sentinel_one_cloud_funnel: improve process handling (#9361)

Author: efd6

packages/sentinel_one_cloud_funnel/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.13.0"
+ changes:
+ - description: Improve detection rules support for process events.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9361
 - version: "0.12.0"
  changes:
  - description: Improve detection rules support.

packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-process.log-expected.json

@@ -39,6 +39,7 @@
  "args_count": 1,
  "command_line": "./nr-winpkg",
  "entity_id": "D0046CBAF5BC03DA",
+ "executable": "C:\\ProgramFiles\\NewRelic\\newrelic-infra\\newrelic-integrations\\nr-winpkg.exe",
  "hash": {
  "md5": "65f9131df4b7c909ae41add0fcd172fa",
  "sha1": "a1d7ac9e15c26535a7dec40bba21cda4de078504",

packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-process.yml

@@ -274,6 +274,10 @@ processors:
  field: json.tgt.process.publisher
  target_field: sentinel_one_cloud_funnel.event.tgt.process.publisher
  ignore_missing: true
+ - set:
+ field: process.code_signature.subject_name
+ copy_from: sentinel_one_cloud_funnel.event.tgt.process.publisher
+ ignore_empty_value: true
  - rename:
  field: json.tgt.process.reasonSignatureInvalid
  target_field: sentinel_one_cloud_funnel.event.tgt.process.reason_signature_invalid
@@ -293,6 +297,14 @@ processors:
  field: json.tgt.process.signedStatus
  target_field: sentinel_one_cloud_funnel.event.tgt.process.signed_status
  ignore_missing: true
+ - set:
+ field: process.code_signature.exists
+ value: true
+ if: ctx.sentinel_one_cloud_funnel?.event?.tgt?.process?.signed_status == 'signed'
+ - set:
+ field: process.code_signature.exists
+ value: false
+ if: ctx.sentinel_one_cloud_funnel?.event?.tgt?.process?.signed_status != 'signed'
  - date:
  field: json.tgt.process.startTime
  tag: 'date_json_tgt_process_startTime'
@@ -321,6 +333,14 @@ processors:
  field: json.tgt.process.verifiedStatus
  target_field: sentinel_one_cloud_funnel.event.tgt.process.verified_status
  ignore_missing: true
+ - set:
+ field: process.code_signature.trusted
+ value: true
+ if: ctx.sentinel_one_cloud_funnel?.event?.tgt?.process?.verified_status == 'verified'
+ - set:
+ field: process.code_signature.trusted
+ value: false
+ if: ctx.process?.code_signature?.exists == true && ctx.sentinel_one_cloud_funnel?.event?.tgt?.process?.verified_status != 'verified'
  - remove:
  field:
  - process.parent
@@ -336,6 +356,10 @@ processors:
  field: process.name
  copy_from: sentinel_one_cloud_funnel.event.tgt.process.name
  ignore_empty_value: true
+ - set:
+ field: process.executable
+ copy_from: sentinel_one_cloud_funnel.event.tgt.process.image.path
+ ignore_empty_value: true
  - convert:
  field: sentinel_one_cloud_funnel.event.tgt.process.pid
  target_field: process.pid

packages/sentinel_one_cloud_funnel/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: sentinel_one_cloud_funnel
 title: SentinelOne Cloud Funnel
-version: "0.12.0"
+version: "0.13.0"
 description: Collect logs from SentinelOne Cloud Funnel with Elastic Agent.
 type: integration
 categories: ["security", "edr_xdr"]