[Enhancement] Improve S1 Cloud Funnel Process event parity with other…

… EDR data sources (#11019)

Uses a field alias to map the process integrity field to the one used in the
rules based on our Elastic Defend for more straightforward rule conditions.

Adds caseless versions of process.name and process.executable as done
in #10533.

packages/sentinel_one_cloud_funnel/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.4.0"
+  changes:
+    - description: Improve detection rules compatibility for process events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11019
 - version: "1.3.1"
   changes:
     - description: Fix IPv6 cleanup step.

packages/sentinel_one_cloud_funnel/data_stream/event/fields/ecs.yml

@@ -0,0 +1,18 @@
+- external: ecs
+  name: process.executable
+  multi_fields:
+    - name: caseless
+      ignore_above: 1024
+      normalizer: lowercase
+      type: keyword
+    - name: text
+      type: match_only_text
+- external: ecs
+  name: process.name
+  multi_fields:
+    - name: caseless
+      ignore_above: 1024
+      normalizer: lowercase
+      type: keyword
+    - name: text
+      type: match_only_text

packages/sentinel_one_cloud_funnel/data_stream/event/fields/fields.yml

@@ -1515,3 +1515,6 @@
         Text of the executed script block.
 
       example: ".\\a_script.ps1"
+- name: process.Ext.token.integrity_level_name
+  type: alias
+  path: sentinel_one_cloud_funnel.event.tgt.process.integrity_level

packages/sentinel_one_cloud_funnel/docs/README.md

@@ -446,6 +446,13 @@ An example event for `event` looks as following:
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
 | powershell.file.script_block_text | Text of the executed script block. | text |
+| process.Ext.token.integrity_level_name |  | alias |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.caseless | Multi-field of `process.executable`. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.caseless | Multi-field of `process.name`. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
 | sentinel_one_cloud_funnel.event.account_id | SentinelOne Account ID. | keyword |
 | sentinel_one_cloud_funnel.event.agent.uuid | Agent Unique ID. | keyword |
 | sentinel_one_cloud_funnel.event.agent.version | Version of SentinelOne Agent. | keyword |

packages/sentinel_one_cloud_funnel/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: sentinel_one_cloud_funnel
 title: SentinelOne Cloud Funnel
-version: "1.3.1"
+version: "1.4.0"
 description: Collect logs from SentinelOne Cloud Funnel with Elastic Agent.
 type: integration
 categories: ["security", "edr_xdr"]