Skip to content

Backport kernel_process_events custom documentation to 9.3#755

Open
nicholasberlin wants to merge 5 commits into
9.3from
field-mappings-9.3
Open

Backport kernel_process_events custom documentation to 9.3#755
nicholasberlin wants to merge 5 commits into
9.3from
field-mappings-9.3

Conversation

@nicholasberlin

@nicholasberlin nicholasberlin commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Adds the custom documentation entry the endpoint-dev EAF suite found missing when endpoint-dev #20923 pinned this repo's 9.3 branch as the endpoint-package submodule (build: https://buildkite.com/elastic/endpoint-dev/builds/23076).

Cherry-picked from main:

Fixes EAF failures asserting missing custom documentation for:

  • Endpoint.metrics.system_impact.kernel_process_events.week_ms
  • Endpoint.metrics.system_impact.kernel_process_events.week_idle_ms

Generated with Claude Code.


Update: Follow-up build #23081 (after the fix above landed on this branch) flagged 2 more undocumented fields. Added:
2. 89c1a22 - Add missing field in the ASM API events custom documentation (#726)
3. 332151d - Fix Linux and macOS behavior alert custom doc for subtechnique fields (#740)

Fixes additional EAF failures for:

  • process.Ext.api.metadata.security_descriptor (windows_api_asm.yaml)
  • threat.technique.subtechnique.{id,name,reference} (linux/macos_malicious_behavior_alert.yaml)

(Build #23081 also had one test_noisy_processes_configuration failure on Windows 11 Arm64 - unrelated, a pre-existing ~4% flake on main too.)


Update 2 (mappings, not just docs): review feedback on the endpoint-dev side pointed out that Endpoint.metrics.documents_volume.{process,security}_events.sources.* had only ever been added to custom_documentation - the fields were never defined in custom_schemas, so they are missing from the actual package mappings (the metrics index template is dynamic: false, so they are not indexed). This was true on main as well; fixed there by #762 and cherry-picked here (regeneration verified on this branch).

Note: the sources.* fields are not among the EAF failures this PR originally fixed for 9.3 (endpoint 9.3 documentation for them already existed), but 9.3 endpoint emits them, so the mapping backport applies here too. The other fields in this PR did not need mapping changes: subtechnique.* and security_descriptor were already mapped on 9.3 (only documentation lagged), and kernel_process_events.* lives under system_impact which is enabled: false (intentionally not indexed), matching main.

@nicholasberlin nicholasberlin requested a review from a team as a code owner July 6, 2026 12:49
@nicholasberlin

Copy link
Copy Markdown
Contributor Author

This is a work in progress, please ignore for now.

AsuNa-jp and others added 2 commits July 6, 2026 19:23
* add missing field

* add generated file

(cherry picked from commit 89c1a22)
…#740)

Some rules emit populated threat.technique.subtechnique.{id,name,reference}
fields. The Linux and macOS malicious_behavior_alert custom_documentation
only listed the parent threat.technique.subtechnique path, causing the EAF
custom-documentation validator to fail with undocumented keys. Mirrors the
shape already present in the Windows alert (PR #614 era).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
(cherry picked from commit 332151d)
@nicholasberlin

Copy link
Copy Markdown
Contributor Author

Ok, this is ready for review now.

@nicholasberlin nicholasberlin requested a review from pzl July 10, 2026 13:59
@pzl

pzl commented Jul 10, 2026

Copy link
Copy Markdown
Member

AFAIK everything under custom_documentation only effects two things:

  • tests in endpoint-dev, with EAF etc
  • I believe the contents are pulled and displayed on a website or wiki somewhere for users? But I have no idea what that pipeline is. It isn't a push-from-this-repo, it is a pulled-from-url type deal.

I don't manage the endpoint tests, nor the website page output, so you only need reviews from fellow elastic-endpoint folks for custom docs changes. It's not part of the "release process" of the integration, per se

you are good to merge when you get endpoint thumbs 👍

Endpoint.metrics.documents_volume.{process,security}_events.sources.*
were added to custom_documentation only (#652, #653), so the fields were
never mapped in the package. The metrics index template sets
dynamic: false, so these fields are currently not indexed on any stack.

Define them in custom_schemas/custom_endpoint.yml mirroring the existing
api_events.sources.* mappings, and regenerate with make.

(cherry picked from commit 322d76a)
@nicholasberlin nicholasberlin requested a review from a team as a code owner July 10, 2026 14:41
Requested in review: sample values for the new
documents_volume.{process,security}_events.sources.* mappings so the
automated mapping tests exercise them. Source values reflect what the
endpoint emits: process event sources are opcode names (load_module),
security event sources are diagnostic_<event id> strings.

(cherry picked from commit 52535bc)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants