
[Enhancement] Add ".caseless" fields to process events #10533

Merged: 5 commits, Jul 26, 2024

Conversation

w0rk3r
Contributor

@w0rk3r w0rk3r commented Jul 18, 2024

Summary

Clean version of #9850, reopening this as the discussion in ECS suggests this may be the best way to proceed.

Proposed commit message

This PR adds .caseless fields for the process name and executable to improve compatibility with our Elastic Defend integration. This enables us to handle language limitations in KQL more effectively.

I'm also specifying the .text field as it was being removed from the markdown file otherwise.

Elastic Defend Mapping:

[image: Elastic Defend mapping]

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

Build the integration, then ingest Sysmon or Windows Security logs.

Related issues

Screenshots

[two screenshots]
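To show what the `.caseless` multi-fields buy a rule author, here is an added example (not code from this PR or from the integrations project) that models keyword matching in Python. It assumes, based on the Elastic Defend mapping referenced above, that `process.name.caseless` and `process.executable.caseless` are keyword multi-fields indexed through a lowercase normalizer, and that a term-level KQL query normalizes its value the same way; the events are constructed.

```python
# Assumed mapping for this example: each ECS keyword field plus a "caseless"
# multi-field that goes through a lowercase normalizer. The ".text" multi-field
# the PR also keeps is not modelled here (only keyword matching is shown).
MAPPING = {
    "process.name": None,
    "process.name.caseless": "lowercase",
    "process.executable": None,
    "process.executable.caseless": "lowercase",
}

def normalize(field_name: str, value: str) -> str:
    """A normalizer runs on the value at index time AND on the term of a
    term-level query, which is what makes the comparison case-insensitive."""
    return value.lower() if MAPPING[field_name] == "lowercase" else value

def index_document(source: dict) -> dict:
    """Indexed terms for one event: every multi-field receives the same source
    value, normalized according to its own mapping. Missing fields index nothing."""
    terms = {}
    for field_name in MAPPING:
        value = source.get(field_name.removesuffix(".caseless"))
        if value is not None:
            terms[field_name] = normalize(field_name, value)
    return terms

def kql_term_match(indexed: list, field_name: str, query: str) -> list:
    """Emulate `field : "value"` on a keyword field: exact term equality after
    normalizing the query term exactly as the field was indexed."""
    wanted = normalize(field_name, query)
    return [i for i, doc in enumerate(indexed) if doc.get(field_name) == wanted]

# Constructed events with the mixed casing Windows actually produces.
EVENTS = [
    {"process.name": "PowerShell.EXE",
     "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE"},
    {"process.name": "powershell.exe",
     "process.executable": r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"},
    {"process.name": "notepad.exe", "process.executable": r"C:\Windows\notepad.exe"},
    {},  # event with no process fields: nothing to index, no error
]
INDEXED = [index_document(e) for e in EVENTS]

if __name__ == "__main__":
    # Plain keyword field: only the document whose casing equals the query term.
    print(kql_term_match(INDEXED, "process.name", "powershell.exe"))           # [1]
    # Caseless multi-field: both casings match, whatever casing the rule uses.
    print(kql_term_match(INDEXED, "process.name.caseless", "PowerShell.exe"))  # [0, 1]
```

The first query is the gap a rule hits on raw Sysmon or Security events; the second is what the same rule sees once the `.caseless` field exists, which is why the integration data and Elastic Defend data can now share one rule condition.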

@w0rk3r w0rk3r requested a review from andrewkroh July 18, 2024 13:05
@w0rk3r w0rk3r self-assigned this Jul 18, 2024
@w0rk3r w0rk3r requested review from a team as code owners July 18, 2024 13:05
@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team [elastic/elastic-agent-data-plane] label Jul 18, 2024
@elasticmachine

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@andrewkroh andrewkroh added Team:Security-Windows Platform Security Windows Platform Team [elastic/sec-windows-platform] and removed Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team [elastic/elastic-agent-data-plane] labels Jul 19, 2024
@elasticmachine

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team [elastic/elastic-agent-data-plane] label Jul 21, 2024
@pierrehilbert pierrehilbert requested review from faec and removed request for leehinman July 21, 2024 12:40
@pierrehilbert pierrehilbert added Team:Obs-InfraObs Label for the Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Ecosystem Label for the Packages Ecosystem team [elastic/ecosystem] labels Jul 21, 2024
@pierrehilbert
Contributor

@w0rk3r this PR is now in conflict

@elasticmachine

💚 Build Succeeded

History

cc @w0rk3r

@w0rk3r w0rk3r requested a review from ishleenk17 July 25, 2024 16:24
Contributor

@ishleenk17 ishleenk17 left a comment

Looks good!

@pierrehilbert
Contributor

@w0rk3r We are now good to go, thanks

@w0rk3r w0rk3r merged commit 154c06a into main Jul 26, 2024
5 checks passed
@elasticmachine

Package system - 1.60.0 containing this change is available at https://epr.elastic.co/search?package=system

@elasticmachine

Package windows - 1.47.0 containing this change is available at https://epr.elastic.co/search?package=windows

jvalente-salemstate pushed a commit to jvalente-salemstate/integrations that referenced this pull request Aug 21, 2024
[Enhancement] Add ".caseless" fields to process events
efd6 pushed a commit that referenced this pull request Sep 11, 2024
… EDR data sources (#11019)

Uses a field alias to map the process integrity field to the one used in the
rules based on our Elastic Defend for more straightforward rule conditions.

Adds caseless versions of process.name and process.executable as done
in #10533.
Labels
Integration:system System Integration:windows Windows Team:Ecosystem Label for the Packages Ecosystem team [elastic/ecosystem] Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team [elastic/elastic-agent-data-plane] Team:Obs-InfraObs Label for the Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Windows Platform Security Windows Platform Team [elastic/sec-windows-platform]
6 participants