Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Enhancement] Field adjusts to better compatibility with Detection Rules #9234

Closed
w0rk3r opened this issue Feb 23, 2024 · 1 comment · Fixed by #10533
Closed

[Enhancement] Field adjusts to better compatibility with Detection Rules #9234

w0rk3r opened this issue Feb 23, 2024 · 1 comment · Fixed by #10533
Assignees
@w0rk3r
Labels
enhancement New feature or request

Comments

@w0rk3r
Copy link
Contributor

w0rk3r commented Feb 23, 2024
edited
Loading

For Detection compatibility purposes, we need to adjust and add some fields to the integrations shipped process creation logs.

System Integration:

  • process.name.caseless
  • process.executable.caseless
  • process.args_count

Windows Integration:

  • process.name.caseless
  • process.executable.caseless
  • process.args_count (Sysmon logs already have these, needs to be added to win forwarded logs)

In Sysmon and in the winevent logs, we don't have a caseless field as we do in Elastic Defend, which prevents them from working with rules that use KQL, like new_terms.
@w0rk3r w0rk3r added the enhancement New feature or request label Feb 23, 2024
@w0rk3r w0rk3r mentioned this issue Mar 8, 2024
Closed
@w0rk3r w0rk3r self-assigned this May 13, 2024
@w0rk3r w0rk3r mentioned this issue May 13, 2024
Closed
4 tasks
@w0rk3r
Copy link
Contributor Author

w0rk3r commented Jul 11, 2024
edited
Loading

Changes were incorporated in ECS: elastic/ecs#2341.

They will probably be in 8.16, as this is not blocking any work and is an enhancement, I closed #9850 and will wait for the ECS release to modify the related rules.

@w0rk3r w0rk3r closed this as completed Jul 11, 2024
@w0rk3r w0rk3r mentioned this issue Jul 18, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@w0rk3r w0rk3r

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
1 participant
@w0rk3r