[Enhancement] Add ".caseless" fields to process events #10533

Merged
w0rk3r merged 5 commits into main from fr-process_name_caseless
Jul 26, 2024
Conversation

Contributor

@w0rk3r w0rk3r commented Jul 18, 2024

Summary

Clean version of #9850, reopening this as the discussion in ECS suggests this may be the best way to proceed.

Proposed commit message

This PR adds .caseless fields for the process name and executable to improve compatibility with our Elastic Defend integration. This enables us to handle language limitations in KQL more effectively.

I'm also specifying the .text field as it was being removed from the markdown file otherwise.

Elastic Defend Mapping:

[image: Elastic Defend field mapping screenshot]

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

Build the integration, ingest sysmon or windows security logs.

Related issues

Screenshots

[image: screenshot 1]
[image: screenshot 2]
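To make the point of the PR concrete for a detection engineer, here is an added example (not code from this PR or from the elastic/integrations repository) that emulates in plain Python what a keyword field with a `caseless` multi-field does: the mapping fragment is constructed in the shape ECS uses for `process.name` and `process.executable` (a `keyword` base field, a `text` multi-field, and a `caseless` keyword multi-field with Elasticsearch's built-in `lowercase` normalizer), and the sample events are constructed to show the same binary recorded with different casing. The `index_terms`, `field_spec` and `term_query` helpers are this example's own stand-ins for index-time normalization and a KQL exact-term clause; they are not Elasticsearch APIs.

```python
"""Emulate why `process.name.caseless` makes a KQL term clause case-insensitive.

Added example, not part of PR #10533. The mapping below is modelled after the
ECS multi-field layout; the index/query emulation is a simplification of what
Elasticsearch does for keyword fields that declare a normalizer.
"""
from typing import Any, Callable

# Constructed mapping fragment (ECS-style multi_fields for process.name/executable).
PROCESS_MAPPING: dict[str, Any] = {
    "process": {
        "properties": {
            "name": {
                "type": "keyword",
                "fields": {
                    "text": {"type": "text"},
                    "caseless": {"type": "keyword", "normalizer": "lowercase"},
                },
            },
            "executable": {
                "type": "keyword",
                "fields": {
                    "text": {"type": "text"},
                    "caseless": {"type": "keyword", "normalizer": "lowercase"},
                },
            },
        }
    }
}

# Only the built-in `lowercase` normalizer is emulated here.
NORMALIZERS: dict[str, Callable[[str], str]] = {"lowercase": str.lower}

# Constructed sample events: one binary as a Security/Sysmon pipeline might
# record it depending on how the process was launched, plus an unrelated one.
EVENTS = [
    {"id": 1, "process": {"name": "powershell.exe",
                          "executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}},
    {"id": 2, "process": {"name": "PowerShell.exe",
                          "executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe"}},
    {"id": 3, "process": {"name": "POWERSHELL.EXE",
                          "executable": r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE"}},
    {"id": 4, "process": {"name": "cmd.exe",
                          "executable": r"C:\Windows\System32\cmd.exe"}},
]


def field_spec(path: str, mapping: dict[str, Any] = PROCESS_MAPPING) -> dict[str, Any]:
    """Resolve a dotted field path (multi-fields included) to its mapping entry."""
    parts = path.split(".")
    node = mapping
    spec: dict[str, Any] = {}
    for i, part in enumerate(parts):
        if part not in node:
            raise KeyError(f"unmapped field: {path}")
        spec = node[part]
        if "properties" in spec:
            node = spec["properties"]
        elif "fields" in spec and i < len(parts) - 1:
            node = spec["fields"]
    return spec


def index_terms(doc: dict[str, Any], mapping: dict[str, Any] = PROCESS_MAPPING,
                prefix: str = "") -> dict[str, str]:
    """Return the single term indexed for every keyword field/multi-field in `doc`."""
    terms: dict[str, str] = {}
    for name, spec in mapping.items():
        path = prefix + name
        if "properties" in spec:
            child = doc.get(name)
            if isinstance(child, dict):
                terms.update(index_terms(child, spec["properties"], path + "."))
            continue
        value = doc.get(name)
        if spec.get("type") != "keyword" or not isinstance(value, str):
            continue
        terms[path] = value  # base keyword: stored verbatim, so matching is case-sensitive
        for sub_name, sub_spec in spec.get("fields", {}).items():
            if sub_spec.get("type") != "keyword":
                continue  # `text` multi-fields are analyzed, not one term; skipped here
            normalize = NORMALIZERS.get(sub_spec.get("normalizer", ""), lambda s: s)
            terms[f"{path}.{sub_name}"] = normalize(value)
    return terms


def term_query(events: list[dict[str, Any]], field: str, value: str) -> list[int]:
    """Emulate the KQL clause `field : "value"` against a keyword-mapped field.

    The target field's normalizer is applied to the query term as well, which is
    what makes the `.caseless` lookup case-insensitive on both sides.
    """
    spec = field_spec(field)
    if spec.get("type") != "keyword":
        raise ValueError(f"{field} is not a keyword field; exact term match does not apply")
    normalize = NORMALIZERS.get(spec.get("normalizer", ""), lambda s: s)
    wanted = normalize(value)
    return [e["id"] for e in events if index_terms(e).get(field) == wanted]


if __name__ == "__main__":
    print('process.name : "powershell.exe"          ->', term_query(EVENTS, "process.name", "powershell.exe"))
    print('process.name.caseless : "PowerShell.exe" ->', term_query(EVENTS, "process.name.caseless", "PowerShell.exe"))
```

The first query only hits event 1, because the base keyword field keeps the casing the log source supplied; the `.caseless` query hits events 1, 2 and 3, which is the behaviour a rule written for Elastic Defend data expects when it is pointed at system or windows integration data. The same holds for `process.executable.caseless`, where drive letters and directory names vary in case even more often than the file name does.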

@w0rk3r w0rk3r requested a review from andrewkroh July 18, 2024 13:05
@w0rk3r w0rk3r self-assigned this Jul 18, 2024
@w0rk3r w0rk3r requested review from a team as code owners July 18, 2024 13:05
@w0rk3r w0rk3r requested review from AndersonQ and leehinman July 18, 2024 13:05
@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] label Jul 18, 2024
@elasticmachine

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@andrewkroh andrewkroh added Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] and removed Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] labels Jul 19, 2024
@elasticmachine

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] label Jul 21, 2024
@pierrehilbert pierrehilbert requested review from faec and removed request for leehinman July 21, 2024 12:40
@pierrehilbert pierrehilbert added Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Ecosystem Packages Ecosystem team [elastic/ecosystem] labels Jul 21, 2024
@pierrehilbert
Contributor

@w0rk3r this PR is now in conflict

@elasticmachine

💚 Build Succeeded

cc @w0rk3r

@w0rk3r w0rk3r requested a review from ishleenk17 July 25, 2024 16:24
Member

@ishleenk17 ishleenk17 left a comment

Looks good!

@pierrehilbert
Contributor

@w0rk3r We are now good to go, thanks

@w0rk3r w0rk3r merged commit 154c06a into main Jul 26, 2024
@elasticmachine

Package system - 1.60.0 containing this change is available at https://epr.elastic.co/search?package=system

@elasticmachine

Package windows - 1.47.0 containing this change is available at https://epr.elastic.co/search?package=windows

efd6 pushed a commit that referenced this pull request Sep 11, 2024
… EDR data sources (#11019)

Uses a field alias to map the process integrity field to the one used in the
rules based on our Elastic Defend for more straightforward rule conditions.

Adds caseless versions of process.name and process.executable as done
in #10533.
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
[Enhancement] Add ".caseless" fields to process events
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
… EDR data sources (elastic#11019)

Uses a field alias to map the process integrity field to the one used in the
rules based on our Elastic Defend for more straightforward rule conditions.

Adds caseless versions of process.name and process.executable as done
in elastic#10533.
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
[Enhancement] Add ".caseless" fields to process events
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
… EDR data sources (elastic#11019)

Uses a field alias to map the process integrity field to the one used in the
rules based on our Elastic Defend for more straightforward rule conditions.

Adds caseless versions of process.name and process.executable as done
in elastic#10533.
Labels

Integration:system (System), Integration:windows (Windows), Team:Ecosystem (Packages Ecosystem team [elastic/ecosystem]), Team:Elastic-Agent-Data-Plane (Agent Data Plane team [elastic/elastic-agent-data-plane]), Team:Obs-InfraObs (Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations]), Team:Security-Windows Platform (Security Windows Platform team [elastic/sec-windows-platform])

Development

Successfully merging this pull request may close these issues.

[Enhancement] Field adjusts to better compatibility with Detection Rules Add process.name.caseless to logs-system.* mapping