From 504f07ebf82d86810a1197bc8af96f16ff07476c Mon Sep 17 00:00:00 2001
From: Pete Hampton
Date: Thu, 18 Feb 2021 19:17:54 +0000
Subject: [PATCH 1/4] Add missing fields + ignore naming convention.
---
 .../server/lib/telemetry/sender.ts | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
index a18604fb92a40..38137b04f957d 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
@@ -296,10 +296,12 @@ interface AllowlistFields {
 // Allow list for the data we include in the events. True means that it is deep-cloned
 // blindly. Object contents means that we only copy the fields that appear explicitly in
 // the sub-object.
+/* eslint-disable @typescript-eslint/naming-convention */
 const allowlistEventFields: AllowlistFields = {
 '@timestamp': true,
 agent: true,
 Endpoint: true,
+ Memory_protection: true,
 Ransomware: true,
 data_stream: true,
 ecs: true,
@@ -335,7 +337,12 @@ const allowlistEventFields: AllowlistFields = {
 pid: true,
 uptime: true,
 Ext: {
+ architecture: true,
 code_signature: true,
+ dll: true,
+ token: {
+ integrity_level_name: true,
+ },
 },
 parent: {
 name: true,
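Review bot: The added `/* eslint-disable @typescript-eslint/naming-convention */` has no matching `eslint-enable` in this hunk, so unless one exists further down (the end of `allowlistEventFields` and the rest of the file are outside the hunk) it silences the naming rule for everything after line 299, not just the handful of capitalised keys that need it. I would scope it: either add `/* eslint-enable @typescript-eslint/naming-convention */` directly after the literal's closing `};`, or drop the block directive and put `// eslint-disable-next-line @typescript-eslint/naming-convention` on each offending key (`Endpoint`, `Memory_protection`, `Ransomware`, `Ext`, `Target`). A short reason comment next to the directive, e.g. `// Keys mirror the Endpoint event schema, which is not camelCase`, would also tell the next maintainer why the rule is suspended rather than the keys renamed.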
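Review bot: `dll: true` in the new `Ext` entry deep-clones the whole loaded-module list without any field filtering (the file's own comment above the literal says `true` means "deep-cloned blindly"), while the neighbouring `token` entry is restricted to the single sub-field telemetry needs. If the dll entries include on-disk module paths, those paths can embed user-profile directory names and other host-specific detail that does not obviously belong in vendor telemetry; I would list the sub-fields explicitly (`dll: { … }` naming only what the telemetry consumer uses) rather than allow-listing the object wholesale, or add a one-line comment recording that the full object was deliberately reviewed. The same pattern is repeated for `parent.Ext.dll` and the `Target` entries in the following hunk, so whichever way this is resolved should be applied consistently. The enclosing object's header is outside this hunk.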
@@ -343,12 +350,82 @@ const allowlistEventFields: AllowlistFields = {
 command_line: true,
 hash: true,
 Ext: {
+ architecture: true,
 code_signature: true,
+ dll: true,
+ token: {
+ integrity_level_name: true,
+ },
 },
 uptime: true,
 pid: true,
 ppid: true,
 },
+ Target: {
+ process: {
+ Ext: {
+ architecture: true,
+ code_signature: true,
+ dll: true,
+ token: {
+ integrity_level_name: true,
+ },
+ },
+ parent: {
+ process: {
+ Ext: {
+ architecture: true,
+ code_signature: true,
+ dll: true,
+ token: {
+ integrity_level_name: true,
+ },
+ },
+ },
+ },
+ thread: {
+ Ext: {
+ call_stack: true,
+ start_address: true,
+ start_address_details: {
+ address_offset: true,
+ allocation_base: true,
+ allocation_protection: true,
+ allocation_size: true,
+ allocation_type: true,
+ base_address: true,
+ bytes_start_address: true,
+ compressed_bytes: true,
+ dest_bytes: true,
+ dest_bytes_disasm: true,
+ dest_bytes_disasm_hash: true,
+ pe: {
+ Ext: {
+ legal_copyright: true,
+ product_version: true,
+ code_signature: {
+ status: true,
+ subject_name: true,
+ trusted: true,
+ },
+ company: true,
+ description: true,
+ file_version: true,
+ imphash: true,
+ original_file_name: true,
+ product: true,
+ },
+ },
+ pe_detected: true,
+ region_protection: true,
+ region_size: true,
+ region_state: true,
+ strings: true,
+ },
+ },
+ },
+ },
+ },
 token: {
 integrity_level_name: true,
 },
From 6d441e36a4c6d84f8f20a342e544e7eeac94a9d3 Mon Sep 17 00:00:00 2001
From: Thiago Souza
Date: Fri, 19 Feb 2021 13:23:19 +0000
Subject: [PATCH 2/4] adding missing test to rule.ruleset
---
 .../security_solution/server/lib/telemetry/sender.test.ts | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
index 56e2f9c7c7304..589af01145253 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
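Review bot: The new `Target` block is inserted between the `parent` and `token` keys of an object whose header lies outside this hunk; from the surrounding keys (`pid`, `uptime`, `Ext`, `parent`, `ppid`) that object looks like `process`, which would make the allowlist path `process.Target.process.…` rather than a top-level `Target.process.…`. If the memory protection events carry `Target` at the top level of the document, this entry never matches and every field under it is silently dropped from telemetry, so please confirm the intended nesting and, if top-level is meant, move the block one level up beside `process`. Separately, `call_stack`, `compressed_bytes`, `dest_bytes` and `strings` under `start_address_details` are deep-cloned blindly (`true`) and by their names carry raw contents of the flagged memory region of a customer process, which can include credentials or other sensitive data; I would record that decision inline, e.g. `// NOTE: dest_bytes/compressed_bytes/strings forward raw bytes of the flagged region; revisit with the telemetry privacy review`, and consider whether `dest_bytes_disasm_hash` plus `region_*` metadata is sufficient for the consumer. None of the patches that follow add a test exercising any `Target` field, so the nesting question is not caught by the suite as far as is visible here.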
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
@@ -34,6 +34,9 @@ describe('TelemetryEventsSender', () => {
 agent: {
 name: 'test',
 },
+ rule: {
+ ruleset: 'Z',
+ },
 file: {
 size: 3,
 path: 'X',
From 0b8809c27c54e31504a2444892b9497b0971108f Mon Sep 17 00:00:00 2001
From: Thiago Souza
Date: Fri, 19 Feb 2021 13:23:38 +0000
Subject: [PATCH 3/4] adding missing fields
---
 .../security_solution/server/lib/telemetry/sender.test.ts | 5 +++++
 .../plugins/security_solution/server/lib/telemetry/sender.ts | 3 +++
 2 files changed, 8 insertions(+)
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
index 589af01145253..10f18481ecc19 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
@@ -35,6 +35,8 @@ describe('TelemetryEventsSender', () => {
 name: 'test',
 },
 rule: {
+ id: 'X',
+ name: 'Y',
 ruleset: 'Z',
 },
 file: {
@@ -50,6 +52,9 @@ describe('TelemetryEventsSender', () => {
 malware_classification: {
 key1: 'X',
 },
+ malware_signature: {
+ key1: 'X',
+ },
 quarantine_result: true,
 quarantine_message: 'this file is bad',
 something_else: 'nope',
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
index 38137b04f957d..3ee18a84e1133 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
@@ -308,6 +308,8 @@ const allowlistEventFields: AllowlistFields = {
 elastic: true,
 event: true,
 rule: {
+ id: true,
+ name: true,
 ruleset: true,
 },
 file: {
@@ -322,6 +324,7 @@ const allowlistEventFields: AllowlistFields = {
 Ext: {
 code_signature: true,
 malware_classification: true,
+ malware_signature: true,
 quarantine_result: true,
 quarantine_message: true,
 },
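Review bot: Allow-listing `rule.name` alongside `rule.id` forwards a free-text field, and the hunk gives no indication whether the `rule` object on these events is always the Endpoint's own built-in rule or can be a user-authored rule whose name is operator-chosen text; in the latter case customer-written strings would leave the cluster with every matching event. If only vendor-defined rules can appear here, a one-line comment above the entry would settle it for future readers, e.g. `// rule.* here is the Endpoint's built-in rule metadata, not a user-authored detection rule`; if not, `rule.id` and `rule.ruleset` alone identify the rule without the free text. The enclosing `allowlistEventFields` literal starts and ends outside this hunk.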
From 838cd77fd107435a2eac1ef91744088ca76737f4 Mon Sep 17 00:00:00 2001
From: Thiago Souza
Date: Fri, 19 Feb 2021 15:14:00 +0000
Subject: [PATCH 4/4] fix tests
---
 .../security_solution/server/lib/telemetry/sender.test.ts | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
index 10f18481ecc19..d5edd4678a9a2 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
@@ -78,6 +78,11 @@ describe('TelemetryEventsSender', () => {
 agent: {
 name: 'test',
 },
+ rule: {
+ id: 'X',
+ name: 'Y',
+ ruleset: 'Z',
+ },
 file: {
 size: 3,
 path: 'X',
@@ -89,6 +94,9 @@ describe('TelemetryEventsSender', () => {
 malware_classification: {
 key1: 'X',
 },
+ malware_signature: {
+ key1: 'X',
+ },
 quarantine_result: true,
 quarantine_message: 'this file is bad',
 },
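Review bot: The expected-output fixture is extended only for `rule` and `malware_signature`, so across the whole series nothing in the test file exercises `Memory_protection`, the new `process.Ext`/`parent.Ext` sub-fields, or any of the roughly seventy `Target.process.thread.Ext.start_address_details.*` entries added in patch 1, which are the bulk of the change and the ones most likely to be mis-nested. I would add one input/expected pair that carries a top-level `Target.process.thread.Ext.start_address_details` object with a field that is allow-listed (e.g. `region_size`) and one that is not, plus a `Memory_protection` object, so the test pins both that the allow-listed path survives and that the filter still strips siblings the way the existing `something_else: 'nope'` entry does for `file`. The `describe` block containing these fixtures starts before and continues after this hunk.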