Add elastic-endpoint filter for DGA, LMD, LotL (#16209)

* Add elastic endpoint filters

* add pr link

Author: jmcarlock

packages/dga/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.3.4"
+  changes:
+    - description: Add filtering for Elastic endpoint agents
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/16209
 - version: "2.3.3"
   changes:
     - description: Remove instructions to change the `default_pipeline` for an index

packages/dga/kibana/ml_module/dga-ml.json

@@ -85,6 +85,8 @@
                                         "process.name": [
                                             "elastic-agent.exe",
                                             "elastic-agent",
+                                            "elastic-endpoint.exe",
+                                            "elastic-endpoint",
                                             "metricbeat.exe",
                                             "metricbeat",
                                             "filebeat.exe",

packages/dga/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.4
 name: dga
 title: "Domain Generation Algorithm Detection"
-version: 2.3.3
+version: 2.3.4
 source:
   license: "Elastic-2.0"
 description: "ML solution package to detect domain generation algorithm (DGA) activity in your network data."

packages/lmd/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.5.4"
+  changes:
+    - description: Add filtering for Elastic endpoint agents
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/16209
 - version: "2.5.3"
   changes:
     - description: Update documentation on configuring data view for dashboards

packages/lmd/elasticsearch/transform/pivot_transform/transform.yml

@@ -7,7 +7,7 @@ source:
             'user.name':
               value: system
         - terms:
-              'process.name': [ "elastic-agent.exe","elastic-agent","metricbeat.exe","metricbeat","filebeat.exe","filebeat","packetbeat.exe","packetbeat","winlogbeat.exe","winlogbeat" ]
+            'process.name': [ "elastic-agent.exe","elastic-agent","elastic-endpoint.exe","elastic-endpoint","metricbeat.exe","metricbeat","filebeat.exe","filebeat","packetbeat.exe","packetbeat","winlogbeat.exe","winlogbeat" ]
       filter:
         - exists:
             field: process.Ext.session_info.client_address
@@ -75,5 +75,5 @@ sync:
     delay: 60s
     field: '@timestamp'
 _meta:
-  fleet_transform_version: 2.4.1
+  fleet_transform_version: 2.4.2
   run_as_kibana_system: false

packages/lmd/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: lmd
 title: "Lateral Movement Detection"
-version: 2.5.3
+version: 2.5.4
 source:
   license: "Elastic-2.0"
 description: "ML package to detect lateral movement based on file transfer activity and Windows RDP events."

packages/problemchild/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.4.4"
+  changes:
+    - description: Add filtering for Elastic endpoint agents
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/16209
 - version: "2.4.3"
   changes:
     - description: Update installation instructions

packages/problemchild/kibana/ml_module/problemchild-ml.json

@@ -297,6 +297,8 @@
                                         "process.name": [
                                             "elastic-agent.exe",
                                             "elastic-agent",
+                                            "elastic-endpoint.exe",
+                                            "elastic-endpoint",
                                             "metricbeat.exe",
                                             "metricbeat",
                                             "filebeat.exe",
@@ -342,6 +344,8 @@
                                         "process.name": [
                                             "elastic-agent.exe",
                                             "elastic-agent",
+                                            "elastic-endpoint.exe",
+                                            "elastic-endpoint",
                                             "metricbeat.exe",
                                             "metricbeat",
                                             "filebeat.exe",
@@ -387,6 +391,8 @@
                                         "process.name": [
                                             "elastic-agent.exe",
                                             "elastic-agent",
+                                            "elastic-endpoint.exe",
+                                            "elastic-endpoint",
                                             "metricbeat.exe",
                                             "metricbeat",
                                             "filebeat.exe",
@@ -432,6 +438,8 @@
                                         "process.name": [
                                             "elastic-agent.exe",
                                             "elastic-agent",
+                                            "elastic-endpoint.exe",
+                                            "elastic-endpoint",
                                             "metricbeat.exe",
                                             "metricbeat",
                                             "filebeat.exe",
@@ -477,6 +485,8 @@
                                         "process.name": [
                                             "elastic-agent.exe",
                                             "elastic-agent",
+                                            "elastic-endpoint.exe",
+                                            "elastic-endpoint",
                                             "metricbeat.exe",
                                             "metricbeat",
                                             "filebeat.exe",
@@ -522,6 +532,8 @@
                                         "process.name": [
                                             "elastic-agent.exe",
                                             "elastic-agent",
+                                            "elastic-endpoint.exe",
+                                            "elastic-endpoint",
                                             "metricbeat.exe",
                                             "metricbeat",
                                             "filebeat.exe",

packages/problemchild/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: problemchild
 title: "Living off the Land Attack Detection"
-version: 2.4.3
+version: 2.4.4
 source:
   license: "Elastic-2.0"
 description: "ML solution package to detect Living off the Land (LotL) attacks in your environment. Requires a Platinum subscription."