
[Enhancement] Add ".caseless" fields to process events #9850

Open
wants to merge 5 commits into base: main

Conversation

w0rk3r
Contributor

@w0rk3r w0rk3r commented May 13, 2024

Proposed commit message

This PR adds .caseless fields for the process name and executable to improve compatibility with our Elastic Defend integration. This enables us to handle language limitations in KQL more effectively.

I'm also specifying the .text field as it was being removed from the markdown file otherwise.

Elastic Defend Mapping:

[screenshot: Elastic Defend mapping]

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

Build the integration, ingest Sysmon or Windows Security logs.

Related issues

Screenshots

[screenshot]
[screenshot]

@w0rk3r w0rk3r self-assigned this May 13, 2024
@w0rk3r w0rk3r requested review from a team as code owners May 13, 2024 16:51
@elasticmachine

elasticmachine commented May 13, 2024

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@ishleenk17
Contributor

ishleenk17 commented May 16, 2024

@w0rk3r: Can we please get the CI green here?

Review comments (outdated, resolved): packages/system/changelog.yml, packages/system/manifest.yml
@elasticmachine

💚 Build Succeeded

History

cc @w0rk3r


Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

Member

@andrewkroh andrewkroh left a comment


This introduces a new field into an ECS controlled namespace that is not defined in ECS. We need to commit this to the schema first so that it becomes standardized. This will allow us to use a uniform definition everywhere and it's easily importable.

# fields.yml
- name: process.executable
  external: ecs

This additional multi-field will end up in the Elasticsearch ecs@mappings template meaning that all users of data streams can have a consistent mapping for these fields (even if they aren't using an integration).

Probably one reason that we have incompatibility with detection rules (#9234) is that the rule(s) are using fields which have not been defined in ECS. So if we can align ECS then any future integrations will just work.


I also think we should debate alternative naming. My initial reaction was that calling this "lowercase" would be more clear because it conveys the fact that the value is being converted to lowercase.
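As an added illustration of the multi-field being discussed (not part of the PR diff or of any comment above, and not the integration's actual fields.yml), the following hypothetical fields.yml excerpt shows one way a lowercased sub-field for process.name and process.executable could be declared alongside the .text sub-field mentioned in the PR description. It assumes the package-spec `multi_fields` and `normalizer` attributes and the Elasticsearch built-in `lowercase` normalizer; the `caseless` name is taken from the PR title and is the naming being debated.

```yaml
# Hypothetical fields.yml excerpt (added example, not from the PR).
# Assumes package-spec supports `multi_fields` with a `normalizer`
# attribute and that the Elasticsearch built-in `lowercase` normalizer
# is available. Sub-field names: `text` from the PR description,
# `caseless` from the PR title (naming still under discussion above).
- name: process.name
  type: keyword
  description: Process name.
  multi_fields:
    - name: text
      type: match_only_text
    - name: caseless
      type: keyword
      normalizer: lowercase
- name: process.executable
  type: keyword
  description: Absolute path to the process executable.
  multi_fields:
    - name: text
      type: match_only_text
    - name: caseless
      type: keyword
      normalizer: lowercase
```

With a mapping of this shape, a document whose process.name is `PowerShell.EXE` is indexed under process.name.caseless as `powershell.exe`, and Elasticsearch applies the same normalizer to the query term of term-level queries, so a KQL clause such as `process.name.caseless : "powershell.exe"` matches regardless of how the source logged the case, while the same clause against process.name remains an exact, case-sensitive keyword match. That difference is the KQL limitation the PR description refers to, and it is why a detection rule written against the sub-field only works consistently if every integration that populates process.name defines the sub-field the same way, which is the argument above for defining it in ECS first.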

5 participants