diff --git a/packages/m365_defender/changelog.yml b/packages/m365_defender/changelog.yml
index 62aaa12a678..b4174e87d6d 100644
--- a/packages/m365_defender/changelog.yml
+++ b/packages/m365_defender/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "5.1.1"
+ changes:
+ - description: Fix construction of `file.path` fields in the incident data stream to conform to ECS.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/15728
 - version: "5.1.0"
 changes:
 - description: Add support for OAuth2 Endpoint Params option.
diff --git a/packages/m365_defender/data_stream/incident/_dev/test/pipeline/test-incident.log-expected.json b/packages/m365_defender/data_stream/incident/_dev/test/pipeline/test-incident.log-expected.json
index dda4e06b478..1fa892a621a 100644
--- a/packages/m365_defender/data_stream/incident/_dev/test/pipeline/test-incident.log-expected.json
+++ b/packages/m365_defender/data_stream/incident/_dev/test/pipeline/test-incident.log-expected.json
@@ -38,7 +38,7 @@
 "MsSense.exe"
 ],
 "path": [
- "C:\\Program Files\\temp"
+ "C:\\Program Files\\temp\\MsSense.exe"
 ],
 "size": [
 6136392
@@ -364,7 +364,7 @@
 "MsSense.exe"
 ],
 "path": [
- "C:\\Program Files\\temp"
+ "C:\\Program Files\\temp\\MsSense.exe"
 ],
 "size": [
 6136392
@@ -849,7 +849,7 @@
 "K3V15.1安装盘访问密码i5fy.zip"
 ],
 "path": [
- "E:"
+ "E:\\K3V15.1安装盘访问密码i5fy.zip"
 ],
 "size": [
 36864
@@ -1040,7 +1040,7 @@
 "K3V15.1安装盘访问密码i5fy.zip"
 ],
 "path": [
- "E:"
+ "E:\\K3V15.1安装盘访问密码i5fy.zip"
 ],
 "size": [
 36864
@@ -1345,7 +1345,7 @@
 "PDFpower.exe"
 ],
 "path": [
- "C:\\Users\\user6\\Downloads"
+ "C:\\Users\\user6\\Downloads\\PDFpower.exe"
 ],
 "size": [
 1086184
@@ -1546,7 +1546,7 @@
 "PDFpower.exe"
 ],
 "path": [
- "C:\\Users\\user6\\Downloads"
+ "C:\\Users\\user6\\Downloads\\PDFpower.exe"
 ],
 "size": [
 1086184
diff --git a/packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml b/packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml
index 067ec31db5a..c2745986ae6 100644
--- a/packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml
@@ -1412,9 +1412,14 @@ processors:
 processor:
 append:
 field: file.path
- value: '{{{_ingest._value.file_details.path}}}'
+ value: '{{{_ingest._value.file_details.path}}}\{{{_ingest._value.file_details.name}}}'
 allow_duplicates: false
 ignore_failure: true
+ - script:
+ tag: script_remove_backslash
+ if: ctx.file?.path instanceof List
+ source: |-
+ ctx.file.path.removeIf(v -> v == '\\');
 - foreach:
 field: json.alerts.evidence
 if: ctx.json?.alerts?.evidence instanceof List
diff --git a/packages/m365_defender/manifest.yml b/packages/m365_defender/manifest.yml
index f5e921ae516..ef143bbf844 100644
--- a/packages/m365_defender/manifest.yml
+++ b/packages/m365_defender/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.4.0"
 name: m365_defender
 title: Microsoft Defender XDR
-version: "5.1.0"
+version: "5.1.1"
 description: Collect logs from Microsoft Defender XDR with Elastic Agent.
 categories:
 - "security"
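Review bot: The new `value` template on the `append` processor hard-codes a `\` separator and assumes both `file_details.path` and `file_details.name` are present; if an evidence entry carries only one of them (mustache renders a missing field as empty, as far as I know) the appended `file.path` becomes `\name` or `path\`, and the added `script_remove_backslash` step only strips the exact single `\` produced when both are missing. A backslash is also only right for Windows evidence: should Defender report a POSIX path such as `/usr/bin`, the joined value has mixed separators, and a path that already ends in `\` is doubled. I would gate the append on both fields, e.g. add `if: ctx._ingest?._value?.file_details?.path != null && ctx._ingest?._value?.file_details?.name != null` under `append:`, and either choose the separator from whether the path contains `/` or extend the cleanup script to drop values that start or end with a separator rather than only the bare `\`. The `foreach` that wraps this `append` begins above the hunk, so I cannot see whether an outer condition already covers this.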