[8.8] Support new enrichment fields (#157889) (#157961)

# Backport

This will backport the following commits from `main` to `8.8`:
- [Support new enrichment fields
(#157889)](#157889)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Sebastián
Zaffarano","email":"sebastian.zaffarano@elastic.co"},"sourceCommit":{"committedDate":"2023-05-17T07:36:03Z","message":"Support
new enrichment fields (#157889)\n\n## Summary\r\n\r\nAdds support for
the following Endpoint fields for detection \r\nrules
telemetry:\r\n\r\n- process.Ext.effective_parent.name\r\n-
process.Ext.effective_parent.executable\r\n- file.Ext.original.name\r\n-
process.Ext.api.name\r\n- file.Ext.header_bytes\r\n-
process.parent.Ext.real.pid\r\n-
dll.Ext.relative_file_creation_time\r\n-
dll.Ext.relative_file_name_modify_time\r\n- file.Ext.entropy\r\n-
dll.name\r\n- dll.path\r\n- dll.code_signature.trusted\r\n-
dll.pe.original_file_name\r\n- file.directory\r\n- dll.hash.sha256\r\n-
dll.pe.imphash\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"81bcd4a3bad1e6e057addecf29c5f8d7bdec0aae","branchLabelMapping":{"^v8.9.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:Telemetry","release_note:skip","Team:
SecuritySolution","v8.9.0","v8.8.1"],"number":157889,"url":"https://github.com/elastic/kibana/pull/157889","mergeCommit":{"message":"Support
new enrichment fields (#157889)\n\n## Summary\r\n\r\nAdds support for
the following Endpoint fields for detection \r\nrules
telemetry:\r\n\r\n- process.Ext.effective_parent.name\r\n-
process.Ext.effective_parent.executable\r\n- file.Ext.original.name\r\n-
process.Ext.api.name\r\n- file.Ext.header_bytes\r\n-
process.parent.Ext.real.pid\r\n-
dll.Ext.relative_file_creation_time\r\n-
dll.Ext.relative_file_name_modify_time\r\n- file.Ext.entropy\r\n-
dll.name\r\n- dll.path\r\n- dll.code_signature.trusted\r\n-
dll.pe.original_file_name\r\n- file.directory\r\n- dll.hash.sha256\r\n-
dll.pe.imphash\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"81bcd4a3bad1e6e057addecf29c5f8d7bdec0aae"}},"sourceBranch":"main","suggestedTargetBranches":["8.8"],"targetPullRequestStates":[{"branch":"main","label":"v8.9.0","labelRegex":"^v8.9.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/157889","number":157889,"mergeCommit":{"message":"Support
new enrichment fields (#157889)\n\n## Summary\r\n\r\nAdds support for
the following Endpoint fields for detection \r\nrules
telemetry:\r\n\r\n- process.Ext.effective_parent.name\r\n-
process.Ext.effective_parent.executable\r\n- file.Ext.original.name\r\n-
process.Ext.api.name\r\n- file.Ext.header_bytes\r\n-
process.parent.Ext.real.pid\r\n-
dll.Ext.relative_file_creation_time\r\n-
dll.Ext.relative_file_name_modify_time\r\n- file.Ext.entropy\r\n-
dll.name\r\n- dll.path\r\n- dll.code_signature.trusted\r\n-
dll.pe.original_file_name\r\n- file.directory\r\n- dll.hash.sha256\r\n-
dll.pe.imphash\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"81bcd4a3bad1e6e057addecf29c5f8d7bdec0aae"}},{"branch":"8.8","label":"v8.8.1","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Sebastián Zaffarano <sebastian.zaffarano@elastic.co>

Author: kibanamachine

x-pack/plugins/security_solution/server/lib/telemetry/filterlists/index.test.ts

@@ -6,30 +6,26 @@
  */
 
 import { copyAllowlistedFields } from '.';
+import { prebuiltRuleAllowlistFields } from './prebuilt_rules_alerts';
+import type { AllowlistFields } from './types';
 
 describe('Security Telemetry filters', () => {
   describe('allowlistEventFields', () => {
-    const allowlist = {
+    const testingKeys: AllowlistFields = {
       _id: true,
       a: true,
       b: true,
       c: {
         d: true,
       },
-      'kibana.alert.ancestors': true,
-      'kibana.alert.original_event.module': true,
-      'event.id': true,
-      'event.ingested': true,
-      'event.kind': true,
-      'event.module': true,
-      'event.outcome': true,
-      'event.provider': true,
-      'event.type': true,
-      'powershell.file.script_block_text': true,
       'kubernetes.pod.uid': true,
       'kubernetes.pod.name': true,
       'kubernetes.pod.ip': true,
-      package_version: true,
+    };
+
+    const allowlist = {
+      ...prebuiltRuleAllowlistFields,
+      ...testingKeys,
     };
 
     it('filters top level', () => {
@@ -47,6 +43,67 @@ describe('Security Telemetry filters', () => {
       });
     });
 
+    it('filters endpoint enrichments', () => {
+      const expected = {
+        dll: {
+          code_signature: {
+            trusted: '1',
+          },
+          Ext: {
+            relative_file_creation_time: '2',
+            relative_file_name_modify_time: '3',
+          },
+          hash: {
+            sha256: '4',
+          },
+          name: '5',
+          path: '6',
+          pe: {
+            imphash: '7',
+            original_file_name: '8',
+          },
+        },
+        file: {
+          directory: '9',
+          Ext: {
+            entropy: '10',
+            header_bytes: '11',
+            original: {
+              name: '12',
+            },
+          },
+        },
+        process: {
+          Ext: {
+            api: {
+              name: '13',
+            },
+            effective_parent: {
+              executable: '14',
+              name: '15',
+            },
+          },
+          parent: {
+            Ext: {
+              real: {
+                pid: '16',
+              },
+            },
+          },
+        },
+      };
+
+      const event = {
+        ...expected,
+        ...{
+          val1: 'unexpected-1',
+          val2: 'unexpected-2',
+        },
+      };
+
+      expect(copyAllowlistedFields(allowlist, event)).toStrictEqual(expected);
+    });
+
     it('filters nested', () => {
       const event = {
         a: {

x-pack/plugins/security_solution/server/lib/telemetry/filterlists/prebuilt_rules_alerts.ts

@@ -82,9 +82,23 @@ export const prebuiltRuleAllowlistFields: AllowlistFields = {
     port: true,
   },
   dll: {
+    Ext: {
+      relative_file_creation_time: true,
+      relative_file_name_modify_time: true,
+    },
     code_signature: {
       status: true,
       subject_name: true,
+      trusted: true,
+    },
+    name: true,
+    path: true,
+    pe: {
+      original_file_name: true,
+      imphash: true,
+    },
+    hash: {
+      sha256: true,
     },
   },
   dns: {
@@ -129,6 +143,13 @@ export const prebuiltRuleAllowlistFields: AllowlistFields = {
     entity_id: true,
     executable: true,
     Ext: {
+      api: {
+        name: true,
+      },
+      effective_parent: {
+        executable: true,
+        name: true,
+      },
       token: {
         integrity_level_name: true,
       },
@@ -235,7 +256,13 @@ export const prebuiltRuleAllowlistFields: AllowlistFields = {
     },
   },
   file: {
+    directory: true,
     Ext: {
+      entropy: true,
+      header_bytes: true,
+      original: {
+        name: true,
+      },
       windows: {
         zone_identifier: true,
       },