Added in 'Responses' field in alert telemetry & updated test (#111892)

elastic · Sep 10, 2021 · 7ee4a08 · 7ee4a08
1 parent 13560c0
commit 7ee4a08
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts b/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
@@ -111,6 +111,8 @@ export const allowlistEventFields: AllowlistFields = {
   events: allowlistBaseEventFields,
   // behavioral protection re-nests some field sets under Events.* (>=7.15)
   Events: allowlistBaseEventFields,
+  // behavioral protection response data under Response.* (>=7.15)
+  Responses: true,
   rule: {
     id: true,
     name: true,

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
@@ -80,6 +80,7 @@ describe('TelemetryEventsSender', () => {
             executable: null, // null fields are never allowlisted
             working_directory: '/some/usr/dir',
           },
+          Responses: '{ "result": 0 }', // >= 7.15
           Target: {
             process: {
               name: 'bar.exe',
@@ -89,6 +90,9 @@ describe('TelemetryEventsSender', () => {
               },
             },
           },
+          threat: {
+            ignored_object: true, // this field is not allowlisted
+          },
         },
       ];
 
@@ -136,6 +140,7 @@ describe('TelemetryEventsSender', () => {
             name: 'foo.exe',
             working_directory: '/some/usr/dir',
           },
+          Responses: '{ "result": 0 }',
           Target: {
             process: {
               name: 'bar.exe',