
[m365_defender] Unique entity_id values #18891

Open
chrisberkhout wants to merge 5 commits into elastic:main from chrisberkhout:m365_defender-entity_id

Conversation

@chrisberkhout
Contributor

@chrisberkhout chrisberkhout commented May 8, 2026

Proposed commit message

[m365_defender] Unique `entity_id` values

Set values in `entity_id` that uniquely identify a process, rather than
using the OS PID value, which may not be unique. Since PIDs can repeat
across hosts and be reused on a single host, additional fields are
necessary to identify the process.

This change should prevent irrelevant documents being shown in the Event
Analyzer due to ID clashes.

ECS defines `process.entity_id` as:

> Unique identifier for the process.
>
> The implementation of this is specified by the data source, but some
> examples of what could be used here are a process-generated UUID,
> Sysmon Process GUIDs, or a hash of some uniquely identifying
> components of a process.
>
> Constructing a globally unique identifier is a common practice to
> mitigate PID reuse as well as to identify a specific process over
> time, across multiple monitored hosts.

Although that definition says it should identify a process globally, in
practice, other EDR integrations such as `crowdstrike` and
`sentinel_one_cloud_funnel` use globally unique IDs assigned by an
agent, not a value based on the OS PID. That means the ID for a process
won't clash with another, but may also not match the ID used for the
same process in data from a different source.

The [Resolver Schemas](1) document in Kibana refers to `entity_id` but
provides no further guidance on this point.

[1]: https://github.com/elastic/kibana/blob/fb26c1c/x-pack/solutions/security/plugins/security_solution/public/resolver/documentation/schema.md

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots
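The commit message above argues that a bare OS PID cannot serve as `process.entity_id` because PIDs repeat across hosts and are reused on one host, and the ECS definition it quotes suggests hashing "uniquely identifying components of a process" instead. The following is an added illustration of that idea, not code from this pull request or from the elastic/integrations repository: it derives an ID by hashing a host identifier, the PID and the process start time. The field names (`host.id`, `process.pid`, `process.start`), the colon-joined layout, the sample events and the choice of SHA-256 are all assumptions made for the example; the PR itself does not state which fields it combines.

```python
"""Derive collision-resistant process.entity_id values from more than the PID.

Added example, not the pull request's code. Field names, join layout,
hash choice and sample events are assumptions for illustration only.
"""
import hashlib
from typing import Optional


def process_entity_id(host_id: Optional[str], pid: Optional[int],
                      start_time: Optional[str]) -> Optional[str]:
    """Return a hex SHA-256 over (host id, pid, start time), or None.

    Returning None when any component is missing is deliberate: silently
    falling back to the bare PID would reintroduce exactly the ID clashes
    the composite value is meant to prevent. The "host:pid:start" layout
    is an assumption; any fixed, unambiguous serialization would do.
    """
    if host_id is None or pid is None or start_time is None:
        return None
    material = f"{host_id}:{pid}:{start_time}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def assign_entity_ids(events: list[dict]) -> list[dict]:
    """Return copies of the events with process.entity_id filled in where derivable."""
    out = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's documents
        ev["process.entity_id"] = process_entity_id(
            ev.get("host.id"), ev.get("process.pid"), ev.get("process.start"))
        out.append(ev)
    return out


def distinct_count(events: list[dict], key: str) -> int:
    """Number of distinct non-None values of `key` across the events.

    Comparing this for process.pid versus process.entity_id shows how many
    genuinely different processes a PID-keyed view would collapse together.
    """
    return len({ev.get(key) for ev in events if ev.get(key) is not None})


# Constructed sample events (not real Defender XDR data). Every event carries
# PID 4242, but they describe three different processes plus one event whose
# start time is unknown.
SAMPLE_EVENTS = [
    {"host.id": "host-a", "process.pid": 4242,
     "process.start": "2026-05-08T07:00:00Z", "process.name": "svchost.exe"},
    # same PID on a different host
    {"host.id": "host-b", "process.pid": 4242,
     "process.start": "2026-05-08T07:00:00Z", "process.name": "explorer.exe"},
    # same host, PID reused later by an unrelated process
    {"host.id": "host-a", "process.pid": 4242,
     "process.start": "2026-05-08T09:30:00Z", "process.name": "cmd.exe"},
    # a later event from the first process: must map to the same ID
    {"host.id": "host-a", "process.pid": 4242,
     "process.start": "2026-05-08T07:00:00Z", "process.name": "svchost.exe"},
    # start time missing: no ID rather than a PID-only fallback
    {"host.id": "host-c", "process.pid": 4242, "process.name": "unknown.exe"},
]


if __name__ == "__main__":
    enriched = assign_entity_ids(SAMPLE_EVENTS)
    print("distinct by process.pid:      ", distinct_count(SAMPLE_EVENTS, "process.pid"))
    print("distinct by process.entity_id:", distinct_count(enriched, "process.entity_id"))
    for ev in enriched:
        print(ev["process.name"], ev["process.entity_id"])
```

Run stand-alone, the PID-keyed view reports a single process where the composite ID distinguishes three, and the event with no start time is left without an ID so it cannot be mistakenly joined to any of them in a tree view such as the Event Analyzer.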

@chrisberkhout chrisberkhout self-assigned this May 8, 2026
@chrisberkhout chrisberkhout added the Integration:m365_defender Microsoft Defender XDR label May 8, 2026
@chrisberkhout chrisberkhout requested a review from a team as a code owner May 8, 2026 07:49
@chrisberkhout chrisberkhout added bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels May 8, 2026
@infra-vault-gh-plugin-prod

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod Bot commented May 8, 2026

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

History

cc @chrisberkhout
