This PR aims to add a subfield to the process.name and process.executable fields to improve the compatibility of data sources like System, Sysmon, etc., with our Elastic Defend data. This enables us to handle language limitations in KQL more effectively.
Summary
Related PR: https://github.com/elastic/integrations/pull/9850
This PR aims to add a subfield to the
process.nameandprocess.executablefields to improve the compatibility of data sources like System, Sysmon, etc., with our Elastic Defend data. This enables us to handle language limitations in KQL more effectively.Elastic Defend Mapping: