Skip to content

Backport missing custom-documentation fields to 8.19#754

Open
nicholasberlin wants to merge 9 commits into
8.19from
field-mappings-8.19
Open

Backport missing custom-documentation fields to 8.19#754
nicholasberlin wants to merge 9 commits into
8.19from
field-mappings-8.19

Conversation

@nicholasberlin

@nicholasberlin nicholasberlin commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Adds the custom documentation entries the endpoint-dev EAF suite found missing when endpoint-dev #20922 pinned this repo's 8.19 branch as the endpoint-package submodule (build: https://buildkite.com/elastic/endpoint-dev/builds/23075).

Cherry-picked from main, in original order:

  1. f74d96a - Add security event metrics to custom documentation (Add security event metrics to custom documentation #652)
  2. fe393fa - Enhance process event metrics (Enhance process event metrics #653)
  3. 7d45502 - Add network.direction to docs ([macOS] Add network.direction to docs #659)
  4. e745043 - Add kernel_process_events fields (Add custom documentation for kernel_process_events metrics fields #716)

Fixes EAF failures asserting missing custom documentation for:

  • Endpoint.metrics.documents_volume.process_events.sources.{sent_bytes,sent_count,source,suppressed_bytes,suppressed_count}
  • Endpoint.metrics.documents_volume.security_events.sources.{sent_bytes,sent_count,source,suppressed_bytes,suppressed_count}
  • Endpoint.metrics.system_impact.kernel_process_events.{week_ms,week_idle_ms}
  • network.direction (macos network connection attempted/disconnect doc)

Generated with Claude Code.


Update: Follow-up build #23099 (after the fixes above landed on this branch) flagged 3 more undocumented fields. Added:
5. 0068ff3 - Add process.Ext.trusted to custom docs for already-running process events (#697)
6. 89c1a22 - Add missing field in the ASM API events custom documentation (#726)
7. 332151d - Fix Linux and macOS behavior alert custom doc for subtechnique fields (#740)

Fixes additional EAF failures for:

  • process.Ext.trusted / process.Ext.trusted_descendant (windows_process_already_running.yaml)
  • process.Ext.api.metadata.security_descriptor (windows_api_asm.yaml)
  • threat.technique.subtechnique.{id,name,reference} (linux/macos_malicious_behavior_alert.yaml)

Update 2 (mappings, not just docs): review feedback on the endpoint-dev side pointed out that Endpoint.metrics.documents_volume.{process,security}_events.sources.* had only ever been added to custom_documentation - the fields were never defined in custom_schemas, so they are missing from the actual package mappings (the metrics index template is dynamic: false, so they are not indexed). This was true on main as well; fixed there by #762 and cherry-picked here (regeneration verified on this branch).

The other fields in this PR did not need mapping changes: subtechnique.*, security_descriptor, Ext.trusted{,_descendant}, and network.direction were already mapped on 8.19 (only the documentation lagged), and kernel_process_events.* lives under system_impact which is enabled: false (intentionally not indexed), matching main.

AsuNa-jp and others added 4 commits July 6, 2026 08:49
* add new security event metrics to custom documentation

* add generated files

(cherry picked from commit f74d96a)
This adds sources info to process events in the metrics document.
```
        "process_events": {
          "sent_bytes": 1478944,
          "sent_count": 732,
          "sources": [
            {
              "sent_bytes": 0,
              "sent_count": 0,
              "source": "shmget",
              "suppressed_bytes": 0,
              "suppressed_count": 1
            }
          ],
          "suppressed_bytes": 0,
          "suppressed_count": 7
        }
```
This change allows for data based diag->prod decisions for new Linux
process events: load_module, ptrace, and shmget

(cherry picked from commit fe393fa)
@nicholasberlin nicholasberlin requested a review from a team as a code owner July 6, 2026 12:49
@nicholasberlin

Copy link
Copy Markdown
Contributor Author

This is a work in progress. Please ignore for now.

gabriellandau and others added 3 commits July 6, 2026 19:23
* add missing field

* add generated file

(cherry picked from commit 89c1a22)
…#740)

Some rules emit populated threat.technique.subtechnique.{id,name,reference}
fields. The Linux and macOS malicious_behavior_alert custom_documentation
only listed the parent threat.technique.subtechnique path, causing the EAF
custom-documentation validator to fail with undocumented keys. Mirrors the
shape already present in the Windows alert (PR #614 era).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
(cherry picked from commit 332151d)
Endpoint.metrics.documents_volume.{process,security}_events.sources.*
were added to custom_documentation only (#652, #653), so the fields were
never mapped in the package. The metrics index template sets
dynamic: false, so these fields are currently not indexed on any stack.

Define them in custom_schemas/custom_endpoint.yml mirroring the existing
api_events.sources.* mappings, and regenerate with make.

(cherry picked from commit 322d76a)
@nicholasberlin nicholasberlin requested a review from a team as a code owner July 10, 2026 14:41
Requested in review: sample values for the new
documents_volume.{process,security}_events.sources.* mappings so the
automated mapping tests exercise them. Source values reflect what the
endpoint emits: process event sources are opcode names (load_module),
security event sources are diagnostic_<event id> strings.

(cherry picked from commit 52535bc)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants