For Detection compatibility purposes, we need to adjust and add some fields to the process creation logs shipped by the integrations.
System Integration:
- process.name.caseless
- process.executable.caseless
- process.args_count
Windows Integration:
- process.name.caseless
- process.executable.caseless
- process.args_count (Sysmon logs already have this; it needs to be added to forwarded Windows event logs)
In Sysmon and in the winevent logs, we don't have a caseless field as we do in Elastic Defend, which prevents them from working with rules that use KQL, like new_terms rules.
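As an added illustration (not code from this issue or from the integrations themselves) of how the three fields could be provided, the fragment below follows the Elastic Defend approach for the caseless fields: rather than writing a new value in the pipeline, `process.name` and `process.executable` get a `caseless` multi-field backed by the built-in `lowercase` normalizer, so the sub-field exists at query time with no extra ingest step. `process.args_count` is derived from `process.args` by a small Painless script processor. The field declaration format, the `if` condition and the processor placement are assumptions about how such a change would look, not the integrations' actual files.

```yaml
# Hypothetical fields.yml fragment (assumed layout, not the integration's own file).
# The multi-field reuses the index-time normalized copy the way Elastic Defend's
# mapping does, so KQL such as  process.name.caseless : "powershell.exe"
# matches regardless of the casing the source logged.
- name: process.name
  type: keyword
  multi_fields:
    - name: caseless
      type: keyword
      normalizer: lowercase
- name: process.executable
  type: keyword
  multi_fields:
    - name: caseless
      type: keyword
      normalizer: lowercase
- name: process.args_count
  type: long
---
# Hypothetical ingest pipeline fragment (assumed, not the integration's own pipeline).
# Only runs when process.args was actually parsed into a list, so events that
# carry no command line (or a non-list value) are left untouched rather than failing.
processors:
  - script:
      lang: painless
      if: ctx.process?.args instanceof List
      source: ctx.process.args_count = ctx.process.args.size();
```

With the mapping in place, a new_terms rule keyed on `process.name.caseless` would see `PowerShell.exe` and `powershell.exe` as the same term for forwarded Windows events, which is the parity with Elastic Defend data this issue asks for; the `args_count` script only adds a field and never rewrites `process.args` itself.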