Skip to content

m365_defender: fix construction of file.path fields in the incident data stream #15728

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+18 −8
Open

m365_defender: fix construction of file.path fields in the incident data stream #15728

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions packages/m365_defender/changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "5.1.0"
changes:
- description: Fix construction of `file.path` fields in the incident data stream to conform to ECS.
type: bugfix
link: https://github.com/elastic/integrations/pull/15728
- version: "5.0.0"
changes:
- description: |
Expand Down
12 changes: 6 additions & 6 deletions ...ges/m365_defender/data_stream/incident/_dev/test/pipeline/test-incident.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@
"MsSense.exe"
],
"path": [
"C:\\Program Files\\temp"
"C:\\Program Files\\temp\\MsSense.exe"
],
"size": [
6136392
Expand Down Expand Up @@ -364,7 +364,7 @@
"MsSense.exe"
],
"path": [
"C:\\Program Files\\temp"
"C:\\Program Files\\temp\\MsSense.exe"
],
"size": [
6136392
Expand Down Expand Up @@ -849,7 +849,7 @@
"K3V15.1安装盘访问密码i5fy.zip"
],
"path": [
"E:"
"E:\\K3V15.1安装盘访问密码i5fy.zip"
],
"size": [
36864
Expand Down Expand Up @@ -1040,7 +1040,7 @@
"K3V15.1安装盘访问密码i5fy.zip"
],
"path": [
"E:"
"E:\\K3V15.1安装盘访问密码i5fy.zip"
],
"size": [
36864
Expand Down Expand Up @@ -1345,7 +1345,7 @@
"PDFpower.exe"
],
"path": [
"C:\\Users\\user6\\Downloads"
"C:\\Users\\user6\\Downloads\\PDFpower.exe"
],
"size": [
1086184
Expand Down Expand Up @@ -1546,7 +1546,7 @@
"PDFpower.exe"
],
"path": [
"C:\\Users\\user6\\Downloads"
"C:\\Users\\user6\\Downloads\\PDFpower.exe"
],
"size": [
1086184
Expand Down
7 changes: 6 additions & 1 deletion packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1412,9 +1412,14 @@ processors:
processor:
append:
field: file.path
value: '{{{_ingest._value.file_details.path}}}'
value: '{{{_ingest._value.file_details.path}}}\{{{_ingest._value.file_details.name}}}'
allow_duplicates: false
ignore_failure: true
- script:
tag: script_remove_backslash
if: ctx.file?.path instanceof List
source: |-
ctx.file.path.removeIf(v -> v == '\\');
- foreach:
field: json.alerts.evidence
if: ctx.json?.alerts?.evidence instanceof List
Expand Down
2 changes: 1 addition & 1 deletion packages/m365_defender/manifest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
format_version: "3.4.0"
name: m365_defender
title: Microsoft Defender XDR
version: "5.0.0"
version: "5.1.0"
description: Collect logs from Microsoft Defender XDR with Elastic Agent.
categories:
- "security"
Expand Down