eset_protect: add support for fields that were missed

Sample event provided by user.

Field docs obtained from https://help.eset.com/protect_cloud/en-US/events-exported-to-json-format.html.

packages/eset_protect/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.6.1"
+  changes:
+    - description: Add missing field support.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/12934
 - version: "1.6.0"
   changes:
     - description: Update Kibana constraint to support 9.0.0.

packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log

@@ -22,3 +22,4 @@
 {"event_type":"FirewallAggregated_Event","ipv4":"1.128.0.5","hostname":"machine4","source_uuid":"c539dbdf-2063-477b-81d7-8081a6f7a080","occured":"12-Mar-2024 11:00:26","severity":"Fatal","event":"Web threat","source_address":"192.168.30.32","source_address_type":"IPv4","source_port":37966,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":49677,"protocol":"TCP","account":"NT AUTHORITY\\SYSTEM","process_name":"C:\\Windows\\System32\\lsass.exe","inbound":true,"threat_name":"RPC/Exploit.CVE-2020-1472","aggregate_count":1}
 {"event_type":"Threat_Event","ipv4":"192.168.30.31","hostname":"machine5","source_uuid":"f193d96b-cbd8-4402-94fc-6993efc30b11","occured":"11-Mar-2024 05:56:58","severity":"Warning","threat_type":"Trojan","threat_name":"LNK/Agent.BZ","scanner_id":"Real-time file system protection","scan_id":"virlog.dat","engine_version":"28873 (20240310)","object_type":"File","object_uri":"file:///E:/Removable Drive (1GB).lnk","action_taken":"Cleaned by deleting","threat_handled":true,"need_restart":false,"username":"machine5\\Administrator","processname":"C:\\Windows\\explorer.exe","circumstances":"Event occurred during an attempt to access the file.","firstseen":"28-Jul-2021 07:20:55","hash":"1A45EBA0F9EF909E6F3C87B0D5CEDAD27BDB6CF2"}
 {"event_type":"Threat_Event","ipv4":"192.168.112.128","ipv6":"","hostname":"kate-ebademo","source_uuid":"16b429cb-c064-4a31-98ba-62fff54f0c96","os_name":"Microsoft Windows 11 Pro","occured":"27-Mar-2024 09:54:20","group_name":"All","group_description":"","severity":"Warning","threat_type":"Trojan","threat_name":"VBS\/TrojanDownloader.Agent.YUI","threat_flags":"","scanner_id":"Script scanner","scan_id":"virlog.dat","engine_version":"28962 (20240327)","object_type":"File","object_uri":"script","action_taken":"Blocked","action_error":"","threat_handled":"true","need_restart":"false","username":"KATE-EBADEMO\\Kate","processname":"PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.22621.1","circumstances":"","firstseen":"","hash":"22B9B35A804A7A3739CBD007E00959075AECF0FC"}
+{"event_type":"ESET Inspect Alert","ipv4":"10.0.0.47","ipv6":"","hostname":"wsu-pf3r12l5","source_uuid":"08764ed7-7480-482a-8eaa-da8e2084fe22","os_name":"Microsoft Windows 11 Business","occured":"25-Feb-2025 13:57:46","group_name":"All","group_description":"","severity":"Information","processname":"%SYSTEM%\\taskkill.exe","username":"nt authority\\local service","rulename":"Processes killing from command line [B0401]","count":"1","eiconsolelink":"https://inspect.eset.com:443/console/detection/993374","resolved":"","hash":"912DC85EAFCE7FC20247715ADC5ACB4C43555BC8","computer_severity_score":"20","severity_score":"34","trigger_event":"%SYSTEM%\\cmd.exe","command_line":"/PID 21288 /F","detection_uuid":"3f3f5a5a-87de-49f2-adaf-e2158d8666a7"}

packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json

@@ -2272,6 +2272,88 @@
                 "domain": "KATE-EBADEMO",
                 "name": "Kate"
             }
+        },
+        {
+            "@timestamp": "2025-02-25T13:57:46.000Z",
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "eset_protect": {
+                "event": {
+                    "command_line": "/PID 21288 /F",
+                    "computer_severity_score": 20,
+                    "count": 1,
+                    "detection_uuid": "3f3f5a5a-87de-49f2-adaf-e2158d8666a7",
+                    "eiconsolelink": "https://inspect.eset.com:443/console/detection/993374",
+                    "group_name": "All",
+                    "hash": "912DC85EAFCE7FC20247715ADC5ACB4C43555BC8",
+                    "hostname": "wsu-pf3r12l5",
+                    "ipv4": "10.0.0.47",
+                    "is_handled": false,
+                    "occured": "2025-02-25T13:57:46.000Z",
+                    "os_name": "Microsoft Windows 11 Business",
+                    "processname": "%SYSTEM%\\taskkill.exe",
+                    "rulename": "Processes killing from command line [B0401]",
+                    "severity": "Information",
+                    "severity_score": 34,
+                    "source_uuid": "08764ed7-7480-482a-8eaa-da8e2084fe22",
+                    "trigger_event": "%SYSTEM%\\cmd.exe",
+                    "type": "ESET Inspect Alert",
+                    "username": "nt authority\\local service"
+                }
+            },
+            "event": {
+                "kind": "alert",
+                "original": "{\"event_type\":\"ESET Inspect Alert\",\"ipv4\":\"10.0.0.47\",\"ipv6\":\"\",\"hostname\":\"wsu-pf3r12l5\",\"source_uuid\":\"08764ed7-7480-482a-8eaa-da8e2084fe22\",\"os_name\":\"Microsoft Windows 11 Business\",\"occured\":\"25-Feb-2025 13:57:46\",\"group_name\":\"All\",\"group_description\":\"\",\"severity\":\"Information\",\"processname\":\"%SYSTEM%\\\\taskkill.exe\",\"username\":\"nt authority\\\\local service\",\"rulename\":\"Processes killing from command line [B0401]\",\"count\":\"1\",\"eiconsolelink\":\"https://inspect.eset.com:443/console/detection/993374\",\"resolved\":\"\",\"hash\":\"912DC85EAFCE7FC20247715ADC5ACB4C43555BC8\",\"computer_severity_score\":\"20\",\"severity_score\":\"34\",\"trigger_event\":\"%SYSTEM%\\\\cmd.exe\",\"command_line\":\"/PID 21288 /F\",\"detection_uuid\":\"3f3f5a5a-87de-49f2-adaf-e2158d8666a7\"}",
+                "reference": "https://inspect.eset.com:443/console/detection/993374",
+                "severity": 34,
+                "type": [
+                    "info"
+                ]
+            },
+            "group": {
+                "name": "All"
+            },
+            "host": {
+                "hostname": "wsu-pf3r12l5",
+                "id": "08764ed7-7480-482a-8eaa-da8e2084fe22",
+                "ip": [
+                    "10.0.0.47"
+                ],
+                "name": "wsu-pf3r12l5",
+                "os": {
+                    "name": "Microsoft Windows 11 Business"
+                }
+            },
+            "process": {
+                "executable": "%SYSTEM%\\taskkill.exe",
+                "name": "taskkill.exe"
+            },
+            "related": {
+                "hash": [
+                    "912dc85eafce7fc20247715adc5acb4c43555bc8"
+                ],
+                "hosts": [
+                    "wsu-pf3r12l5",
+                    "08764ed7-7480-482a-8eaa-da8e2084fe22"
+                ],
+                "ip": [
+                    "10.0.0.47"
+                ],
+                "user": [
+                    "nt authority\\local service"
+                ]
+            },
+            "rule": {
+                "name": "Processes killing from command line [B0401]"
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ],
+            "user": {
+                "name": "nt authority\\local service"
+            }
         }
     ]
-}
+}

packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml

@@ -385,6 +385,16 @@ processors:
       tag: rename_event
       target_field: eset_protect.event.name
       ignore_missing: true
+  - rename:
+      field: json.trigger_event
+      tag: rename_trigger_event
+      target_field: eset_protect.event.trigger_event
+      ignore_missing: true
+  - rename:
+      field: json.detection_uuid
+      tag: rename_detection_uuid
+      target_field: eset_protect.event.detection_uuid
+      ignore_missing: true
   - set:
       field: message
       tag: set_message_from_event_name
@@ -527,6 +537,11 @@ processors:
       tag: set_process_executable_from_event_processname
       copy_from: eset_protect.event.processname
       ignore_empty_value: true
+  - rename:
+      field: json.command_line
+      tag: rename_command_line
+      target_field: eset_protect.event.command_line
+      ignore_missing: true
   - grok:
       field: eset_protect.event.processname
       tag: grok_processname

packages/eset_protect/data_stream/event/fields/fields.yml

@@ -30,6 +30,9 @@
         - name: computer_severity_score
           type: long
           description: Computer severity score associated with the event.
+        - name: command_line
+          type: keyword
+          description: Command line of process which triggered detection.
         - name: count
           type: long
           description: Number of alerts of this type generated since last alarm.
@@ -39,6 +42,9 @@
         - name: detail
           type: keyword
           description: Detailed description of the action.
+        - name: detection_uuid
+          type: keyword
+          description: A detection's unique identifier can be used to query details via ESET CONNECT API.
         - name: domain
           type: keyword
           description: Audit log domain.
@@ -165,6 +171,9 @@
         - name: threat_type
           type: keyword
           description: Type of detection.
+        - name: trigger_event
+          type: keyword
+          description: Description of event which triggered detection.
         - name: type
           type: keyword
           description: Type of exported events.

packages/eset_protect/docs/README.md

@@ -570,10 +570,12 @@ An example event for `event` looks as following:
 | eset_protect.event.application | Application name associated with the event. | keyword |
 | eset_protect.event.cause |  | keyword |
 | eset_protect.event.circumstances | Short description of what caused the event. | keyword |
+| eset_protect.event.command_line | Command line of process which triggered detection. | keyword |
 | eset_protect.event.computer_severity_score | Computer severity score associated with the event. | long |
 | eset_protect.event.count | Number of alerts of this type generated since last alarm. | long |
 | eset_protect.event.description | Description of the blocked file. | keyword |
 | eset_protect.event.detail | Detailed description of the action. | keyword |
+| eset_protect.event.detection_uuid | A detection's unique identifier can be used to query details via ESET CONNECT API. | keyword |
 | eset_protect.event.domain | Audit log domain. | keyword |
 | eset_protect.event.eialarmid | ID sub-part of the alarm link ($1 in ^http.\*/alarm/([0-9]+)$). | keyword |
 | eset_protect.event.eiconsolelink | Link to the alarm in ESET Inspect console. | keyword |
@@ -616,6 +618,7 @@ An example event for `event` looks as following:
 | eset_protect.event.threat_handled | Indicates whether or not the detection was handled. | boolean |
 | eset_protect.event.threat_name | Name of the detection. | keyword |
 | eset_protect.event.threat_type | Type of detection. | keyword |
+| eset_protect.event.trigger_event | Description of event which triggered detection. | keyword |
 | eset_protect.event.type | Type of exported events. | keyword |
 | eset_protect.event.username | Name of the user account associated with the event. | keyword |
 | event.dataset | Event dataset. | constant_keyword |

packages/eset_protect/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: eset_protect
 title: ESET PROTECT
-version: "1.6.0"
+version: "1.6.1"
 description: Collect logs from ESET PROTECT with Elastic Agent.
 type: integration
 categories: