elastic · rw-access · Apr 20, 2021 · Apr 20, 2021 · Apr 20, 2021 · Apr 20, 2021
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.test.ts
@@ -38,6 +38,7 @@ describe('TelemetryEventsSender', () => {
             id: 'X',
             name: 'Y',
             ruleset: 'Z',
+            version: '100',
           },
           file: {
             size: 3,
@@ -97,6 +98,7 @@ describe('TelemetryEventsSender', () => {
             id: 'X',
             name: 'Y',
             ruleset: 'Z',
+            version: '100',
           },
           file: {
             size: 3,
@@ -253,6 +255,57 @@ describe('allowlistEventFields', () => {
     });
   });
 
+  it('filters arrays of objects', () => {
+    const event = {
+      a: [
+        {
+          a1: 'a1',
+        },
+      ],
+      b: {
+        b1: 'b1',
+      },
+      c: [
+        {
+          d: 'd1',
+          e: 'e1',
+          f: 'f1',
+        },
+        {
+          d: 'd2',
+          e: 'e2',
+          f: 'f2',
+        },
+        {
+          d: 'd3',
+          e: 'e3',
+          f: 'f3',
+        },
+      ],
+    };
+    expect(copyAllowlistedFields(allowlist, event)).toStrictEqual({
+      a: [
+        {
+          a1: 'a1',
+        },
+      ],
+      b: {
+        b1: 'b1',
+      },
+      c: [
+        {
+          d: 'd1',
+        },
+        {
+          d: 'd2',
+        },
+        {
+          d: 'd3',
+        },
+      ],
+    });
+  });
+
   it("doesn't create empty objects", () => {
     const event = {
       a: 'a',

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
@@ -21,16 +21,8 @@ import {
 } from '../../../../task_manager/server';
 import { TelemetryDiagTask } from './task';
 
-export type SearchTypes =
-  | string
-  | string[]
-  | number
-  | number[]
-  | boolean
-  | boolean[]
-  | object
-  | object[]
-  | undefined;
+type BaseSearchTypes = string | number | boolean | object;
+export type SearchTypes = BaseSearchTypes | BaseSearchTypes[] | undefined;
 
 export interface TelemetryEvent {
   [key: string]: SearchTypes;
@@ -294,8 +286,8 @@ interface AllowlistFields {
 }
 
 // Allow list process fields within events.  This includes "process" and "Target.process".'
-/* eslint-disable @typescript-eslint/naming-convention */
 const allowlistProcessFields: AllowlistFields = {
+  args: true,
   name: true,
   executable: true,
   command_line: true,
@@ -306,28 +298,59 @@ const allowlistProcessFields: AllowlistFields = {
     architecture: true,
     code_signature: true,
     dll: true,
+    malware_signature: true,
     token: {
       integrity_level_name: true,
     },
   },
-  parent: {
+  thread: true,
+};
+
+// Allow list for event-related fields, which can also be nested under events[]
+const allowlistBaseEventFields: AllowlistFields = {
+  dll: {
     name: true,
-    executable: true,
-    command_line: true,
+    path: true,
+    code_signature: true,
+    malware_signature: true,
+  },
+  event: true,
+  file: {
+    name: true,
+    path: true,
+    size: true,
+    created: true,
+    accessed: true,
+    mtime: true,
+    directory: true,
     hash: true,
     Ext: {
-      architecture: true,
       code_signature: true,
-      dll: true,
-      token: {
-        integrity_level_name: true,
-      },
+      malware_classification: true,
+      malware_signature: true,
+      quarantine_result: true,
+      quarantine_message: true,
+    },
+  },
+  process: {
+    parent: allowlistProcessFields,
+    ...allowlistProcessFields,
+  },
+  network: {
+    direction: true,
+  },
+  registry: {
+    hive: true,
+    key: true,
+    path: true,
+    value: true,
+  },
+  Target: {
+    process: {
+      parent: allowlistProcessFields,
+      ...allowlistProcessFields,
     },
-    uptime: true,
-    pid: true,
-    ppid: true,
   },
-  thread: true,
 };
 
 // Allow list for the data we include in the events. True means that it is deep-cloned
@@ -337,41 +360,24 @@ const allowlistEventFields: AllowlistFields = {
   '@timestamp': true,
   agent: true,
   Endpoint: true,
+  /* eslint-disable @typescript-eslint/naming-convention */
   Memory_protection: true,
   Ransomware: true,
   data_stream: true,
   ecs: true,
   elastic: true,
-  event: true,
+  // behavioral protection re-nests some field sets under events.*
+  events: allowlistBaseEventFields,
   rule: {
     id: true,
     name: true,
     ruleset: true,
-  },
-  file: {
-    name: true,
-    path: true,
-    size: true,
-    created: true,
-    accessed: true,
-    mtime: true,
-    directory: true,
-    hash: true,
-    Ext: {
-      code_signature: true,
-      malware_classification: true,
-      malware_signature: true,
-      quarantine_result: true,
-      quarantine_message: true,
-    },
+    version: true,
   },
   host: {
     os: true,
   },
-  process: allowlistProcessFields,
-  Target: {
-    process: allowlistProcessFields,
-  },
+  ...allowlistBaseEventFields,
 };
 
 export function copyAllowlistedFields(
@@ -383,6 +389,12 @@ export function copyAllowlistedFields(
     if (eventValue !== null && eventValue !== undefined) {
       if (allowValue === true) {
         return { ...newEvent, [allowKey]: eventValue };
+      } else if (typeof allowValue === 'object' && Array.isArray(eventValue)) {
+        const subValues = eventValue.filter((v) => typeof v === 'object');
+        return {
+          ...newEvent,
+          [allowKey]: subValues.map((v) => copyAllowlistedFields(allowValue, v as TelemetryEvent)),
+        };
       } else if (typeof allowValue === 'object' && typeof eventValue === 'object') {
         const values = copyAllowlistedFields(allowValue, eventValue as TelemetryEvent);
         return {