Collect additional fields for alert telemetry. (#101578)

elastic · Jun 8, 2021 · f0e2a50 · f0e2a50
1 parent c1924c3
commit f0e2a50
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
@@ -293,6 +293,9 @@ const allowlistProcessFields: AllowlistFields = {
   command_line: true,
   hash: true,
   pid: true,
+  pe: {
+    original_file_name: true,
+  },
   uptime: true,
   Ext: {
     architecture: true,
@@ -313,6 +316,9 @@ const allowlistBaseEventFields: AllowlistFields = {
     path: true,
     code_signature: true,
     malware_signature: true,
+    pe: {
+      original_file_name: true,
+    },
   },
   event: true,
   file: {
@@ -326,6 +332,7 @@ const allowlistBaseEventFields: AllowlistFields = {
     hash: true,
     Ext: {
       code_signature: true,
+      header_data: true,
       malware_classification: true,
       malware_signature: true,
       quarantine_result: true,
@@ -351,6 +358,9 @@ const allowlistBaseEventFields: AllowlistFields = {
       ...allowlistProcessFields,
     },
   },
+  user: {
+    id: true,
+  },
 };
 
 // Allow list for the data we include in the events. True means that it is deep-cloned