From 0eae57bab46f1420d1ce8cc73749c1d921e1a270 Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Tue, 17 Aug 2021 04:42:19 -0600
Subject: [PATCH] Collect Events.* fields for telemetry (#107976)
* Collect Events.* fields for telemetry
* Add process.code_signature
---
 .../plugins/security_solution/server/lib/telemetry/sender.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
index e8ef18ec798ae..6c0b9f4b8236e 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
@@ -464,6 +464,7 @@ const allowlistProcessFields: AllowlistFields = {
 args: true,
 name: true,
 executable: true,
+ code_signature: true,
 command_line: true,
 hash: true,
 pid: true,
@@ -555,8 +556,10 @@ const allowlistEventFields: AllowlistFields = {
 data_stream: true,
 ecs: true,
 elastic: true,
- // behavioral protection re-nests some field sets under events.*
+ // behavioral protection re-nests some field sets under events.* (< 7.15)
 events: allowlistBaseEventFields,
+ // behavioral protection re-nests some field sets under Events.* (>=7.15)
+ Events: allowlistBaseEventFields,
 rule: {
 id: true,
 name: true,
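Review bot: In the `allowlistProcessFields` hunk, `code_signature: true` allowlists the object as a whole rather than by sub-field. If `true` forwards the entire subtree (the copy logic is outside this hunk, so this is inferred), every key a sender places under `process.code_signature` leaves the deployment in telemetry. That includes signer subject names, which can identify an organisation's internal signing certificates. Consider listing only the sub-fields the telemetry consumers need, for example `code_signature: { status: true, trusted: true, subject_name: true },`, with a short comment on why each is collected. The object literal starts before and continues after the hunk, so other entries were not reviewed.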
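Review bot: The new `Events: allowlistBaseEventFields,` entry in the `allowlistEventFields` hunk ships without a test; the diffstat lists only sender.ts. Nothing pins that a document nesting its field sets under `Events.*` is filtered like one under `events.*`, or that keys absent from `allowlistBaseEventFields` are dropped from it before sending. A case that runs one such document through the allowlist filter and asserts both outcomes would guard against a later edit widening what is collected. The two comments could also say which component the version refers to, and use the same spacing in `(< 7.15)` and `(>=7.15)`. The object literal begins before and runs past the hunk.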