Collect Events.* fields for telemetry (#107976) (#108861)

* Collect Events.* fields for telemetry * Add process.code_signature Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
elastic · Aug 17, 2021 · 55db4df · 55db4df
1 parent 70d8ef3
commit 55db4df
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
@@ -464,6 +464,7 @@ const allowlistProcessFields: AllowlistFields = {
   args: true,
   name: true,
   executable: true,
+  code_signature: true,
   command_line: true,
   hash: true,
   pid: true,
@@ -555,8 +556,10 @@ const allowlistEventFields: AllowlistFields = {
   data_stream: true,
   ecs: true,
   elastic: true,
-  // behavioral protection re-nests some field sets under events.*
+  // behavioral protection re-nests some field sets under events.* (< 7.15)
   events: allowlistBaseEventFields,
+  // behavioral protection re-nests some field sets under Events.* (>=7.15)
+  Events: allowlistBaseEventFields,
   rule: {
     id: true,
     name: true,