[7.12][Telemetry] Add missing fields for security telemetry (#91920)

Co-authored-by: Thiago Souza <thiago@elastic.co>
2025-04-24 01:38:56 -04:00 · 2021-02-19 18:10:15 +00:00 · 2021-02-19 18:10:15 +00:00 · 4e2601d9c9
commit 4e2601d9c9
parent 4a1134c732
2 changed files with 96 additions and 0 deletions
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
@ -34,6 +34,11 @@ describe('TelemetryEventsSender', () => {
          agent: {
            name: 'test',
          },
+          rule: {
+            id: 'X',
+            name: 'Y',
+            ruleset: 'Z',
+          },
          file: {
            size: 3,
            path: 'X',
@ -47,6 +52,9 @@ describe('TelemetryEventsSender', () => {
              malware_classification: {
                key1: 'X',
              },
+              malware_signature: {
+                key1: 'X',
+              },
              quarantine_result: true,
              quarantine_message: 'this file is bad',
              something_else: 'nope',
@ -70,6 +78,11 @@ describe('TelemetryEventsSender', () => {
          agent: {
            name: 'test',
          },
+          rule: {
+            id: 'X',
+            name: 'Y',
+            ruleset: 'Z',
+          },
          file: {
            size: 3,
            path: 'X',
@ -81,6 +94,9 @@ describe('TelemetryEventsSender', () => {
              malware_classification: {
                key1: 'X',
              },
+              malware_signature: {
+                key1: 'X',
+              },
              quarantine_result: true,
              quarantine_message: 'this file is bad',
            },
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
@ -296,16 +296,20 @@ interface AllowlistFields {
 // Allow list for the data we include in the events. True means that it is deep-cloned
 // blindly. Object contents means that we only copy the fields that appear explicitly in
 // the sub-object.
+/* eslint-disable @typescript-eslint/naming-convention */
 const allowlistEventFields: AllowlistFields = {
  '@timestamp': true,
  agent: true,
  Endpoint: true,
+  Memory_protection: true,
  Ransomware: true,
  data_stream: true,
  ecs: true,
  elastic: true,
  event: true,
  rule: {
+    id: true,
+    name: true,
    ruleset: true,
  },
  file: {
@ -320,6 +324,7 @@ const allowlistEventFields: AllowlistFields = {
    Ext: {
      code_signature: true,
      malware_classification: true,
+      malware_signature: true,
      quarantine_result: true,
      quarantine_message: true,
    },
@ -335,7 +340,12 @@ const allowlistEventFields: AllowlistFields = {
    pid: true,
    uptime: true,
    Ext: {
+      architecture: true,
      code_signature: true,
+      dll: true,
+      token: {
+        integrity_level_name: true,
+      },
    },
    parent: {
      name: true,
@ -343,12 +353,82 @@ const allowlistEventFields: AllowlistFields = {
      command_line: true,
      hash: true,
      Ext: {
+        architecture: true,
        code_signature: true,
+        dll: true,
+        token: {
+          integrity_level_name: true,
+        },
      },
      uptime: true,
      pid: true,
      ppid: true,
    },
+    Target: {
+      process: {
+        Ext: {
+          architecture: true,
+          code_signature: true,
+          dll: true,
+          token: {
+            integrity_level_name: true,
+          },
+        },
+        parent: {
+          process: {
+            Ext: {
+              architecture: true,
+              code_signature: true,
+              dll: true,
+              token: {
+                integrity_level_name: true,
+              },
+            },
+          },
+        },
+        thread: {
+          Ext: {
+            call_stack: true,
+            start_address: true,
+            start_address_details: {
+              address_offset: true,
+              allocation_base: true,
+              allocation_protection: true,
+              allocation_size: true,
+              allocation_type: true,
+              base_address: true,
+              bytes_start_address: true,
+              compressed_bytes: true,
+              dest_bytes: true,
+              dest_bytes_disasm: true,
+              dest_bytes_disasm_hash: true,
+              pe: {
+                Ext: {
+                  legal_copyright: true,
+                  product_version: true,
+                  code_signature: {
+                    status: true,
+                    subject_name: true,
+                    trusted: true,
+                  },
+                  company: true,
+                  description: true,
+                  file_version: true,
+                  imphash: true,
+                  original_file_name: true,
+                  product: true,
+                },
+              },
+              pe_detected: true,
+              region_protection: true,
+              region_size: true,
+              region_state: true,
+              strings: true,
+            },
+          },
+        },
+      },
+    },
    token: {
      integrity_level_name: true,
    },