
[elastic_security] Align Process Fields with ECS Schema #14637

@mohitjha-elastic


Description:
We need to address inconsistencies between our process.* fields and the Elastic Common Schema (ECS):

Several process-related fields are not currently importing ECS definitions. These should use external: ecs to ensure alignment with the ECS schema and avoid manually duplicating field definitions.

Fields such as process.*.supplemental_groups.id are being ingested as numeric values, but ECS expects them as keyword (string). Additionally, supplemental_groups is an array of objects, which differs from ECS expectations and requires an explicit nested or group mapping.

Issue discussion here - #14305 (comment)

Proposed Fix:
Apply external: ecs to relevant process fields.

Convert all *.supplemental_groups.id fields to keyword in ingest pipeline.

Ensure supplemental_groups, previous, and similar fields are explicitly defined as nested or group in the field mapping.
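As an added illustration of the proposed fix (not code from this issue, the elastic_security integration, or ECS), the two fragments below sketch what the field definition and the ingest-pipeline conversion could look like. The file layout, the use of `process.previous` as a second array field, and the nested `foreach` are assumptions made for the example; the real change would be checked against the integration's existing fields.yml and default.yml.

```yaml
# --- fields.yml fragment (assumed layout, added example) ---
# Pull the scalar definitions (id/name -> keyword) from ECS with external: ecs
# instead of restating them, and declare the array-of-objects shape explicitly
# so that supplemental_groups is not mapped as a flat object.
- name: process.supplemental_groups
  type: nested
  fields:
    - name: id
      external: ecs
    - name: name
      external: ecs
# process.previous is also an array of objects; the sub-field types here are
# spelled out as an assumption rather than resolved from ECS.
- name: process.previous
  type: nested
  fields:
    - name: executable
      type: keyword
    - name: supplemental_groups
      type: nested
      fields:
        - name: id
          type: keyword
        - name: name
          type: keyword

---
# --- default.yml fragment (ingest pipeline, added example) ---
# The source emits numeric ids inside arrays, so a plain convert on
# "process.supplemental_groups.id" is not enough: iterate the array and
# convert each element's id. ignore_missing keeps events without the field
# (or without an id) from failing the pipeline.
processors:
  - foreach:
      field: process.supplemental_groups
      ignore_missing: true
      processor:
        convert:
          field: _ingest._value.id
          type: string
          ignore_missing: true
  # Nested arrays (process.previous[].supplemental_groups[].id) need a
  # foreach inside a foreach; the inner _ingest._value is the inner element.
  - foreach:
      field: process.previous
      ignore_missing: true
      processor:
        foreach:
          field: _ingest._value.supplemental_groups
          ignore_missing: true
          processor:
            convert:
              field: _ingest._value.id
              type: string
              ignore_missing: true
```

Before merging, run a constructed event with numeric ids (for example `{"process": {"supplemental_groups": [{"id": 1000}]}}`) through the `_ingest/pipeline/_simulate` API and confirm the ids come back as strings, and run the package's pipeline tests so that a document with `supplemental_groups` absent, empty, or missing `id` still indexes without errors.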

Metadata

Labels

Integration:elastic_security (Elastic Security)
Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations])
Team:Sit-Crest (Crest developers on the Security Integrations team [elastic/sit-crest-contractors])
enhancement (New feature or request)
