elasticmachine
commented
10 months ago Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Closed bhapas closed 10 months ago
elasticmachine
commented
10 months ago Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
There was a user report of pipeline failure renaming to the existing field
process.executalbe. This happens when bothImageFileNameandCommandLineare populated in the incoming data.The table of existing test data below suggests that
ImageFileNamevalues will better match the ECS fieldprocess.executable, which is described as "Absolute path to the process executable".ImageFileNameCommandLine/bin/sh/bin/sh -s unix:cmd/usr/libexec/xpcproxyxpcproxy com.apple.mdworker.shared.01000000-0600-0000-0000-000000000000/usr/bin/pgbackrestpgbackrest --stanza\u003dmain archive-get 000000020004D51F0000009F pg_wal/RECOVERYXLOG/bin/unameuname -a\Device\HarddiskVolume2\projects\splunk-forwarder\bin\splunk-powershell.exeD:\projects\splunk-forwarder\bin\splunk-powershell.exe --ps2/usr/bin/plutil/usr/bin/plutil -convert xml1 -o - /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/tvOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/com.apple.DiagnosticExtensions.CrashLogs.appex/Info.plist\Device\HarddiskVolume3\Windows\System32\svchost.exeC:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc\Device\HarddiskVolume3\Windows\System32\svchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcs -p -s NetSetupSvc\Device\HarddiskVolume3\Windows\System32\backgroundTaskHost.exe"C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca