m365_defender: fix construction of file.path fields in the incident data stream (#15728)

The ECS definition states that the file.path field should include the
file's basename as well as the directory.

Author: efd6

packages/m365_defender/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "5.1.1"
+  changes:
+    - description: Fix construction of `file.path` fields in the incident data stream to conform to ECS.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15728
 - version: "5.1.0"
   changes:
     - description: Add support for OAuth2 Endpoint Params option.

packages/m365_defender/data_stream/incident/_dev/test/pipeline/test-incident.log-expected.json

@@ -38,7 +38,7 @@
                     "MsSense.exe"
                 ],
                 "path": [
-                    "C:\\Program Files\\temp"
+                    "C:\\Program Files\\temp\\MsSense.exe"
                 ],
                 "size": [
                     6136392
@@ -364,7 +364,7 @@
                     "MsSense.exe"
                 ],
                 "path": [
-                    "C:\\Program Files\\temp"
+                    "C:\\Program Files\\temp\\MsSense.exe"
                 ],
                 "size": [
                     6136392
@@ -849,7 +849,7 @@
                     "K3V15.1安装盘访问密码i5fy.zip"
                 ],
                 "path": [
-                    "E:"
+                    "E:\\K3V15.1安装盘访问密码i5fy.zip"
                 ],
                 "size": [
                     36864
@@ -1040,7 +1040,7 @@
                     "K3V15.1安装盘访问密码i5fy.zip"
                 ],
                 "path": [
-                    "E:"
+                    "E:\\K3V15.1安装盘访问密码i5fy.zip"
                 ],
                 "size": [
                     36864
@@ -1345,7 +1345,7 @@
                     "PDFpower.exe"
                 ],
                 "path": [
-                    "C:\\Users\\user6\\Downloads"
+                    "C:\\Users\\user6\\Downloads\\PDFpower.exe"
                 ],
                 "size": [
                     1086184
@@ -1546,7 +1546,7 @@
                     "PDFpower.exe"
                 ],
                 "path": [
-                    "C:\\Users\\user6\\Downloads"
+                    "C:\\Users\\user6\\Downloads\\PDFpower.exe"
                 ],
                 "size": [
                     1086184

packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml

@@ -1412,9 +1412,14 @@ processors:
       processor:
         append:
           field: file.path
-          value: '{{{_ingest._value.file_details.path}}}'
+          value: '{{{_ingest._value.file_details.path}}}\{{{_ingest._value.file_details.name}}}'
           allow_duplicates: false
           ignore_failure: true
+  - script:
+      tag: script_remove_backslash
+      if: ctx.file?.path instanceof List
+      source: |-
+        ctx.file.path.removeIf(v -> v == '\\');
   - foreach:
       field: json.alerts.evidence
       if: ctx.json?.alerts?.evidence instanceof List

packages/m365_defender/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.4.0"
 name: m365_defender
 title: Microsoft Defender XDR
-version: "5.1.0"
+version: "5.1.1"
 description: Collect logs from Microsoft Defender XDR with Elastic Agent.
 categories:
   - "security"