Added in 'Responses' field in alert telemetry & updated test (#111892)

2021-09-10 16:47:43 -04:00 · 2021-09-10 16:47:43 -04:00 · 7ee4a086c3
parent 13560c01fc
commit 7ee4a086c3
2 changed files with 7 additions and 0 deletions
--- a/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
@ -111,6 +111,8 @@ export const allowlistEventFields: AllowlistFields = {
  events: allowlistBaseEventFields,
  // behavioral protection re-nests some field sets under Events.* (>=7.15)
  Events: allowlistBaseEventFields,
+  // behavioral protection response data under Response.* (>=7.15)
+  Responses: true,
  rule: {
    id: true,
    name: true,
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
@ -80,6 +80,7 @@ describe('TelemetryEventsSender', () => {
            executable: null, // null fields are never allowlisted
            working_directory: '/some/usr/dir',
          },
+          Responses: '{ "result": 0 }', // >= 7.15
          Target: {
            process: {
              name: 'bar.exe',
@ -89,6 +90,9 @@ describe('TelemetryEventsSender', () => {
              },
            },
          },
+          threat: {
+            ignored_object: true, // this field is not allowlisted
+          },
        },
      ];

@ -136,6 +140,7 @@ describe('TelemetryEventsSender', () => {
            name: 'foo.exe',
            working_directory: '/some/usr/dir',
          },
+          Responses: '{ "result": 0 }',
          Target: {
            process: {
              name: 'bar.exe',