Add some missing Endpoint telemetry fields (#141769)

## Summary Add some fields to Endpoint telemetry which are stripped by the PII filter. These fields enable the Endpoint Protections team to better triage alerts and create exceptions. - [Effective_process.* ](https://github.com/elastic/endpoint-dev/blob/main/Python/endpoint/generators/events/v0/events.yml#L535) (no PII, similar content to process.name/executable, apply to registry and file events, 8.4+) - [Process.Ext.effective.*](https://github.com/elastic/endpoint-dev/blob/main/Python/endpoint/generators/events/v0/events.yml#L1273) (no PII, similar content to process.name/executable, 8.4+) - [Process.Ext.device.*](https://github.com/elastic/endpoint-dev/blob/main/Python/endpoint/generators/events/v0/events.yml#L2022) (no PII, device metadata, 8.3+) - [dll.Ext.device.*](https://github.com/elastic/endpoint-dev/blob/main/Python/endpoint/generators/events/v0/events.yml#L2593) (no PII, device metadata, 8.3+) - [process.Ext.relative_file_creation_time](https://github.com/elastic/endpoint-dev/blob/main/Python/endpoint/generators/events/v0/events.yml#L2036) 8.4+ - [process.Ext.relative_file_name_modify_time](https://github.com/elastic/endpoint-dev/blob/main/Python/endpoint/generators/events/v0/events.yml#L2041) 8.4+ - [dll.Ext.relative_file_creation_time](https://github.com/elastic/endpoint-dev/blob/main/Python/endpoint/generators/events/v0/events.yml#L2577) 8.4+ - [dll.Ext.relative_file_name_modify_time](https://github.com/elastic/endpoint-dev/blob/main/Python/endpoint/generators/events/v0/events.yml#L2582) 8.4+ ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Pete Hampton <[email protected]> Co-authored-by: Pete Hampton <[email protected]>
elastic · Feb 24, 2023 · 300a87d · 300a87d
1 parent 18fbb94
commit 300a87d
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 17 deletions.
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/endpoint_alerts.ts b/x-pack/plugins/security_solution/server/lib/telemetry/filterlists/endpoint_alerts.ts
@@ -38,6 +38,8 @@ const baseAllowlistFields: AllowlistFields = {
       integrity_level_name: true,
       security_attributes: true,
     },
+    effective_parent: true,
+    device: true,
   },
   thread: true,
   working_directory: true,
@@ -54,9 +56,7 @@ const allowlistBaseEventFields: AllowlistFields = {
     malware_signature: true,
     pe: true,
     Ext: {
-      device: {
-        volume_device_type: true,
-      },
+      device: true,
       load_index: true,
       relative_file_creation_time: true,
       relative_file_name_modify_time: true,
@@ -114,6 +114,8 @@ const allowlistBaseEventFields: AllowlistFields = {
     id: true,
   },
   Persistence: true,
+  /* eslint-disable @typescript-eslint/naming-convention */
+  Effective_process: true,
 };
 
 // Allow list for the data we include in the events. True means that it is deep-cloned

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
@@ -94,11 +94,16 @@ describe('TelemetryEventsSender', () => {
           dll: {
             Ext: {
               device: {
-                volume_device_type: 'Disk File System',
+                bus_type: 'FileBackedVirtual',
+                dos_name: 'D:',
+                file_system_type: 'CDFS',
+                nt_name: 'CdRom0',
+                product_id: 'Virtual DVD-ROM',
+                vendor_id: 'Msft',
+                volume_device_type: 'CD-ROM File System',
               },
-              load_index: 1,
-              relative_file_creation_time: 48628704.4029488,
-              relative_file_name_modify_time: 48628704.4029488,
+              relative_file_creation_time: 35588490.2737149,
+              relative_file_name_modify_time: 35588490.2424634,
             },
           },
           file: {
@@ -177,6 +182,21 @@ describe('TelemetryEventsSender', () => {
               protection: 'PsProtectedSignerAntimalware-Light',
               relative_file_creation_time: 48628704.4029488,
               relative_file_name_modify_time: 48628704.4029488,
+              device: {
+                bus_type: 'FileBackedVirtual',
+                volume_device_type: 'CD-ROM File System',
+                dos_name: 'D:',
+                product_id: 'Virtual DVD-ROM',
+                vendor_id: 'Msft',
+                nt_name: 'CdRom0',
+                file_system_type: 'CDFS',
+              },
+              effective_parent: {
+                name: 'file.exe',
+                pid: 6792,
+                entity_id: 'some_entity_id',
+                executable: 'DeviceHarddiskVolume3WindowsSystem32file.exe',
+              },
               session_info: {
                 logon_type: 'Interactive',
                 client_address: '127.0.0.1',
@@ -271,16 +291,6 @@ describe('TelemetryEventsSender', () => {
             ruleset: 'Z',
             version: '100',
           },
-          dll: {
-            Ext: {
-              device: {
-                volume_device_type: 'Disk File System',
-              },
-              load_index: 1,
-              relative_file_creation_time: 48628704.4029488,
-              relative_file_name_modify_time: 48628704.4029488,
-            },
-          },
           file: {
             extension: '.exe',
             size: 3,
@@ -349,6 +359,21 @@ describe('TelemetryEventsSender', () => {
               protection: 'PsProtectedSignerAntimalware-Light',
               relative_file_creation_time: 48628704.4029488,
               relative_file_name_modify_time: 48628704.4029488,
+              device: {
+                bus_type: 'FileBackedVirtual',
+                volume_device_type: 'CD-ROM File System',
+                dos_name: 'D:',
+                product_id: 'Virtual DVD-ROM',
+                vendor_id: 'Msft',
+                nt_name: 'CdRom0',
+                file_system_type: 'CDFS',
+              },
+              effective_parent: {
+                name: 'file.exe',
+                pid: 6792,
+                entity_id: 'some_entity_id',
+                executable: 'DeviceHarddiskVolume3WindowsSystem32file.exe',
+              },
               session_info: {
                 logon_type: 'Interactive',
                 client_address: '127.0.0.1',
@@ -375,6 +400,21 @@ describe('TelemetryEventsSender', () => {
             runatload: true,
             args: ['foo', 'bar'],
           },
+          dll: {
+            Ext: {
+              relative_file_creation_time: 35588490.2737149,
+              relative_file_name_modify_time: 35588490.2424634,
+              device: {
+                bus_type: 'FileBackedVirtual',
+                volume_device_type: 'CD-ROM File System',
+                dos_name: 'D:',
+                product_id: 'Virtual DVD-ROM',
+                vendor_id: 'Msft',
+                nt_name: 'CdRom0',
+                file_system_type: 'CDFS',
+              },
+            },
+          },
         },
       ]);
     });