Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Enhancement] Field adjusts to better compatibility with Detection Rules #9234

Open
w0rk3r opened this issue Feb 23, 2024 · 0 comments · May be fixed by #9850
Open

[Enhancement] Field adjusts to better compatibility with Detection Rules #9234

w0rk3r opened this issue Feb 23, 2024 · 0 comments · May be fixed by #9850
Assignees
@w0rk3r
Labels
enhancement New feature or request

Comments

@w0rk3r
Copy link
Contributor

w0rk3r commented Feb 23, 2024
edited

For Detection compatibility purposes, we need to adjust and add some fields to the integrations shipped process creation logs.

System Integration:

  • process.name.caseless
  • process.executable.caseless
  • process.args_count

Windows Integration:

  • process.name.caseless
  • process.executable.caseless
  • process.args_count (Sysmon logs already have these, needs to be added to win forwarded logs)

In Sysmon and in the winevent logs, we don't have a caseless field as we do in Elastic Defend, which prevents them from working with rules that use KQL, like new_terms.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@w0rk3r w0rk3r

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Enhancement] Add ".caseless" fields to process events elastic/integrations
1 participant
@w0rk3r