[7.12][Telemetry] Add missing fields for security telemetry (elastic#…

…91920) Co-authored-by: Thiago Souza <[email protected]>
Kerry350 · Feb 19, 2021 · 4e2601d · 4e2601d
1 parent 4a1134c
commit 4e2601d
Show file tree

Hide file tree

Showing 2 changed files with 96 additions and 0 deletions.
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
@@ -34,6 +34,11 @@ describe('TelemetryEventsSender', () => {
           agent: {
             name: 'test',
           },
+          rule: {
+            id: 'X',
+            name: 'Y',
+            ruleset: 'Z',
+          },
           file: {
             size: 3,
             path: 'X',
@@ -47,6 +52,9 @@ describe('TelemetryEventsSender', () => {
               malware_classification: {
                 key1: 'X',
               },
+              malware_signature: {
+                key1: 'X',
+              },
               quarantine_result: true,
               quarantine_message: 'this file is bad',
               something_else: 'nope',
@@ -70,6 +78,11 @@ describe('TelemetryEventsSender', () => {
           agent: {
             name: 'test',
           },
+          rule: {
+            id: 'X',
+            name: 'Y',
+            ruleset: 'Z',
+          },
           file: {
             size: 3,
             path: 'X',
@@ -81,6 +94,9 @@ describe('TelemetryEventsSender', () => {
               malware_classification: {
                 key1: 'X',
               },
+              malware_signature: {
+                key1: 'X',
+              },
               quarantine_result: true,
               quarantine_message: 'this file is bad',
             },

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
@@ -296,16 +296,20 @@ interface AllowlistFields {
 // Allow list for the data we include in the events. True means that it is deep-cloned
 // blindly. Object contents means that we only copy the fields that appear explicitly in
 // the sub-object.
+/* eslint-disable @typescript-eslint/naming-convention */
 const allowlistEventFields: AllowlistFields = {
   '@timestamp': true,
   agent: true,
   Endpoint: true,
+  Memory_protection: true,
   Ransomware: true,
   data_stream: true,
   ecs: true,
   elastic: true,
   event: true,
   rule: {
+    id: true,
+    name: true,
     ruleset: true,
   },
   file: {
@@ -320,6 +324,7 @@ const allowlistEventFields: AllowlistFields = {
     Ext: {
       code_signature: true,
       malware_classification: true,
+      malware_signature: true,
       quarantine_result: true,
       quarantine_message: true,
     },
@@ -335,20 +340,95 @@ const allowlistEventFields: AllowlistFields = {
     pid: true,
     uptime: true,
     Ext: {
+      architecture: true,
       code_signature: true,
+      dll: true,
+      token: {
+        integrity_level_name: true,
+      },
     },
     parent: {
       name: true,
       executable: true,
       command_line: true,
       hash: true,
       Ext: {
+        architecture: true,
         code_signature: true,
+        dll: true,
+        token: {
+          integrity_level_name: true,
+        },
       },
       uptime: true,
       pid: true,
       ppid: true,
     },
+    Target: {
+      process: {
+        Ext: {
+          architecture: true,
+          code_signature: true,
+          dll: true,
+          token: {
+            integrity_level_name: true,
+          },
+        },
+        parent: {
+          process: {
+            Ext: {
+              architecture: true,
+              code_signature: true,
+              dll: true,
+              token: {
+                integrity_level_name: true,
+              },
+            },
+          },
+        },
+        thread: {
+          Ext: {
+            call_stack: true,
+            start_address: true,
+            start_address_details: {
+              address_offset: true,
+              allocation_base: true,
+              allocation_protection: true,
+              allocation_size: true,
+              allocation_type: true,
+              base_address: true,
+              bytes_start_address: true,
+              compressed_bytes: true,
+              dest_bytes: true,
+              dest_bytes_disasm: true,
+              dest_bytes_disasm_hash: true,
+              pe: {
+                Ext: {
+                  legal_copyright: true,
+                  product_version: true,
+                  code_signature: {
+                    status: true,
+                    subject_name: true,
+                    trusted: true,
+                  },
+                  company: true,
+                  description: true,
+                  file_version: true,
+                  imphash: true,
+                  original_file_name: true,
+                  product: true,
+                },
+              },
+              pe_detected: true,
+              region_protection: true,
+              region_size: true,
+              region_state: true,
+              strings: true,
+            },
+          },
+        },
+      },
+    },
     token: {
       integrity_level_name: true,
     },