From f0e2a50da44c1b6741d3734ac81418257acad68a Mon Sep 17 00:00:00 2001
From: Pete Hampton
Date: Tue, 8 Jun 2021 14:51:31 +0100
Subject: [PATCH] Collect additional fields for alert telemetry. (#101578)

---
 .../security_solution/server/lib/telemetry/sender.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
index b47edbb21d178b..baf4fb2d2cfd0d 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
@@ -293,6 +293,9 @@ const allowlistProcessFields: AllowlistFields = {
 command_line: true,
 hash: true,
 pid: true,
+ pe: {
+ original_file_name: true,
+ },
 uptime: true,
 Ext: {
 architecture: true,
@@ -313,6 +316,9 @@ const allowlistBaseEventFields: AllowlistFields = {
 path: true,
 code_signature: true,
 malware_signature: true,
+ pe: {
+ original_file_name: true,
+ },
 },
 event: true,
 file: {
@@ -326,6 +332,7 @@ const allowlistBaseEventFields: AllowlistFields = {
 hash: true,
 Ext: {
 code_signature: true,
+ header_data: true,
 malware_classification: true,
 malware_signature: true,
 quarantine_result: true,
@@ -351,6 +358,9 @@ const allowlistBaseEventFields: AllowlistFields = {
 ...allowlistProcessFields,
 },
 },
+ user: {
+ id: true,
+ },
 };
 
 // Allow list for the data we include in the events. True means that it is deep-cloned
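Review bot: The `user: { id: true }` entry in the last hunk adds a per-user identifier to the allowlist of fields shipped off-host as telemetry, and nothing in the diff records why it is needed or whether the value is treated as personal data; a comment beside it such as `// user.id: [reason it is needed] — confirm against the telemetry privacy review` would make that decision visible to the next maintainer. The same applies to `header_data: true` in the third hunk, whose contents are not visible here and whose purpose in telemetry is not documented. The `pe: { original_file_name: true }` subtree is added identically in both allowlistProcessFields (first hunk) and the dll block (second hunk); a shared constant, e.g. `const allowlistPeFields: AllowlistFields = { original_file_name: true };` spread into both places, would keep the two from drifting. allowlistBaseEventFields begins outside these hunks, so the surrounding structure was not reviewed.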