerts/rule_detection_event.yaml to declare where the fields will go.

Then run make to generate the rest of the changes, which should include the change here under schemas.

sample values can be manually placed in package/endpoint/data_stream/alerts/sample_event.json to aid in automated testing for this repo

@pzl pzl removed the request for review from gergoabraham April 22, 2025 12:12
@magermark
Copy link
Contributor Author

magermark commented Apr 22, 2025

@pzl These fields were previously added by @jdu2600 under custom_api.yml:

process.Ext.api.parameters:
https://github.com/elastic/endpoint-package/blob/main/custom_schemas/custom_api.yml#L179-L183

process.Ext.api.parameters.app_name:
https://github.com/elastic/endpoint-package/blob/main/custom_schemas/custom_api.yml#L532-L537

process.Ext.api.parameters.content_name:
https://github.com/elastic/endpoint-package/blob/main/custom_schemas/custom_api.yml#L539-L544

@magermark magermark requested a review from pzl April 25, 2025 15:41
@magermark magermark merged commit e32721c into main Apr 25, 2025
4 checks passed
pzl pushed a commit that referenced this pull request May 5, 2025
@magermark @pzl
[9.0.1] AMSI API changes for behavior rule alerts - process.Ext.api.p…
75b784f 
…arameters.content_name (#609)

* Entries for process.Ext.api.parameters and process.Ext.api.parameters.content_name

* Added process.Ext.api.parameters.app_name

* custom_subsets changes for process.Ext.api.parameters.content_name and process.Ext.api.parameters.app_name

* Add fields under parameters

* testing

* Test Windows

* Revert Windows change

* Revert .bat

* Remove test

* Remove test_name

* Generated changes
@pzl pzl mentioned this pull request May 5, 2025
Merged
pzl added a commit that referenced this pull request May 5, 2025
@pzl @magermark
AMSI API changes for behavior rule alerts - process.Ext.api.parameter…
71fd4c1 
…s.content_name (#609) (#626)

* Entries for process.Ext.api.parameters and process.Ext.api.parameters.content_name

* Added process.Ext.api.parameters.app_name

* custom_subsets changes for process.Ext.api.parameters.content_name and process.Ext.api.parameters.app_name

* Add fields under parameters

* testing

* Test Windows

* Revert Windows change

* Revert .bat

* Remove test

* Remove test_name

* Generated changes

Co-authored-by: Mark Mager <42077975+magermark@users.noreply.github.com>
@pzl pzl deleted the amsi-changes branch June 24, 2025 16:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pzl pzl pzl approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@magermark @pzl