diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 5e844da245571..c51704a269e1e 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -582,7 +582,7 @@ x-pack/plugins/security_solution/public/common/components/sessions_viewer @elast
/x-pack/plugins/osquery @elastic/security-asset-management
# Cloud Security Posture
-/x-pack/plugins/cloud_security_posture/ @elastic/cloud-security-posture-control-plane
+/x-pack/plugins/cloud_security_posture/ @elastic/kibana-cloud-security-posture
# Design (at the bottom for specificity of SASS files)
**/*.scss @elastic/kibana-design
diff --git a/docs/user/reporting/index.asciidoc b/docs/user/reporting/index.asciidoc
index 8e1589f985372..a10c3a6ec8737 100644
--- a/docs/user/reporting/index.asciidoc
+++ b/docs/user/reporting/index.asciidoc
@@ -28,8 +28,8 @@ You access the options from the *Share* menu in the toolbar. The sharing options
* *Embed code* — Embed a fully interactive dashboard or visualization as an iframe on a web page.
[[reporting-on-cloud-resource-requirements]]
-NOTE: On Elastic Cloud, Kibana requires a minimum of 2GB RAM to generate PDF or PNG reports. To edit Kibana deployments,
-use {ess-console}[Cloud Management].
+NOTE: For Elastic Cloud deployments, Kibana instances require a minimum of 2GB RAM to generate PDF or PNG reports. To
+change Kibana sizing, {ess-console}[edit the deployment].
[float]
[[manually-generate-reports]]
diff --git a/src/plugins/discover/public/application/main/components/document_explorer_callout/document_explorer_update_callout.tsx b/src/plugins/discover/public/application/main/components/document_explorer_callout/document_explorer_update_callout.tsx
index 67d647e9ee685..02972c9cabd26 100644
--- a/src/plugins/discover/public/application/main/components/document_explorer_callout/document_explorer_update_callout.tsx
+++ b/src/plugins/discover/public/application/main/components/document_explorer_callout/document_explorer_update_callout.tsx
@@ -16,6 +16,7 @@ import {
EuiCallOut,
EuiFlexGroup,
EuiFlexItem,
+ EuiLink,
useEuiTheme,
} from '@elastic/eui';
import { css } from '@emotion/react';
@@ -60,40 +61,48 @@ export const DocumentExplorerUpdateCallout = () => {
}
- iconType="search"
+ iconType="tableDensityNormal"
+ heading="h3"
+ size="s"
>
-
-
+
+
+
+
+
),
documentExplorer: (
-
-
-
+
+
+
+
+
),
}}
/>
@@ -106,7 +115,7 @@ function CalloutTitle({ onCloseCallout }: { onCloseCallout: () => void }) {
diff --git a/src/plugins/es_ui_shared/static/forms/components/fields/combobox_field.tsx b/src/plugins/es_ui_shared/static/forms/components/fields/combobox_field.tsx
index 981fd7c0a773b..7f3e476b21251 100644
--- a/src/plugins/es_ui_shared/static/forms/components/fields/combobox_field.tsx
+++ b/src/plugins/es_ui_shared/static/forms/components/fields/combobox_field.tsx
@@ -42,7 +42,8 @@ export const ComboBoxField = ({ field, euiFieldProps = {}, idAria, ...rest }: Pr
const onCreateComboOption = (value: string) => {
// Note: for now, all validations for a comboBox array item have to be synchronous
- // If there is a need to support asynchronous validation, we'll work on it (and will need to update the logic).
+ // If there is a need to support asynchronous validation, we'll need to update this handler and
+ // make the "onCreateOption" handler async).
const { isValid } = field.validate({
value,
validationType: VALIDATION_TYPES.ARRAY_ITEM,
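Review bot: The rewritten comment on the line starting `// make the "onCreateOption"` closes a parenthesis that is never opened, so it reads as a leftover from the old wording. Suggested text: `// If there is a need to support asynchronous validation, we'll need to update this handler` followed by `// and make the "onCreateOption" handler async.`. The body of `onCreateComboOption` continues past the hunk.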
@@ -84,7 +85,7 @@ export const ComboBoxField = ({ field, euiFieldProps = {}, idAria, ...rest }: Pr
placeholder={i18n.translate('esUi.forms.comboBoxField.placeHolderText', {
defaultMessage: 'Type and then hit "ENTER"',
})}
- selectedOptions={(field.value as any[]).map((v) => ({ label: v }))}
+ selectedOptions={(field.value as string[]).map((v) => ({ label: v }))}
onCreateOption={onCreateComboOption}
onChange={onComboChange}
onSearchChange={onSearchComboChange}
diff --git a/src/plugins/es_ui_shared/static/forms/docs/core/form_hook.mdx b/src/plugins/es_ui_shared/static/forms/docs/core/form_hook.mdx
index d66c0d867c275..46fac236123fd 100644
--- a/src/plugins/es_ui_shared/static/forms/docs/core/form_hook.mdx
+++ b/src/plugins/es_ui_shared/static/forms/docs/core/form_hook.mdx
@@ -212,3 +212,22 @@ Sets field errors imperatively.
```js
form.setFieldErrors('name', [{ message: 'There is an error in the field' }]);
```
+
+### updateFieldValues()
+
+**Arguments:** `updatedFormData: Partial, options?: { runDeserializer?: boolean }`
+
+Update multiple field values at once. You don't need to provide all the form fields, **partial** update is supported. This method is mainly useful to update an array of object fields or to avoid multiple `form.setFieldValue()` calls.
+
+```js
+// Update an array of object (e.g "myArray[0].foo", "myArray[0].baz"...)
+form.updateFieldValues({
+ myArray: [
+ { foo: 'bar', baz: true },
+ { foo2: 'bar2', baz: false }
+ ]
+});
+
+// or simply multiple fields at once
+form.updateFieldValues({ foo: 'bar', baz: false })
+```
\ No newline at end of file
diff --git a/src/plugins/es_ui_shared/static/forms/hook_form_lib/components/use_array.test.tsx b/src/plugins/es_ui_shared/static/forms/hook_form_lib/components/use_array.test.tsx
index dc8695190bdaf..8e9bdd35ffb7e 100644
--- a/src/plugins/es_ui_shared/static/forms/hook_form_lib/components/use_array.test.tsx
+++ b/src/plugins/es_ui_shared/static/forms/hook_form_lib/components/use_array.test.tsx
@@ -77,11 +77,7 @@ describe('', () => {
<>
{items.map(({ id, path }) => {
return (
-
+
);
})}
>
@@ -102,7 +98,7 @@ describe('', () => {
} = setup();
await act(async () => {
- setInputValue('nameField__0', 'John');
+ setInputValue('users[0]Name', 'John');
});
const formData = onFormData.mock.calls[onFormData.mock.calls.length - 1][0];
diff --git a/src/plugins/es_ui_shared/static/forms/hook_form_lib/components/use_array.ts b/src/plugins/es_ui_shared/static/forms/hook_form_lib/components/use_array.ts
index 78379aa9fffbf..d6ada976c875c 100644
--- a/src/plugins/es_ui_shared/static/forms/hook_form_lib/components/use_array.ts
+++ b/src/plugins/es_ui_shared/static/forms/hook_form_lib/components/use_array.ts
@@ -6,7 +6,6 @@
* Side Public License, v 1.
*/
-import uuid from 'uuid';
import { useEffect, useRef, useCallback, useMemo } from 'react';
import { FormHook, FieldConfig } from '../types';
@@ -37,6 +36,25 @@ export interface FormArrayField {
form: FormHook;
}
+let uniqueId = 0;
+
+export const createArrayItem = (path: string, index: number, isNew = true): ArrayItem => ({
+ id: uniqueId++,
+ path: `${path}[${index}]`,
+ isNew,
+});
+
+/**
+ * We create an internal field to represent the Array items. This field is not returned
+ * as part as the form data but is used internally to run validation on the array items.
+ * It is this internal field value (ArrayItem[]) that we then map to actual form fields
+ * (in the children func {({ items }) => (...)})
+ *
+ * @param path The array path in the form data
+ * @returns The internal array field path
+ */
+export const getInternalArrayFieldPath = (path: string): string => `${path}__array__`;
+
/**
* Use UseArray to dynamically add fields to your form.
*
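Review bot: `getInternalArrayFieldPath` replaces the per-instance `uuid.v4()` suffix with the fixed `${path}__array__`, so the internal field is now keyed purely by `path`; two `UseArray` components mounted in the same form with the same `path`, or a consumer field declared at exactly that path, would share one entry where they used to be distinct (presumably the `fieldsRefs` map in use_form.ts is keyed by this string — verify). The docstring should state the reservation, e.g. add ` * Note: the "__array__" suffix is reserved for this internal field; do not declare a consumer field at that path.`. Separately, `uniqueId` is now a module-level counter shared by every form on the page rather than a per-component ref, which is fine for a React key / remove id but deserves a one-line comment so nobody reads it as a stable identifier: `// Process-wide counter; ids only need to be unique among sibling items.`.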
@@ -60,41 +78,26 @@ export const UseArray = ({
children,
}: Props) => {
const isMounted = useRef(false);
- const uniqueId = useRef(0);
const form = useFormContext();
const { getFieldDefaultValue } = form;
- const getNewItemAtIndex = useCallback(
- (index: number): ArrayItem => ({
- id: uniqueId.current++,
- path: `${path}[${index}]`,
- isNew: true,
- }),
- [path]
- );
-
const fieldDefaultValue = useMemo(() => {
const defaultValues = readDefaultValueOnForm
? getFieldDefaultValue(path)
: undefined;
if (defaultValues) {
- return defaultValues.map((_, index) => ({
- id: uniqueId.current++,
- path: `${path}[${index}]`,
- isNew: false,
- }));
+ return defaultValues.map((_, index) => createArrayItem(path, index, false));
}
- return new Array(initialNumberOfItems).fill('').map((_, i) => getNewItemAtIndex(i));
- }, [path, initialNumberOfItems, readDefaultValueOnForm, getFieldDefaultValue, getNewItemAtIndex]);
+ return new Array(initialNumberOfItems).fill('').map((_, i) => createArrayItem(path, i));
+ }, [path, initialNumberOfItems, readDefaultValueOnForm, getFieldDefaultValue]);
// Create an internal hook field which behaves like any other form field except that it is not
// outputed in the form data (when calling form.submit() or form.getFormData())
// This allow us to run custom validations (passed to the props) on the Array items
-
- const internalFieldPath = useMemo(() => `${path}__${uuid.v4()}`, [path]);
+ const internalFieldPath = useMemo(() => getInternalArrayFieldPath(path), [path]);
const fieldConfigBase: FieldConfig & InternalFieldConfig = {
defaultValue: fieldDefaultValue,
@@ -132,9 +135,9 @@ export const UseArray = ({
const addItem = useCallback(() => {
setValue((previousItems) => {
const itemIndex = previousItems.length;
- return [...previousItems, getNewItemAtIndex(itemIndex)];
+ return [...previousItems, createArrayItem(path, itemIndex)];
});
- }, [setValue, getNewItemAtIndex]);
+ }, [setValue, path]);
const removeItem = useCallback(
(id: number) => {
diff --git a/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.test.tsx b/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.test.tsx
index afaaaaedef23e..9f57432b5d6a1 100644
--- a/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.test.tsx
+++ b/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.test.tsx
@@ -6,12 +6,13 @@
* Side Public License, v 1.
*/
-import React, { useEffect } from 'react';
+import React, { useEffect, useState } from 'react';
import { act } from 'react-dom/test-utils';
import { registerTestBed, getRandomString, TestBed } from '../shared_imports';
import { emptyField } from '../../helpers/field_validators';
-import { Form, UseField } from '../components';
+import { ComboBoxField } from '../../components';
+import { Form, UseField, UseArray } from '../components';
import {
FormSubmitHandler,
OnUpdateHandler,
@@ -274,7 +275,7 @@ describe('useForm() hook', () => {
onFormData.mockReset();
});
- test('should set the default value of a field ', async () => {
+ test('should set the default value of a field ', () => {
const defaultValue = {
title: getRandomString(),
subTitle: getRandomString(),
@@ -285,6 +286,7 @@ describe('useForm() hook', () => {
const TestComp = ({ onData }: { onData: OnUpdateHandler }) => {
const { form } = useForm({ defaultValue });
+ formHook = form;
const { subscribe } = form;
useEffect(() => subscribe(onData).unsubscribe, [subscribe, onData]);
@@ -316,6 +318,40 @@ describe('useForm() hook', () => {
name: defaultValue.user.name,
},
});
+
+ expect(formHook?.__getFormDefaultValue()).toEqual({
+ ...defaultValue,
+ subTitle: 'hasBeenOverridden',
+ });
+ });
+
+ test('should be updated with the UseField "defaultValue" prop', () => {
+ const TestComp = () => {
+ const { form } = useForm({ defaultValue: { name: 'Mike' } });
+ const [_, setDate] = useState(new Date());
+ formHook = form;
+
+ return (
+
+ );
+ };
+
+ const { find } = registerTestBed(TestComp, { memoryRouter: { wrapComponent: false } })();
+
+ expect(formHook?.__getFormDefaultValue()).toEqual({ name: 'John' });
+
+ // Make sure a re-render of the component does not re-update the defaultValue
+ act(() => {
+ find('forceUpdateBtn').simulate('click');
+ });
+
+ expect(formHook?.__getFormDefaultValue()).toEqual({ name: 'John' });
});
});
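Review bot: In the new test `should be updated with the UseField "defaultValue" prop`, `const [_, setDate] = useState(new Date())` leaves `_` unused and names the setter after a date the test never reads; `const [, forceRender] = useState(new Date());` says what it is for. The JSX that wires `forceUpdateBtn` to the setter is not visible in this view, so I cannot confirm the click handler is what triggers the re-render the comment describes.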
@@ -653,4 +689,321 @@ describe('useForm() hook', () => {
expect(errors).toEqual(['Field1 can not be empty', 'Field2 is invalid']);
});
});
+
+ describe('form.updateFieldValues()', () => {
+ test('should update field values and discard unknwon fields provided', async () => {
+ const TestComp = () => {
+ const { form } = useForm();
+ formHook = form;
+
+ return (
+
+ );
+ };
+
+ registerTestBed(TestComp)();
+
+ expect(formHook!.getFormData()).toEqual({
+ field1: 'field1_defaultValue',
+ field2: {
+ a: 'field2_a_defaultValue',
+ b: 'field2_b_defaultValue',
+ },
+ });
+
+ await act(async () => {
+ formHook!.updateFieldValues({
+ field1: 'field1_updated',
+ field2: {
+ a: 'field2_a_updated',
+ b: 'field2_b_updated',
+ },
+ unknownField: 'foo',
+ });
+ });
+
+ expect(formHook!.getFormData()).toEqual({
+ field1: 'field1_updated',
+ field2: {
+ a: 'field2_a_updated',
+ b: 'field2_b_updated',
+ },
+ });
+ });
+
+ test('should update an array of object fields', async () => {
+ const TestComp = () => {
+ const { form } = useForm();
+ formHook = form;
+
+ return (
+
+ );
+ };
+
+ registerTestBed(TestComp)();
+
+ if (formHook === null) {
+ throw new Error('Formhook has not been set.');
+ }
+
+ expect(formHook.getFormData()).toEqual({
+ users: [
+ {
+ name: 'John',
+ lastName: 'Snow',
+ },
+ ],
+ });
+
+ const newFormData = {
+ users: [
+ {
+ name: 'User1_name',
+ lastName: 'User1_lastName',
+ },
+ {
+ name: 'User2_name',
+ lastName: 'User2_lastName',
+ },
+ ],
+ };
+
+ await act(async () => {
+ formHook!.updateFieldValues(newFormData);
+ });
+
+ expect(formHook.getFormData()).toEqual(newFormData);
+ });
+
+ test('should update an array of string fields (ComboBox)', async () => {
+ const TestComp = () => {
+ const { form } = useForm();
+ formHook = form;
+
+ return (
+
+ );
+ };
+
+ registerTestBed(TestComp)();
+
+ if (formHook === null) {
+ throw new Error('Formhook has not been set.');
+ }
+
+ expect(formHook.getFormData()).toEqual({
+ tags: ['foo', 'bar'],
+ });
+
+ const newFormData = {
+ tags: ['updated', 'array'],
+ };
+
+ await act(async () => {
+ formHook!.updateFieldValues(newFormData);
+ });
+
+ expect(formHook.getFormData()).toEqual(newFormData);
+ });
+
+ test('should update recursively an array of object fields', async () => {
+ const TestComp = () => {
+ const { form } = useForm();
+ formHook = form;
+
+ return (
+
+ );
+ };
+
+ registerTestBed(TestComp)();
+
+ if (formHook === null) {
+ throw new Error('Formhook has not been set.');
+ }
+
+ expect(formHook.getFormData()).toEqual({
+ users: [
+ {
+ name: 'John',
+ address: [
+ {
+ street: 'Street name',
+ city: 'Lagos',
+ },
+ ],
+ tags: ['blue', 'red'],
+ },
+ ],
+ });
+
+ const newFormData = {
+ users: [
+ {
+ name: 'Balbina',
+ tags: ['yellow', 'pink'],
+ address: [
+ {
+ street: 'Rua direita',
+ city: 'Burgau',
+ },
+ ],
+ },
+ {
+ name: 'Mike',
+ tags: ['green', 'black', 'orange'],
+ address: [
+ {
+ street: 'Calle de Callao',
+ city: 'Madrid',
+ },
+ {
+ street: 'Rue de Flagey',
+ city: 'Brussels',
+ },
+ ],
+ },
+ ],
+ };
+
+ await act(async () => {
+ formHook!.updateFieldValues(newFormData);
+ });
+
+ expect(formHook.getFormData()).toEqual(newFormData);
+ });
+
+ describe('deserializer', () => {
+ const formDefaultValue = { foo: 'initial' };
+ const deserializer = (formData: typeof formDefaultValue) => ({
+ foo: { label: formData.foo.toUpperCase(), value: formData.foo },
+ });
+
+ const TestComp = () => {
+ const { form } = useForm({ defaultValue: formDefaultValue, deserializer });
+ formHook = form;
+
+ return (
+
+ );
+ };
+
+ test('should run deserializer on the new form data provided', async () => {
+ registerTestBed(TestComp)();
+
+ if (formHook === null) {
+ throw new Error('Formhook has not been set.');
+ }
+
+ expect(formHook.getFormData()).toEqual({
+ foo: { label: 'INITIAL', value: 'initial' },
+ });
+
+ const newFormData = {
+ foo: 'updated',
+ };
+
+ await act(async () => {
+ formHook!.updateFieldValues(newFormData);
+ });
+
+ expect(formHook.getFormData()).toEqual({
+ foo: { label: 'UPDATED', value: 'updated' },
+ });
+ });
+
+ test('should not run deserializer on the new form data provided', async () => {
+ registerTestBed(TestComp)();
+
+ if (formHook === null) {
+ throw new Error('Formhook has not been set.');
+ }
+
+ expect(formHook.getFormData()).toEqual({
+ foo: { label: 'INITIAL', value: 'initial' },
+ });
+
+ const newFormData = {
+ foo: 'updated',
+ };
+
+ await act(async () => {
+ formHook!.updateFieldValues(newFormData, { runDeserializer: false });
+ });
+
+ expect(formHook.getFormData()).toEqual({
+ foo: 'updated',
+ });
+ });
+ });
+ });
});
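Review bot: The test title `'should update field values and discard unknwon fields provided'` has a typo (`unknwon` → `unknown`). Several tests in this block guard with `if (formHook === null) { throw ... }` and then still write `formHook!.updateFieldValues(...)` inside the `act` callbacks, because the narrowing does not survive into the closure; binding once after the guard, `const form = formHook;`, and using `form` in the callbacks removes every `!` in the describe block. The first test (`discard unknwon fields`) skips the guard entirely and relies on `formHook!` throughout, so it would be the odd one out either way.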
diff --git a/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.ts b/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.ts
index 3966f9cc61a70..b6b45c76e7115 100644
--- a/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.ts
+++ b/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.ts
@@ -7,11 +7,19 @@
*/
import { useState, useRef, useEffect, useMemo, useCallback } from 'react';
-import { get } from 'lodash';
+import { get, mergeWith } from 'lodash';
import { set } from '@elastic/safer-lodash-set';
import { FormHook, FieldHook, FormData, FieldsMap, FormConfig } from '../types';
-import { mapFormFields, unflattenObject, flattenObject, Subject, Subscription } from '../lib';
+import {
+ mapFormFields,
+ unflattenObject,
+ flattenObject,
+ stripOutUndefinedValues,
+ Subject,
+ Subscription,
+} from '../lib';
+import { createArrayItem, getInternalArrayFieldPath } from '../components/use_array';
const DEFAULT_OPTIONS = {
valueChangeDebounceTime: 500,
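Review bot: `hooks/use_form.ts` now imports `createArrayItem` and `getInternalArrayFieldPath` from `../components/use_array`, while `use_array.ts` (earlier in this diff) imports `../types` and the form context; if that context module imports or re-exports `use_form`, this creates an import cycle that only works by evaluation-order luck. Both helpers are pure string/object builders with no React dependency, so moving them to `../lib` next to `stripOutUndefinedValues` keeps the hooks → lib direction the rest of this import block already follows. The form-context module is not visible here, so treat the cycle as something to check rather than confirmed.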
@@ -37,23 +45,23 @@ export function useForm(
// Strip out any "undefined" value and run the deserializer
const initDefaultValue = useCallback(
- (_defaultValue?: Partial): I | undefined => {
+ (_defaultValue?: Partial, runDeserializer: boolean = true): I | undefined => {
if (_defaultValue === undefined || Object.keys(_defaultValue).length === 0) {
return undefined;
}
- const filtered = Object.entries(_defaultValue as object)
- .filter(({ 1: value }) => value !== undefined)
- .reduce((acc, [key, value]) => ({ ...acc, [key]: value }), {} as T);
+ const filtered = stripOutUndefinedValues(_defaultValue);
- return deserializer ? deserializer(filtered) : (filtered as unknown as I);
+ return runDeserializer && deserializer
+ ? stripOutUndefinedValues(deserializer(filtered))
+ : (filtered as unknown as I);
},
[deserializer]
);
// We create this stable reference to be able to initialize our "defaultValueDeserialized" ref below
// as we can't initialize useRef by calling a function (e.g. useRef(initDefaultValue()))
- const defaultValueMemoized = useMemo(() => {
+ const defaultValueInitialized = useMemo(() => {
return initDefaultValue(defaultValue);
}, [defaultValue, initDefaultValue]);
@@ -91,7 +99,7 @@ export function useForm(
* Keep a reference to the form defaultValue once it has been deserialized.
* This allows us to reset the form and put back the initial value of each fields
*/
- const defaultValueDeserialized = useRef(defaultValueMemoized);
+ const defaultValueDeserialized = useRef(defaultValueInitialized);
/**
* We have both a state and a ref for the error messages so the consumer can, in the same callback,
@@ -440,6 +448,77 @@ export function useForm(
[]
);
+ const updateFieldValues: FormHook['updateFieldValues'] = useCallback(
+ (updatedFormData, { runDeserializer = true } = {}) => {
+ if (
+ !updatedFormData ||
+ typeof updatedFormData !== 'object' ||
+ Object.keys(updatedFormData).length === 0
+ ) {
+ return;
+ }
+
+ const updatedFormDataInitialized = initDefaultValue(updatedFormData, runDeserializer);
+
+ const mergedDefaultValue = mergeWith(
+ {},
+ defaultValueDeserialized.current,
+ updatedFormDataInitialized,
+ (_, srcValue) => {
+ if (Array.isArray(srcValue)) {
+ // Arrays are returned as provided, we don't want to merge
+ // previous array values with the new ones.
+ return srcValue;
+ }
+ }
+ );
+
+ defaultValueDeserialized.current = stripOutUndefinedValues(mergedDefaultValue);
+
+ const doUpdateValues = (obj: object, currentObjPath: string[] = []) => {
+ Object.entries(obj).forEach(([key, value]) => {
+ const fullPath = [...currentObjPath, key].join('.');
+ const internalArrayfieldPath = getInternalArrayFieldPath(fullPath);
+
+ // Check if there is an **internal array** (created by ) defined at this key.
+ // If there is one, we update that field value and don't go any further as from there it will
+ // be the individual fields (children) declared inside the UseArray that will read the "defaultValue"
+ // object of the form (which we've updated above).
+ if (Array.isArray(value) && fieldsRefs.current[internalArrayfieldPath]) {
+ const field = fieldsRefs.current[internalArrayfieldPath];
+ const fieldValue = value.map((_, index) => createArrayItem(fullPath, index, false));
+ field.setValue(fieldValue);
+ return;
+ }
+
+ if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+ // We make sure that at least _some_ leaf fields are present in the fieldsRefs object
+ // If not, we should not consider this as a multi fields but single field (e.g. a select field whose value is { label: 'Foo', value: 'foo' })
+ const hasSomeLeafField = Object.keys(value).some(
+ (leaf) => fieldsRefs.current[`${fullPath}.${leaf}`] !== undefined
+ );
+
+ if (hasSomeLeafField) {
+ // Recursively update internal objects
+ doUpdateValues(value, [...currentObjPath, key]);
+ return;
+ }
+ }
+
+ const field = fieldsRefs.current[fullPath];
+ if (!field) {
+ return;
+ }
+
+ field.setValue(value);
+ });
+ };
+
+ doUpdateValues(updatedFormDataInitialized!);
+ },
+ [initDefaultValue]
+ );
+
const submit: FormHook['submit'] = useCallback(
async (e) => {
if (e) {
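Review bot: `fieldsRefs.current[fullPath]` and the `hasSomeLeafField` probe use keys taken straight from `updatedFormData`; if `fieldsRefs.current` is a plain `{}` (its declaration is not in this hunk), a key such as `constructor` resolves to an inherited property, `field` is truthy and `field.setValue(value)` throws, and a `__proto__` key behaves the same way — an own-property check avoids it: `const field = Object.prototype.hasOwnProperty.call(fieldsRefs.current, fullPath) ? fieldsRefs.current[fullPath] : undefined;`, with the same guard on the `${fullPath}.${leaf}` lookup. The `mergeWith` call walks those same caller-supplied keys into `defaultValueDeserialized.current`; this file deliberately routes `set` through `@elastic/safer-lodash-set`, so confirm that the pinned lodash carries the `__proto__`/`constructor` guards in `merge` (present from 4.17.12 on) or strip such keys before merging. The array customizer returns `srcValue` itself, so the stored default value aliases the caller's arrays and a later mutation by the caller leaks into the form's reset state; `return [...srcValue];` (or a deeper copy for arrays of objects) decouples them. Finally, `doUpdateValues(updatedFormDataInitialized!)` is only safe because of the emptiness check at the top of the callback; a short comment saying so keeps the two from being edited independently.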
@@ -536,6 +615,7 @@ export function useForm(
getFieldDefaultValue,
getFormData,
getErrors,
+ updateFieldValues,
reset,
validateFields,
__options: formOptions,
@@ -563,6 +643,7 @@ export function useForm(
getErrors,
getFormDefaultValue,
getFieldDefaultValue,
+ updateFieldValues,
reset,
formOptions,
getFormData$,
@@ -578,16 +659,6 @@ export function useForm(
// ----------------------------------
// -- EFFECTS
// ----------------------------------
-
- useEffect(() => {
- if (!isMounted.current) {
- return;
- }
-
- // Whenever the "defaultValue" prop changes, reinitialize our ref
- defaultValueDeserialized.current = defaultValueMemoized;
- }, [defaultValueMemoized]);
-
useEffect(() => {
isMounted.current = true;
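Review bot: Removing this effect means a change to the `defaultValue` config after mount no longer refreshes `defaultValueDeserialized` (the new test in use_form.test.tsx asserts exactly that), but nothing left in this hunk records the decision, so the next reader may reinstate the sync as a "missing" feature. Suggested comment above the remaining `useEffect`: `// "defaultValue" is read once on mount; later changes to the config are ignored.` followed by `// Use form.updateFieldValues() to change the defaults at runtime.`. The `useEffect` that follows continues past the hunk.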
diff --git a/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/index.ts b/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/index.ts
index b65dc0570acba..2bdf942c38d3a 100644
--- a/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/index.ts
+++ b/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/index.ts
@@ -10,4 +10,4 @@ export type { Subscription } from './subject';
export { Subject } from './subject';
-export { flattenObject, unflattenObject, mapFormFields } from './utils';
+export { flattenObject, unflattenObject, mapFormFields, stripOutUndefinedValues } from './utils';
diff --git a/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.test.ts b/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.test.ts
index f7d7429889eb2..df17700fc8c44 100644
--- a/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.test.ts
+++ b/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.test.ts
@@ -6,7 +6,7 @@
* Side Public License, v 1.
*/
-import { flattenObject } from './utils';
+import { flattenObject, stripOutUndefinedValues } from './utils';
describe('Form lib utils', () => {
describe('flattenObject', () => {
@@ -40,4 +40,28 @@ describe('Form lib utils', () => {
});
});
});
+
+ describe('stripOutUndefinedValues', () => {
+ test('should remove all undefined values', () => {
+ const obj = {
+ foo: undefined,
+ bar: {
+ a: true,
+ b: undefined,
+ c: ['foo', undefined, 'bar'],
+ d: {
+ d: undefined,
+ },
+ },
+ };
+
+ expect(stripOutUndefinedValues(obj)).toEqual({
+ bar: {
+ a: true,
+ c: ['foo', undefined, 'bar'],
+ d: {},
+ },
+ });
+ });
+ });
});
diff --git a/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.ts b/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.ts
index 8df6506ec2e7b..54f6726abb115 100644
--- a/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.ts
+++ b/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.ts
@@ -56,6 +56,24 @@ export const flattenObject = (
return acc;
}, {});
+/**
+ * Deeply remove all "undefined" value inside an Object
+ *
+ * @param obj The object to process
+ * @returns The object without any "undefined"
+ */
+export const stripOutUndefinedValues = (obj: GenericObject): R => {
+ return Object.entries(obj)
+ .filter(({ 1: value }) => value !== undefined)
+ .reduce((acc, [key, value]) => {
+ if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+ return { ...acc, [key]: stripOutUndefinedValues(value) };
+ }
+
+ return { ...acc, [key]: value };
+ }, {} as R);
+};
+
/**
* Helper to map the object of fields to any of its value
*
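Review bot: `stripOutUndefinedValues` recurses into every non-null, non-array object and rebuilds it as a plain literal, so a `Date`, a `Moment`, or any class instance in the form data comes out as `{}`; since `initDefaultValue` in use_form.ts now runs this on both the default value and the deserializer output, a deserializer that yields such values silently loses them. Restrict the recursion to plain objects, e.g. `const isPlain = (v: object) => { const p = Object.getPrototypeOf(v); return p === Object.prototype || p === null; };` and add `&& isPlain(value)` to the `if` condition. The docstring's "Deeply" is also wider than the behaviour, because arrays pass through untouched (the new test keeps `['foo', undefined, 'bar']`); amend it to ` * Deeply remove all "undefined" values inside an object. Arrays are kept as-is, including any undefined items or objects nested in them.`. Lastly, `{ ...acc, [key]: … }` inside `reduce` copies the accumulator on every key, which is quadratic in the key count; `acc[key] = …; return acc;` is the linear equivalent.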
diff --git a/src/plugins/es_ui_shared/static/forms/hook_form_lib/types.ts b/src/plugins/es_ui_shared/static/forms/hook_form_lib/types.ts
index 80af60619a4e8..22b9fdc6229a7 100644
--- a/src/plugins/es_ui_shared/static/forms/hook_form_lib/types.ts
+++ b/src/plugins/es_ui_shared/static/forms/hook_form_lib/types.ts
@@ -42,6 +42,30 @@ export interface FormHook
getFormData: () => T;
/* Returns an array with of all errors in the form. */
getErrors: () => string[];
+ /**
+ * Update multiple field values at once. You don't need to provide all the form
+ * fields, **partial** update is supported. This method is mainly useful to update an array
+ * of object fields.
+ *
+ * @example
+ * ```js
+ * // Update an array of fields
+ * form.updateFieldValues({ myArray: [{ foo: 'bar', baz: true }, { foo2: 'bar2', baz: false }] })
+ *
+ * // or simply multiple fields at once
+ * form.updateFieldValues({ foo: 'bar', baz: false })
+ * ```
+ */
+ updateFieldValues: (
+ updatedFormData: Partial & FormData,
+ options?: {
+ /**
+ * Flag to indicate if the deserializer(s) are run against the provided form data.
+ * @default true
+ */
+ runDeserializer?: boolean;
+ }
+ ) => void;
/**
* Reset the form states to their initial value and optionally
* all the fields to their initial values.
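Review bot: The `updateFieldValues` doc block does not say what happens to keys that match no registered field, although the accompanying test (`discard unknwon fields provided`) shows they are dropped. Add after the first paragraph: ` * Keys that do not match a field registered in the form are ignored.`. Whether fields mounted later pick the new values up from the updated default value is suggested by the comment inside `doUpdateValues` in use_form.ts but not shown here, so document that part only once confirmed.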
diff --git a/test/functional/apps/discover/_large_string.ts b/test/functional/apps/discover/_large_string.ts
index de3f0f2c40ae1..11938f262ceeb 100644
--- a/test/functional/apps/discover/_large_string.ts
+++ b/test/functional/apps/discover/_large_string.ts
@@ -43,7 +43,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
await PageObjects.common.navigateToApp('discover');
await retry.try(async function tryingForTime() {
- const rowData = await PageObjects.discover.getDocTableIndex(1);
+ const rowData = await PageObjects.discover.getDocTableIndex(1, true);
expect(rowData).to.contain(expectedText);
});
});
diff --git a/test/functional/page_objects/discover_page.ts b/test/functional/page_objects/discover_page.ts
index 842f13f2666e1..ce25370493823 100644
--- a/test/functional/page_objects/discover_page.ts
+++ b/test/functional/page_objects/discover_page.ts
@@ -7,7 +7,6 @@
*/
import expect from '@kbn/expect';
-import _saved_queries from '../apps/discover/_saved_queries';
import { FtrService } from '../ftr_provider_context';
export class DiscoverPageObject extends FtrService {
@@ -244,7 +243,7 @@ export class DiscoverPageObject extends FtrService {
return (await this.kibanaServer.uiSettings.get('doc_table:legacy')) === true;
}
- public async getDocTableIndex(index: number) {
+ public async getDocTableIndex(index: number, visibleText = false) {
const isLegacyDefault = await this.useLegacyTable();
if (isLegacyDefault) {
const row = await this.find.byCssSelector(`tr.kbnDocTable__row:nth-child(${index})`);
@@ -252,7 +251,16 @@ export class DiscoverPageObject extends FtrService {
}
const row = await this.dataGrid.getRow({ rowIndex: index - 1 });
- const result = await Promise.all(row.map(async (cell) => await cell.getVisibleText()));
+ const result = await Promise.all(
+ row.map(async (cell) => {
+ if (visibleText) {
+ return await cell.getVisibleText();
+ } else {
+ const textContent = await cell.getAttribute('textContent');
+ return textContent.trim();
+ }
+ })
+ );
// Remove control columns
return result.slice(2).join(' ');
}
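Review bot: `cell.getAttribute('textContent')` can resolve to `null` (WebDriver reports a missing attribute or property as null), and `textContent.trim()` then fails with a TypeError instead of yielding an empty string, which turns an empty cell into a confusing stack trace rather than an assertion failure; `return (textContent ?? '').trim();` keeps the previous contract. The same pattern appears in the data_grid.ts hunk (`textArr.push(textContent.trim())`). The declared return type of `getAttribute` in this harness is not visible here, so treat the null case as something to confirm.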
diff --git a/test/functional/services/data_grid.ts b/test/functional/services/data_grid.ts
index bbce097fa9fff..926bd5ab6b734 100644
--- a/test/functional/services/data_grid.ts
+++ b/test/functional/services/data_grid.ts
@@ -174,7 +174,8 @@ export class DataGridService extends FtrService {
const textArr = [];
for (const cell of result) {
- textArr.push(await cell.getVisibleText());
+ const textContent = await cell.getAttribute('textContent');
+ textArr.push(textContent.trim());
}
return Promise.resolve(textArr);
}
diff --git a/x-pack/plugins/cloud_security_posture/common/schemas/csp_rule.ts b/x-pack/plugins/cloud_security_posture/common/schemas/csp_rule.ts
index d5c8e9fab1f2e..a2c7f06e0a676 100644
--- a/x-pack/plugins/cloud_security_posture/common/schemas/csp_rule.ts
+++ b/x-pack/plugins/cloud_security_posture/common/schemas/csp_rule.ts
@@ -18,9 +18,12 @@ export const cspRuleSchema = rt.object({
default_value: rt.string(),
remediation: rt.string(),
benchmark: rt.object({ name: rt.string(), version: rt.string() }),
+ rego_rule_id: rt.string(),
tags: rt.arrayOf(rt.string()),
enabled: rt.boolean(),
muted: rt.boolean(),
+ package_policy_id: rt.string(),
+ policy_id: rt.string(),
});
export type CspRuleSchema = TypeOf;
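Review bot: `cspRuleSchema` now requires `rego_rule_id`, `package_policy_id` and `policy_id`, so any rule saved object persisted before this change fails validation on its next read or update unless a saved-object migration (not part of the diff as shown) backfills them; the same applies to `cspRuleTemplateSchema` in csp_rule_template.ts, which adds required `id`, `enabled`, `muted` and drops `severity`/`benchmark_rule_id`. Both `package_policy_id` and `policy_id` tie a rule to a Fleet policy, yet any string including `''` passes; `package_policy_id: rt.string({ minLength: 1 }),` and `policy_id: rt.string({ minLength: 1 }),` reject the empty case at the boundary. If these objects are only ever created by the plugin itself (the new fleet_integration test suggests so), the migration concern shrinks to the seed data, but that is inferred rather than visible.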
diff --git a/x-pack/plugins/cloud_security_posture/common/schemas/csp_rule_template.ts b/x-pack/plugins/cloud_security_posture/common/schemas/csp_rule_template.ts
index e6c7740f87fd3..ec772e1595f0e 100644
--- a/x-pack/plugins/cloud_security_posture/common/schemas/csp_rule_template.ts
+++ b/x-pack/plugins/cloud_security_posture/common/schemas/csp_rule_template.ts
@@ -7,17 +7,18 @@
import { schema as rt, TypeOf } from '@kbn/config-schema';
const cspRuleTemplateSchema = rt.object({
+ id: rt.string(),
name: rt.string(),
+ tags: rt.arrayOf(rt.string()),
description: rt.string(),
rationale: rt.string(),
- impact: rt.string(),
default_value: rt.string(),
+ impact: rt.string(),
remediation: rt.string(),
benchmark: rt.object({ name: rt.string(), version: rt.string() }),
- severity: rt.string(),
- benchmark_rule_id: rt.string(),
rego_rule_id: rt.string(),
- tags: rt.arrayOf(rt.string()),
+ enabled: rt.boolean(),
+ muted: rt.boolean(),
});
export const cloudSecurityPostureRuleTemplateSavedObjectType = 'csp-rule-template';
export type CloudSecurityPostureRuleTemplateSchema = TypeOf;
diff --git a/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.test.ts b/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.test.ts
new file mode 100644
index 0000000000000..8872c359fc770
--- /dev/null
+++ b/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.test.ts
@@ -0,0 +1,77 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { loggingSystemMock, savedObjectsClientMock } from '@kbn/core/server/mocks';
+import { SavedObjectsClientContract, SavedObjectsFindResponse } from '@kbn/core/server';
+import { createPackagePolicyMock } from '@kbn/fleet-plugin/common/mocks';
+import { CIS_KUBERNETES_PACKAGE_NAME } from '../../common/constants';
+import { onPackagePolicyPostCreateCallback } from './fleet_integration';
+
+describe('create CSP rules with post package create callback', () => {
+ let logger: ReturnType;
+ let mockSoClient: jest.Mocked;
+ const ruleAttributes = {
+ id: '41308bcdaaf665761478bb6f0d745a5c',
+ name: 'Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)',
+ tags: ['CIS', 'Kubernetes', 'CIS 1.1.1', 'Master Node Configuration Files'],
+ description:
+ 'Ensure that the API server pod specification file has permissions of `644` or more restrictive.\n',
+ rationale:
+ 'The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n',
+ default_value: 'By default, the `kube-apiserver.yaml` file has permissions of `640`.\n',
+ impact: 'None\n',
+ remediation:
+ 'Run the below command (based on the file location on your system) on the\nmaster node.\nFor example,\n```\nchmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n',
+ benchmark: {
+ name: 'CIS Kubernetes V1.20',
+ version: 'v1.0.0',
+ },
+ enabled: true,
+ rego_rule_id: 'cis_1_2_2',
+ };
+
+ beforeEach(() => {
+ logger = loggingSystemMock.createLogger();
+ mockSoClient = savedObjectsClientMock.create();
+ });
+ it('should create stateful rules based on rule template', async () => {
+ const mockPackagePolicy = createPackagePolicyMock();
+ mockPackagePolicy.package!.name = CIS_KUBERNETES_PACKAGE_NAME;
+ mockSoClient.find.mockResolvedValueOnce({
+ saved_objects: [
+ {
+ type: 'csp-rule-template',
+ id: 'csp_rule_template-41308bcdaaf665761478bb6f0d745a5c',
+ attributes: { ...ruleAttributes },
+ },
+ ],
+ pit_id: undefined,
+ } as unknown as SavedObjectsFindResponse);
+
+ await onPackagePolicyPostCreateCallback(logger, mockPackagePolicy, mockSoClient);
+
+ expect(mockSoClient.bulkCreate.mock.calls[0][0]).toMatchObject([
+ {
+ type: 'csp_rule',
+ attributes: {
+ ...ruleAttributes,
+ package_policy_id: mockPackagePolicy.id,
+ policy_id: mockPackagePolicy.policy_id,
+ },
+ },
+ ]);
+ });
+
+ it('should not create rules when the package policy is not csp package', async () => {
+ const mockPackagePolicy = createPackagePolicyMock();
+ mockPackagePolicy.package!.name = 'not_csp_package';
+
+ await onPackagePolicyPostCreateCallback(logger, mockPackagePolicy, mockSoClient);
+ expect(mockSoClient.find).toHaveBeenCalledTimes(0);
+ expect(mockSoClient.bulkCreate).toHaveBeenCalledTimes(0);
+ });
+});
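Review bot: The mocked find response in the first test omits `total`, so the `existingRuleTemplates.total === 0` early-return in the implementation is only bypassed because `undefined !== 0`; the test passes by accident and would break under a stricter guard such as `!total`. Add `total: 1,` next to `pit_id: undefined` so the fixture states the count the code actually branches on. It would also be worth a third case asserting that an empty find result (`saved_objects: [], total: 0`) produces no `bulkCreate` call, since that path is currently untested.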
diff --git a/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.ts b/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.ts
new file mode 100644
index 0000000000000..521252f1558e4
--- /dev/null
+++ b/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.ts
@@ -0,0 +1,105 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type {
+ SavedObjectsBulkCreateObject,
+ SavedObjectsFindResponse,
+ SavedObjectsFindResult,
+ ISavedObjectsRepository,
+ SavedObjectsClientContract,
+ Logger,
+} from '@kbn/core/server';
+import { PackagePolicy, DeletePackagePoliciesResponse } from '@kbn/fleet-plugin/common';
+import {
+ cloudSecurityPostureRuleTemplateSavedObjectType,
+ CloudSecurityPostureRuleTemplateSchema,
+} from '../../common/schemas/csp_rule_template';
+import { CIS_KUBERNETES_PACKAGE_NAME } from '../../common/constants';
+import { CspRuleSchema, cspRuleAssetSavedObjectType } from '../../common/schemas/csp_rule';
+
+type ArrayElement = ArrayType extends ReadonlyArray<
+ infer ElementType
+>
+ ? ElementType
+ : never;
+
+const isCspPackagePolicy = (
+ packagePolicy: T
+): boolean => {
+ return packagePolicy.package?.name === CIS_KUBERNETES_PACKAGE_NAME;
+};
+
+/**
+ * Callback to handle creation of PackagePolicies in Fleet
+ */
+export const onPackagePolicyPostCreateCallback = async (
+ logger: Logger,
+ packagePolicy: PackagePolicy,
+ savedObjectsClient: SavedObjectsClientContract
+): Promise => {
+ // We only care about Cloud Security Posture package policies
+ if (!isCspPackagePolicy(packagePolicy)) {
+ return;
+ }
+ // Create csp-rules from the generic asset
+ const existingRuleTemplates: SavedObjectsFindResponse =
+ await savedObjectsClient.find({ type: cloudSecurityPostureRuleTemplateSavedObjectType });
+
+ if (existingRuleTemplates.total === 0) {
+ return;
+ }
+
+ const cspRules = generateRulesFromTemplates(
+ packagePolicy.id,
+ packagePolicy.policy_id,
+ existingRuleTemplates.saved_objects
+ );
+
+ try {
+ await savedObjectsClient.bulkCreate(cspRules);
+ logger.info(`Generated CSP rules for package ${packagePolicy.policy_id}`);
+ } catch (e) {
+ logger.error('failed to generate rules out of template');
+ logger.error(e);
+ }
+};
+
+/**
+ * Callback to handle deletion of PackagePolicies in Fleet
+ */
+export const onPackagePolicyDeleteCallback = async (
+ logger: Logger,
+ deletedPackagePolicy: ArrayElement,
+ soClient: ISavedObjectsRepository
+): Promise => {
+ try {
+ const { saved_objects: cspRules }: SavedObjectsFindResponse =
+ await soClient.find({
+ type: cspRuleAssetSavedObjectType,
+ filter: `csp_rule.attributes.package_policy_id: ${deletedPackagePolicy.id} AND csp_rule.attributes.policy_id: ${deletedPackagePolicy.policy_id}`,
+ });
+ await Promise.all(
+ cspRules.map((rule) => soClient.delete(cspRuleAssetSavedObjectType, rule.id))
+ );
+ } catch (e) {
+ logger.error(`Failed to delete CSP rules after delete package ${deletedPackagePolicy.id}`);
+ logger.error(e);
+ }
+};
+
+const generateRulesFromTemplates = (
+ packagePolicyId: string,
+ policyId: string,
+ cspRuleTemplates: Array>
+): Array> =>
+ cspRuleTemplates.map((template) => ({
+ type: cspRuleAssetSavedObjectType,
+ attributes: {
+ ...template.attributes,
+ package_policy_id: packagePolicyId,
+ policy_id: policyId,
+ },
+ }));
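Review bot: The KQL `filter` in `onPackagePolicyDeleteCallback` is built by interpolating `deletedPackagePolicy.id` and `policy_id` unquoted into the query string, so any id containing KQL syntax (whitespace, `:`, `(`, `*`) produces a malformed or broader filter and the wrong rules could be deleted or none at all; these values come from Fleet rather than the request, but the filter should still quote them, e.g. `filter: \`csp_rule.attributes.package_policy_id: "${deletedPackagePolicy.id}" AND csp_rule.attributes.policy_id: "${deletedPackagePolicy.policy_id}"\``, and run them through a KQL escaping helper if one is available in the repo. Separately, both `find` calls rely on the default page size, so `onPackagePolicyPostCreateCallback` only turns the first page of templates into rules and the delete callback only removes the first page of matching rules, leaving the rest orphaned; pass an explicit `perPage` (or page through the results) in both. Finally, the delete path logs and swallows the failure, which is reasonable, but the success path logs nothing, so there is no audit trail of how many rules were removed; an `info` line with `cspRules.length` after the `Promise.all` would help incident review.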
diff --git a/x-pack/plugins/cloud_security_posture/server/plugin.ts b/x-pack/plugins/cloud_security_posture/server/plugin.ts
index b2108dc24a926..99900d4aed0d4 100755
--- a/x-pack/plugins/cloud_security_posture/server/plugin.ts
+++ b/x-pack/plugins/cloud_security_posture/server/plugin.ts
@@ -12,6 +12,9 @@ import type {
Plugin,
Logger,
} from '@kbn/core/server';
+import { KibanaRequest, RequestHandlerContext } from '@kbn/core/server';
+import { DeepReadonly } from 'utility-types';
+import { DeletePackagePoliciesResponse, PackagePolicy } from '@kbn/fleet-plugin/common';
import { CspAppService } from './lib/csp_app_services';
import type {
CspServerPluginSetup,
@@ -23,9 +26,12 @@ import type {
import { defineRoutes } from './routes';
import { cspRuleTemplateAssetType } from './saved_objects/csp_rule_template';
import { cspRuleAssetType } from './saved_objects/csp_rule_type';
-import { initializeCspRules } from './saved_objects/initialize_rules';
import { initializeCspTransformsIndices } from './create_indices/create_transforms_indices';
-import { initializeCspTransforms } from './create_transforms/create_transforms';
+import {
+ onPackagePolicyPostCreateCallback,
+ onPackagePolicyDeleteCallback,
+} from './fleet_integration/fleet_integration';
+import { CIS_KUBERNETES_PACKAGE_NAME } from '../common/constants';
export interface CspAppContext {
logger: Logger;
@@ -72,10 +78,42 @@ export class CspPlugin
...plugins.fleet,
});
- initializeCspRules(core.savedObjects.createInternalRepository());
- initializeCspTransformsIndices(core.elasticsearch.client.asInternalUser, this.logger).then(
- (_) => initializeCspTransforms(core.elasticsearch.client.asInternalUser, this.logger)
- );
+ initializeCspTransformsIndices(core.elasticsearch.client.asInternalUser, this.logger);
+ plugins.fleet.fleetSetupCompleted().then(() => {
+ plugins.fleet.registerExternalCallback(
+ 'packagePolicyPostCreate',
+ async (
+ packagePolicy: PackagePolicy,
+ context: RequestHandlerContext,
+ request: KibanaRequest
+ ): Promise => {
+ if (packagePolicy.package?.name === CIS_KUBERNETES_PACKAGE_NAME) {
+ await onPackagePolicyPostCreateCallback(
+ this.logger,
+ packagePolicy,
+ context.core.savedObjects.client
+ );
+ }
+
+ return packagePolicy;
+ }
+ );
+
+ plugins.fleet.registerExternalCallback(
+ 'postPackagePolicyDelete',
+ async (deletedPackagePolicies: DeepReadonly) => {
+ for (const deletedPackagePolicy of deletedPackagePolicies) {
+ if (deletedPackagePolicy.package?.name === CIS_KUBERNETES_PACKAGE_NAME) {
+ await onPackagePolicyDeleteCallback(
+ this.logger,
+ deletedPackagePolicy,
+ core.savedObjects.createInternalRepository()
+ );
+ }
+ }
+ }
+ );
+ });
return {};
}
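Review bot: The promise returned by `initializeCspTransformsIndices(...)` is now dropped without a `.catch`, whereas the removed code at least chained it, so a failure during index creation surfaces only as an unhandled rejection; write `initializeCspTransformsIndices(core.elasticsearch.client.asInternalUser, this.logger).catch((e) => this.logger.error(e));` and give the `fleetSetupCompleted().then(...)` chain the same treatment. Note also that the create callback runs with `context.core.savedObjects.client`, which is scoped to the user who created the package policy, while the delete callback uses `core.savedObjects.createInternalRepository()`; if a user is allowed to add the integration but lacks write access to the `csp_rule` saved-object type, rule creation will fail silently in the callback while deletion always succeeds, so the two should probably use the same privilege model (hedged: depends on how the saved-object type is registered). The enclosing `setup` method starts outside this hunk.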
diff --git a/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/compliance_dashboard.ts b/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/compliance_dashboard.ts
index 0cd301dde8d6d..c271208120ae4 100644
--- a/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/compliance_dashboard.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/compliance_dashboard.ts
@@ -5,16 +5,10 @@
* 2.0.
*/
-import type { ElasticsearchClient } from '@kbn/core/server';
import { transformError } from '@kbn/securitysolution-es-utils';
-import type {
- AggregationsMultiBucketAggregateBase as Aggregation,
- AggregationsTopHitsAggregate,
- QueryDslQueryContainer,
- SearchRequest,
-} from '@elastic/elasticsearch/lib/api/types';
+import type { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types';
import type { ComplianceDashboardData } from '../../../common/types';
-import { CSP_KUBEBEAT_INDEX_PATTERN, STATS_ROUTE_PATH } from '../../../common/constants';
+import { LATEST_FINDINGS_INDEX_PATTERN, STATS_ROUTE_PATH } from '../../../common/constants';
import { CspAppContext } from '../../plugin';
import { getResourcesTypes } from './get_resources_types';
import { ClusterWithoutTrend, getClusters } from './get_clusters';
@@ -22,59 +16,11 @@ import { getStats } from './get_stats';
import { CspRouter } from '../../types';
import { getTrends, Trends } from './get_trends';
-export interface ClusterBucket {
- ordered_top_hits: AggregationsTopHitsAggregate;
-}
-
-interface ClustersQueryResult {
- aggs_by_cluster_id: Aggregation;
-}
-
export interface KeyDocCount {
key: TKey;
doc_count: number;
}
-export const getLatestFindingQuery = (): SearchRequest => ({
- index: CSP_KUBEBEAT_INDEX_PATTERN,
- size: 0,
- query: {
- match_all: {},
- },
- aggs: {
- aggs_by_cluster_id: {
- terms: { field: 'cluster_id.keyword' },
- aggs: {
- ordered_top_hits: {
- top_hits: {
- size: 1,
- sort: {
- '@timestamp': {
- order: 'desc',
- },
- },
- },
- },
- },
- },
- },
-});
-
-const getLatestCyclesIds = async (esClient: ElasticsearchClient): Promise => {
- const queryResult = await esClient.search(getLatestFindingQuery(), {
- meta: true,
- });
-
- const clusters = queryResult.body.aggregations?.aggs_by_cluster_id.buckets;
- if (!Array.isArray(clusters)) throw new Error('missing aggs by cluster id');
-
- return clusters.map((c) => {
- const topHit = c.ordered_top_hits.hits.hits[0];
- if (!topHit) throw new Error('missing cluster latest hit');
- return topHit._source.cycle_id;
- });
-};
-
const getClustersTrends = (clustersWithoutTrends: ClusterWithoutTrend[], trends: Trends) =>
clustersWithoutTrends.map((cluster) => ({
...cluster,
@@ -87,7 +33,6 @@ const getClustersTrends = (clustersWithoutTrends: ClusterWithoutTrend[], trends:
const getSummaryTrend = (trends: Trends) =>
trends.map(({ timestamp, summary }) => ({ timestamp, ...summary }));
-// TODO: Utilize ES "Point in Time" feature https://www.elastic.co/guide/en/elasticsearch/reference/current/point-in-time-api.html
export const defineGetComplianceDashboardRoute = (
router: CspRouter,
cspContext: CspAppContext
@@ -100,22 +45,29 @@ export const defineGetComplianceDashboardRoute = (
async (context, _, response) => {
try {
const esClient = context.core.elasticsearch.client.asCurrentUser;
- const latestCyclesIds = await getLatestCyclesIds(esClient);
+
+ const { id: pitId } = await esClient.openPointInTime({
+ index: LATEST_FINDINGS_INDEX_PATTERN,
+ keep_alive: '30s',
+ });
+
const query: QueryDslQueryContainer = {
- bool: {
- should: latestCyclesIds.map((id) => ({
- match: { 'cycle_id.keyword': { query: id } },
- })),
- },
+ match_all: {},
};
const [stats, resourcesTypes, clustersWithoutTrends, trends] = await Promise.all([
- getStats(esClient, query),
- getResourcesTypes(esClient, query),
- getClusters(esClient, query),
+ getStats(esClient, query, pitId),
+ getResourcesTypes(esClient, query, pitId),
+ getClusters(esClient, query, pitId),
getTrends(esClient),
]);
+ // Try closing the PIT, if it fails we can safely ignore the error since it closes itself after the keep alive
+ // ends. Not waiting on the promise returned from the `closePointInTime` call to avoid delaying the request
+ esClient.closePointInTime({ id: pitId }).catch((err) => {
+ cspContext.logger.warn(`Could not close PIT for stats endpoint: ${err}`);
+ });
+
const clusters = getClustersTrends(clustersWithoutTrends, trends);
const trend = getSummaryTrend(trends);
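Review bot: The point in time opened at the top of the handler is only closed on the success path; if any of the `Promise.all` searches rejects, control goes to the `catch` further down and the PIT is left open until the 30s `keep_alive` expires, which under repeated failures accumulates open search contexts on the cluster. Move the best-effort `esClient.closePointInTime({ id: pitId }).catch(...)` into a `finally` (or repeat it in the `catch`) so it runs on both paths; the surrounding `try` continues outside this hunk. The inline comment should also say why `keep_alive: '30s'` is sufficient, e.g. `// 30s covers the four parallel aggregations issued below; the PIT is not refreshed per search`, so a future change that adds a slower query knows to revisit it.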
@@ -131,6 +83,7 @@ export const defineGetComplianceDashboardRoute = (
});
} catch (err) {
const error = transformError(err);
+ cspContext.logger.error(`Error while fetching CSP stats: ${err}`);
return response.customError({
body: { message: error.message },
diff --git a/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_clusters.ts b/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_clusters.ts
index 076205289b8b3..4a4afda9a12b2 100644
--- a/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_clusters.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_clusters.ts
@@ -14,7 +14,6 @@ import type {
import { Cluster } from '../../../common/types';
import { getResourceTypeFromAggs, resourceTypeAggQuery } from './get_resources_types';
import type { ResourceTypeQueryResult } from './get_resources_types';
-import { CSP_KUBEBEAT_INDEX_PATTERN } from '../../../common/constants';
import { findingsEvaluationAggsQuery, getStatsFromFindingsEvaluationsAggs } from './get_stats';
import { KeyDocCount } from './compliance_dashboard';
@@ -37,8 +36,7 @@ interface ClustersQueryResult {
export type ClusterWithoutTrend = Omit;
-export const getClustersQuery = (query: QueryDslQueryContainer): SearchRequest => ({
- index: CSP_KUBEBEAT_INDEX_PATTERN,
+export const getClustersQuery = (query: QueryDslQueryContainer, pitId: string): SearchRequest => ({
size: 0,
query,
aggs: {
@@ -66,6 +64,9 @@ export const getClustersQuery = (query: QueryDslQueryContainer): SearchRequest =
},
},
},
+ pit: {
+ id: pitId,
+ },
});
export const getClustersFromAggs = (clusters: ClusterBucket[]): ClusterWithoutTrend[] =>
@@ -102,13 +103,14 @@ export const getClustersFromAggs = (clusters: ClusterBucket[]): ClusterWithoutTr
export const getClusters = async (
esClient: ElasticsearchClient,
- query: QueryDslQueryContainer
+ query: QueryDslQueryContainer,
+ pitId: string
): Promise => {
- const queryResult = await esClient.search(getClustersQuery(query), {
- meta: true,
- });
+ const queryResult = await esClient.search(
+ getClustersQuery(query, pitId)
+ );
- const clusters = queryResult.body.aggregations?.aggs_by_cluster_id.buckets;
+ const clusters = queryResult.aggregations?.aggs_by_cluster_id.buckets;
if (!Array.isArray(clusters)) throw new Error('missing aggs by cluster id');
return getClustersFromAggs(clusters);
diff --git a/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_resources_types.ts b/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_resources_types.ts
index 703c2ee0f5107..ecb5ee755fb64 100644
--- a/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_resources_types.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_resources_types.ts
@@ -13,7 +13,6 @@ import type {
} from '@elastic/elasticsearch/lib/api/types';
import type { ComplianceDashboardData } from '../../../common/types';
import { KeyDocCount } from './compliance_dashboard';
-import { CSP_KUBEBEAT_INDEX_PATTERN } from '../../../common/constants';
export interface ResourceTypeQueryResult {
aggs_by_resource_type: Aggregation;
@@ -44,11 +43,13 @@ export const resourceTypeAggQuery = {
},
};
-export const getRisksEsQuery = (query: QueryDslQueryContainer): SearchRequest => ({
- index: CSP_KUBEBEAT_INDEX_PATTERN,
+export const getRisksEsQuery = (query: QueryDslQueryContainer, pitId: string): SearchRequest => ({
size: 0,
query,
aggs: resourceTypeAggQuery,
+ pit: {
+ id: pitId,
+ },
});
export const getResourceTypeFromAggs = (
@@ -63,14 +64,14 @@ export const getResourceTypeFromAggs = (
export const getResourcesTypes = async (
esClient: ElasticsearchClient,
- query: QueryDslQueryContainer
+ query: QueryDslQueryContainer,
+ pitId: string
): Promise => {
const resourceTypesQueryResult = await esClient.search(
- getRisksEsQuery(query),
- { meta: true }
+ getRisksEsQuery(query, pitId)
);
- const resourceTypes = resourceTypesQueryResult.body.aggregations?.aggs_by_resource_type.buckets;
+ const resourceTypes = resourceTypesQueryResult.aggregations?.aggs_by_resource_type.buckets;
if (!Array.isArray(resourceTypes)) throw new Error('missing resources types buckets');
return getResourceTypeFromAggs(resourceTypes);
diff --git a/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_stats.ts b/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_stats.ts
index a0840fd3c5ad0..788a519138aa0 100644
--- a/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_stats.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_stats.ts
@@ -7,7 +7,6 @@
import { ElasticsearchClient } from '@kbn/core/server';
import type { QueryDslQueryContainer, SearchRequest } from '@elastic/elasticsearch/lib/api/types';
-import { CSP_KUBEBEAT_INDEX_PATTERN } from '../../../common/constants';
import type { ComplianceDashboardData, Score } from '../../../common/types';
/**
@@ -36,10 +35,16 @@ export const findingsEvaluationAggsQuery = {
},
};
-export const getEvaluationsQuery = (query: QueryDslQueryContainer): SearchRequest => ({
- index: CSP_KUBEBEAT_INDEX_PATTERN,
+export const getEvaluationsQuery = (
+ query: QueryDslQueryContainer,
+ pitId: string
+): SearchRequest => ({
query,
+ size: 0,
aggs: findingsEvaluationAggsQuery,
+ pit: {
+ id: pitId,
+ },
});
export const getStatsFromFindingsEvaluationsAggs = (
@@ -61,13 +66,14 @@ export const getStatsFromFindingsEvaluationsAggs = (
export const getStats = async (
esClient: ElasticsearchClient,
- query: QueryDslQueryContainer
+ query: QueryDslQueryContainer,
+ pitId: string
): Promise => {
const evaluationsQueryResult = await esClient.search(
- getEvaluationsQuery(query),
- { meta: true }
+ getEvaluationsQuery(query, pitId)
);
- const findingsEvaluations = evaluationsQueryResult.body.aggregations;
+
+ const findingsEvaluations = evaluationsQueryResult.aggregations;
if (!findingsEvaluations) throw new Error('missing findings evaluations');
return getStatsFromFindingsEvaluationsAggs(findingsEvaluations);
diff --git a/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_trends.ts b/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_trends.ts
index f5c3d16241408..eba14cb8215c2 100644
--- a/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_trends.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/get_trends.ts
@@ -25,7 +25,7 @@ export interface ScoreTrendDoc {
>;
}
-export const getTrendsAggsQuery = () => ({
+export const getTrendsQuery = () => ({
index: BENCHMARK_SCORE_INDEX_PATTERN,
size: 5,
sort: '@timestamp:desc',
@@ -60,7 +60,7 @@ export const getTrendsFromQueryResult = (scoreTrendDocs: ScoreTrendDoc[]): Trend
}));
export const getTrends = async (esClient: ElasticsearchClient): Promise => {
- const trendsQueryResult = await esClient.search(getTrendsAggsQuery());
+ const trendsQueryResult = await esClient.search(getTrendsQuery());
if (!trendsQueryResult.hits.hits) throw new Error('missing trend results from score index');
diff --git a/x-pack/plugins/cloud_security_posture/server/saved_objects/cis_1_4_1/rules.ts b/x-pack/plugins/cloud_security_posture/server/saved_objects/cis_1_4_1/rules.ts
deleted file mode 100644
index 4e01301e2783a..0000000000000
--- a/x-pack/plugins/cloud_security_posture/server/saved_objects/cis_1_4_1/rules.ts
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import type { SavedObjectsBulkCreateObject } from '@kbn/core/server';
-import type { CspRuleSchema } from '../../../common/schemas/csp_rule';
-import { cspRuleAssetSavedObjectType } from '../../../common/schemas/csp_rule';
-
-const benchmark = { name: 'CIS', version: '1.4.1' } as const;
-
-const RULES: CspRuleSchema[] = [
- {
- id: '1.1.1',
- name: 'Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)',
- description: 'Disable anonymous requests to the API server',
- rationale:
- 'When enabled, requests that are not rejected by other configured authentication methods\nare treated as anonymous requests. These requests are then served by the API server. You\nshould rely on authentication to authorize access and disallow anonymous requests.\nIf you are using RBAC authorization, it is generally considered reasonable to allow\nanonymous access to the API Server for health checks and discovery purposes, and hence\nthis recommendation is not scored. However, you should consider whether anonymous\ndiscovery is an acceptable risk for your purposes.',
- impact: 'Anonymous requests will be rejected.',
- default_value: 'By default, anonymous access is enabled.',
- remediation:
- 'Edit the API server pod specification file /etc/kubernetes/manifests/kubeapiserver.yaml on the master node and set the below parameter.\n--anonymous-auth=false',
- tags: [],
- enabled: true,
- muted: false,
- benchmark,
- },
- {
- id: '1.1.2',
- name: 'Ensure that the --basic-auth-file argument is not set (Scored)',
- description: 'Do not use basic authentication',
- rationale:
- 'Basic authentication uses plaintext credentials for authentication. Currently, the basic\nauthentication credentials last indefinitely, and the password cannot be changed without\nrestarting API server. The basic authentication is currently supported for convenience.\nHence, basic authentication should not be used',
- impact:
- 'You will have to configure and use alternate authentication mechanisms such as tokens and\ncertificates. Username and password for basic authentication could no longer be used.',
- default_value: 'By default, basic authentication is not set',
- remediation:
- 'Follow the documentation and configure alternate mechanisms for authentication. Then,\nedit the API server pod specification file /etc/kubernetes/manifests/kubeapiserver.yaml on the master node and remove the --basic-auth-file=\nparameter.',
- tags: [],
- enabled: true,
- muted: false,
- benchmark,
- },
-];
-
-export const CIS_BENCHMARK_1_4_1_RULES: Array> =
- RULES.map((rule) => ({
- attributes: rule,
- id: rule.id,
- type: cspRuleAssetSavedObjectType,
- }));
diff --git a/x-pack/plugins/cloud_security_posture/server/saved_objects/csp_rule_type.ts b/x-pack/plugins/cloud_security_posture/server/saved_objects/csp_rule_type.ts
index 7d40d4f6a1928..a6309f321328f 100644
--- a/x-pack/plugins/cloud_security_posture/server/saved_objects/csp_rule_type.ts
+++ b/x-pack/plugins/cloud_security_posture/server/saved_objects/csp_rule_type.ts
@@ -29,6 +29,12 @@ export const ruleAssetSavedObjectMappings: SavedObjectsType['mapp
},
},
},
+ package_policy_id: {
+ type: 'keyword',
+ },
+ policy_id: {
+ type: 'keyword',
+ },
description: {
type: 'text',
},
diff --git a/x-pack/plugins/cloud_security_posture/server/saved_objects/initialize_rules.ts b/x-pack/plugins/cloud_security_posture/server/saved_objects/initialize_rules.ts
deleted file mode 100644
index 6ec6d572209c5..0000000000000
--- a/x-pack/plugins/cloud_security_posture/server/saved_objects/initialize_rules.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import type { ISavedObjectsRepository } from '@kbn/core/server';
-import { CIS_BENCHMARK_1_4_1_RULES } from './cis_1_4_1/rules';
-import { cspRuleAssetSavedObjectType } from '../../common/schemas/csp_rule';
-
-export const initializeCspRules = async (client: ISavedObjectsRepository) => {
- const existingRules = await client.find({ type: cspRuleAssetSavedObjectType, perPage: 1 });
-
- // TODO: version?
- if (existingRules.total !== 0) return;
-
- try {
- await client.bulkCreate(CIS_BENCHMARK_1_4_1_RULES);
- } catch (e) {
- // TODO: add logger
- // TODO: handle error
- }
-};
diff --git a/x-pack/plugins/observability/public/hooks/use_fetch_rules.ts b/x-pack/plugins/observability/public/hooks/use_fetch_rules.ts
index b241cb3529f89..00cb58e504bdc 100644
--- a/x-pack/plugins/observability/public/hooks/use_fetch_rules.ts
+++ b/x-pack/plugins/observability/public/hooks/use_fetch_rules.ts
@@ -7,19 +7,12 @@
import { useEffect, useState, useCallback } from 'react';
import { isEmpty } from 'lodash';
-import { loadRules, Rule } from '@kbn/triggers-actions-ui-plugin/public';
+import { loadRules } from '@kbn/triggers-actions-ui-plugin/public';
import { RULES_LOAD_ERROR } from '../pages/rules/translations';
-import { FetchRulesProps } from '../pages/rules/types';
+import { FetchRulesProps, RuleState } from '../pages/rules/types';
import { OBSERVABILITY_RULE_TYPES } from '../pages/rules/config';
import { useKibana } from '../utils/kibana_react';
-interface RuleState {
- isLoading: boolean;
- data: Rule[];
- error: string | null;
- totalItemCount: number;
-}
-
export function useFetchRules({
searchText,
ruleLastResponseFilter,
diff --git a/x-pack/plugins/observability/public/observability_public_plugins_start.mock.ts b/x-pack/plugins/observability/public/observability_public_plugins_start.mock.ts
index 4d6d312bcf199..62edefc1b737d 100644
--- a/x-pack/plugins/observability/public/observability_public_plugins_start.mock.ts
+++ b/x-pack/plugins/observability/public/observability_public_plugins_start.mock.ts
@@ -32,12 +32,26 @@ const embeddableStartMock = {
},
};
+const triggersActionsUiStartMock = {
+ createStart() {
+ return {
+ getAddAlertFlyout: jest.fn(),
+ ruleTypeRegistry: {
+ has: jest.fn(),
+ register: jest.fn(),
+ get: jest.fn(),
+ list: jest.fn(),
+ },
+ };
+ },
+};
+
export const observabilityPublicPluginsStartMock = {
createStart() {
return {
cases: casesUiStartMock.createStart(),
embeddable: embeddableStartMock.createStart(),
- triggersActionsUi: null,
+ triggersActionsUi: triggersActionsUiStartMock.createStart(),
data: null,
lens: null,
discover: null,
diff --git a/x-pack/plugins/observability/public/pages/rules/components/prompts/no_data_prompt.tsx b/x-pack/plugins/observability/public/pages/rules/components/prompts/no_data_prompt.tsx
index b9c0e24160004..bacc311357fd7 100644
--- a/x-pack/plugins/observability/public/pages/rules/components/prompts/no_data_prompt.tsx
+++ b/x-pack/plugins/observability/public/pages/rules/components/prompts/no_data_prompt.tsx
@@ -58,7 +58,7 @@ export function NoDataPrompt({
/>
,
-
+
Documentation
,
diff --git a/x-pack/plugins/observability/public/pages/rules/components/prompts/no_permission_prompt.tsx b/x-pack/plugins/observability/public/pages/rules/components/prompts/no_permission_prompt.tsx
index edfe1c6840d8b..7201e0cc45d16 100644
--- a/x-pack/plugins/observability/public/pages/rules/components/prompts/no_permission_prompt.tsx
+++ b/x-pack/plugins/observability/public/pages/rules/components/prompts/no_permission_prompt.tsx
@@ -19,6 +19,7 @@ export function NoPermissionPrompt() {
}}
>
({
+ __esModule: true,
+ useKibana: jest.fn(() => mockUseKibanaReturnValue),
+}));
+
+jest.mock('../../hooks/use_breadcrumbs', () => ({
+ useBreadcrumbs: jest.fn(),
+}));
+
+jest.mock('../../hooks/use_fetch_rules', () => ({
+ useFetchRules: jest.fn(),
+}));
+
+jest.mock('@kbn/triggers-actions-ui-plugin/public', () => ({
+ useLoadRuleTypes: jest.fn(),
+}));
+
+jest.spyOn(pluginContext, 'usePluginContext').mockImplementation(() => ({
+ appMountParameters: {} as AppMountParameters,
+ config: {
+ unsafe: {
+ alertingExperience: { enabled: true },
+ cases: { enabled: true },
+ overviewNext: { enabled: false },
+ rules: { enabled: true },
+ },
+ },
+ observabilityRuleTypeRegistry: createObservabilityRuleTypeRegistryMock(),
+ ObservabilityPageTemplate: KibanaPageTemplate,
+ kibanaFeatures: [],
+}));
+
+const { useFetchRules } = jest.requireMock('../../hooks/use_fetch_rules');
+const { useLoadRuleTypes } = jest.requireMock('@kbn/triggers-actions-ui-plugin/public');
+
+describe('empty RulesPage', () => {
+ let wrapper: ReactWrapper;
+ async function setup() {
+ const rulesState: RuleState = {
+ isLoading: false,
+ data: [],
+ error: null,
+ totalItemCount: 0,
+ };
+
+ useLoadRuleTypes.mockReturnValue({
+ ruleTypes: [
+ {
+ id: 'test_rule_type',
+ name: 'some rule type',
+ actionGroups: [{ id: 'default', name: 'Default' }],
+ recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
+ actionVariables: { context: [], state: [] },
+ defaultActionGroupId: 'default',
+ producer: ALERTS_FEATURE_ID,
+ minimumLicenseRequired: 'basic',
+ enabledInLicense: true,
+ authorizedConsumers: {
+ [ALERTS_FEATURE_ID]: { read: true, all: true },
+ },
+ ruleTaskTimeout: '1m',
+ },
+ ],
+ });
+ useFetchRules.mockReturnValue({ rulesState, noData: true });
+ wrapper = mountWithIntl();
+ }
+ it('renders empty screen', async () => {
+ await setup();
+
+ await act(async () => {
+ await nextTick();
+ wrapper.update();
+ });
+ expect(wrapper.find(RulesTable).exists()).toBe(false);
+ expect(wrapper.find('[data-test-subj="createFirstRuleEmptyPrompt"]').exists()).toBeTruthy();
+ });
+ it('renders Create rule button', async () => {
+ await setup();
+ expect(wrapper.find('EuiButton[data-test-subj="createFirstRuleButton"]')).toHaveLength(1);
+ });
+ it('renders Documentation link', async () => {
+ await setup();
+ expect(wrapper.find('EuiLink[data-test-subj="documentationLink"]')).toHaveLength(1);
+ expect(
+ wrapper.find('EuiLink[data-test-subj="documentationLink"]').getElement().props.href
+ ).toContain('create-alerts.html');
+ });
+});
+
+describe('empty RulesPage with show only capability', () => {
+ let wrapper: ReactWrapper;
+ async function setup() {
+ const rulesState: RuleState = {
+ isLoading: false,
+ data: [],
+ error: null,
+ totalItemCount: 0,
+ };
+ const ruleTypes = [
+ {
+ id: 'test_rule_type',
+ name: 'some rule type',
+ actionGroups: [{ id: 'default', name: 'Default' }],
+ recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
+ actionVariables: { context: [], state: [] },
+ defaultActionGroupId: 'default',
+ producer: ALERTS_FEATURE_ID,
+ minimumLicenseRequired: 'basic',
+ enabledInLicense: true,
+ authorizedConsumers: {
+ [ALERTS_FEATURE_ID]: { read: true, all: false },
+ },
+ ruleTaskTimeout: '1m',
+ },
+ ];
+ useFetchRules.mockReturnValue({ rulesState, noData: true });
+ useLoadRuleTypes.mockReturnValue({ ruleTypes });
+
+ wrapper = mountWithIntl();
+ }
+
+ it('renders no permission screen', async () => {
+ await setup();
+
+ await act(async () => {
+ await nextTick();
+ wrapper.update();
+ });
+
+ expect(wrapper.find('[data-test-subj="noPermissionPrompt"]').exists()).toBeTruthy();
+ });
+
+ it('does not render no data screen', async () => {
+ await setup();
+
+ await act(async () => {
+ await nextTick();
+ wrapper.update();
+ });
+ expect(wrapper.find('[data-test-subj="createFirstRuleEmptyPrompt"]').exists()).toBeFalsy();
+ });
+});
+
+describe('RulesPage with items', () => {
+ let wrapper: ReactWrapper;
+ async function setup() {
+ const mockedRulesData: Rule[] = [
+ {
+ id: '1',
+ name: 'test rule',
+ tags: ['tag1'],
+ enabled: true,
+ ruleTypeId: 'test_rule_type',
+ schedule: { interval: '1s' },
+ actions: [],
+ params: { name: 'test rule type name' },
+ createdBy: null,
+ updatedBy: null,
+ apiKeyOwner: null,
+ throttle: '1m',
+ muteAll: false,
+ mutedInstanceIds: [],
+ createdAt: new Date(),
+ updatedAt: new Date(),
+ consumer: 'alerts',
+ notifyWhen: 'onActiveAlert',
+ executionStatus: {
+ status: 'active',
+ lastDuration: 500,
+ lastExecutionDate: new Date('2020-08-20T19:23:38Z'),
+ },
+ monitoring: {
+ execution: {
+ history: [
+ {
+ success: true,
+ duration: 1000000,
+ timestamp: 1234567,
+ },
+ {
+ success: true,
+ duration: 200000,
+ timestamp: 1234567,
+ },
+ {
+ success: false,
+ duration: 300000,
+ timestamp: 1234567,
+ },
+ ],
+ calculated_metrics: {
+ success_ratio: 0.66,
+ p50: 200000,
+ p95: 300000,
+ p99: 300000,
+ },
+ },
+ },
+ },
+ {
+ id: '2',
+ name: 'test rule ok',
+ tags: ['tag1'],
+ enabled: true,
+ ruleTypeId: 'test_rule_type',
+ schedule: { interval: '5d' },
+ actions: [],
+ params: { name: 'test rule type name' },
+ createdBy: null,
+ updatedBy: null,
+ apiKeyOwner: null,
+ throttle: '1m',
+ muteAll: false,
+ mutedInstanceIds: [],
+ createdAt: new Date(),
+ updatedAt: new Date(),
+ consumer: 'alerts',
+ notifyWhen: 'onActiveAlert',
+ executionStatus: {
+ status: 'ok',
+ lastDuration: 61000,
+ lastExecutionDate: new Date('2020-08-20T19:23:38Z'),
+ error: undefined,
+ },
+ monitoring: {
+ execution: {
+ history: [
+ {
+ success: true,
+ duration: 100000,
+ timestamp: 1234567,
+ },
+ {
+ success: true,
+ duration: 500000,
+ timestamp: 1234567,
+ },
+ ],
+ calculated_metrics: {
+ success_ratio: 1,
+ p50: 0,
+ p95: 100000,
+ p99: 500000,
+ },
+ },
+ },
+ },
+ {
+ id: '3',
+ name: 'test rule pending',
+ tags: ['tag1'],
+ enabled: true,
+ ruleTypeId: 'test_rule_type',
+ schedule: { interval: '5d' },
+ actions: [],
+ params: { name: 'test rule type name' },
+ createdBy: null,
+ updatedBy: null,
+ apiKeyOwner: null,
+ throttle: '1m',
+ muteAll: false,
+ mutedInstanceIds: [],
+ createdAt: new Date(),
+ updatedAt: new Date(),
+ consumer: 'alerts',
+ notifyWhen: 'onActiveAlert',
+ executionStatus: {
+ status: 'pending',
+ lastDuration: 30234,
+ lastExecutionDate: new Date('2020-08-20T19:23:38Z'),
+ },
+ monitoring: {
+ execution: {
+ history: [{ success: false, duration: 100, timestamp: 1234567 }],
+ calculated_metrics: {
+ success_ratio: 0,
+ },
+ },
+ },
+ },
+ ];
+
+ const rulesState: RuleState = {
+ isLoading: false,
+ data: mockedRulesData,
+ error: null,
+ totalItemCount: 3,
+ };
+
+ const mockedRuleTypeIndex = new Map(
+ Object.entries({
+ '1': {
+ enabledInLicense: true,
+ id: '1',
+ name: 'test rule',
+ },
+ '2': {
+ enabledInLicense: true,
+ id: '2',
+ name: 'test rule ok',
+ },
+ '3': {
+ enabledInLicense: true,
+ id: '3',
+ name: 'test rule pending',
+ },
+ })
+ );
+ const ruleTypes = [
+ {
+ id: 'test_rule_type',
+ name: 'some rule type',
+ actionGroups: [{ id: 'default', name: 'Default' }],
+ recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
+ actionVariables: { context: [], state: [] },
+ defaultActionGroupId: 'default',
+ producer: ALERTS_FEATURE_ID,
+ minimumLicenseRequired: 'basic',
+ enabledInLicense: true,
+ authorizedConsumers: {
+ [ALERTS_FEATURE_ID]: { read: true, all: false },
+ },
+ ruleTaskTimeout: '1m',
+ },
+ ];
+ useLoadRuleTypes.mockReturnValue({
+ ruleTypes,
+ ruleTypeIndex: mockedRuleTypeIndex,
+ });
+ useFetchRules.mockReturnValue({ rulesState });
+ wrapper = mountWithIntl();
+ await act(async () => {
+ await nextTick();
+ wrapper.update();
+ });
+ }
+
+ it('renders table of rules', async () => {
+ await setup();
+ expect(wrapper.find(RulesTable).exists()).toBe(true);
+ });
+});
+
+describe('RulesPage with items and show only capability', () => {
+ let wrapper: ReactWrapper;
+ async function setup() {
+ const mockedRulesData: Rule[] = [
+ {
+ id: '1',
+ name: 'test rule',
+ tags: ['tag1'],
+ enabled: true,
+ ruleTypeId: 'test_rule_type',
+ schedule: { interval: '1s' },
+ actions: [],
+ params: { name: 'test rule type name' },
+ createdBy: null,
+ updatedBy: null,
+ apiKeyOwner: null,
+ throttle: '1m',
+ muteAll: false,
+ mutedInstanceIds: [],
+ createdAt: new Date(),
+ updatedAt: new Date(),
+ consumer: 'alerts',
+ notifyWhen: 'onActiveAlert',
+ executionStatus: {
+ status: 'active',
+ lastDuration: 500,
+ lastExecutionDate: new Date('2020-08-20T19:23:38Z'),
+ },
+ monitoring: {
+ execution: {
+ history: [
+ {
+ success: true,
+ duration: 1000000,
+ timestamp: 1234567,
+ },
+ {
+ success: true,
+ duration: 200000,
+ timestamp: 1234567,
+ },
+ {
+ success: false,
+ duration: 300000,
+ timestamp: 1234567,
+ },
+ ],
+ calculated_metrics: {
+ success_ratio: 0.66,
+ p50: 200000,
+ p95: 300000,
+ p99: 300000,
+ },
+ },
+ },
+ },
+ {
+ id: '2',
+ name: 'test rule ok',
+ tags: ['tag1'],
+ enabled: true,
+ ruleTypeId: 'test_rule_type',
+ schedule: { interval: '5d' },
+ actions: [],
+ params: { name: 'test rule type name' },
+ createdBy: null,
+ updatedBy: null,
+ apiKeyOwner: null,
+ throttle: '1m',
+ muteAll: false,
+ mutedInstanceIds: [],
+ createdAt: new Date(),
+ updatedAt: new Date(),
+ consumer: 'alerts',
+ notifyWhen: 'onActiveAlert',
+ executionStatus: {
+ status: 'ok',
+ lastDuration: 61000,
+ lastExecutionDate: new Date('2020-08-20T19:23:38Z'),
+ },
+ monitoring: {
+ execution: {
+ history: [
+ {
+ success: true,
+ duration: 100000,
+ timestamp: 1234567,
+ },
+ {
+ success: true,
+ duration: 500000,
+ timestamp: 1234567,
+ },
+ ],
+ calculated_metrics: {
+ success_ratio: 1,
+ p50: 0,
+ p95: 100000,
+ p99: 500000,
+ },
+ },
+ },
+ },
+ {
+ id: '3',
+ name: 'test rule pending',
+ tags: ['tag1'],
+ enabled: true,
+ ruleTypeId: 'test_rule_type',
+ schedule: { interval: '5d' },
+ actions: [],
+ params: { name: 'test rule type name' },
+ createdBy: null,
+ updatedBy: null,
+ apiKeyOwner: null,
+ throttle: '1m',
+ muteAll: false,
+ mutedInstanceIds: [],
+ createdAt: new Date(),
+ updatedAt: new Date(),
+ consumer: 'alerts',
+ notifyWhen: 'onActiveAlert',
+ executionStatus: {
+ status: 'pending',
+ lastDuration: 30234,
+ lastExecutionDate: new Date('2020-08-20T19:23:38Z'),
+ },
+ monitoring: {
+ execution: {
+ history: [{ success: false, duration: 100, timestamp: 1234567 }],
+ calculated_metrics: {
+ success_ratio: 0,
+ },
+ },
+ },
+ },
+ ];
+ const rulesState: RuleState = {
+ isLoading: false,
+ data: mockedRulesData,
+ error: null,
+ totalItemCount: 3,
+ };
+ useFetchRules.mockReturnValue({ rulesState });
+
+ const mockedRuleTypeIndex = new Map(
+ Object.entries({
+ '1': {
+ enabledInLicense: true,
+ id: '1',
+ name: 'test rule',
+ },
+ '2': {
+ enabledInLicense: true,
+ id: '2',
+ name: 'test rule ok',
+ },
+ '3': {
+ enabledInLicense: true,
+ id: '3',
+ name: 'test rule pending',
+ },
+ })
+ );
+ const ruleTypes = [
+ {
+ id: 'test_rule_type',
+ name: 'some rule type',
+ actionGroups: [{ id: 'default', name: 'Default' }],
+ recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
+ actionVariables: { context: [], state: [] },
+ defaultActionGroupId: 'default',
+ producer: ALERTS_FEATURE_ID,
+ minimumLicenseRequired: 'basic',
+ enabledInLicense: true,
+ authorizedConsumers: {
+ [ALERTS_FEATURE_ID]: { read: true, all: false },
+ },
+ ruleTaskTimeout: '1m',
+ },
+ ];
+ useLoadRuleTypes.mockReturnValue({ ruleTypes, ruleTypeIndex: mockedRuleTypeIndex });
+
+ wrapper = mountWithIntl();
+ }
+
+ it('does not render create rule button', async () => {
+ await setup();
+ expect(wrapper.find('[data-test-subj="createRuleButton"]')).toHaveLength(0);
+ });
+});
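Review bot: The test at `it('does not render create rule button', …)` asserts absence without the `act`/`nextTick`/`wrapper.update()` wait that every other describe block performs after mounting, so it can pass before the page has rendered anything at all; give its setup the same wait, `await act(async () => { await nextTick(); wrapper.update(); });`, before the `toHaveLength(0)` check. The three-rule `mockedRulesData`, the `mockedRuleTypeIndex` and the `ruleTypes` fixture are copied verbatim between the two "with items" describes and could be hoisted to module scope so the cases differ only in what they assert. The `mockedRuleTypeIndex` is keyed by the rule ids '1', '2', '3' while every rule's `ruleTypeId` is 'test_rule_type', which looks like a mismatch if the index is keyed by rule type id — worth confirming against the component. This hunk's content reads as a rules page test rather than the no_permission_prompt.tsx named in its header, so a file header may have been lost in the paste.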
diff --git a/x-pack/plugins/observability/public/pages/rules/types.ts b/x-pack/plugins/observability/public/pages/rules/types.ts
index c3e2d8248e2fe..cbcd97919cddc 100644
--- a/x-pack/plugins/observability/public/pages/rules/types.ts
+++ b/x-pack/plugins/observability/public/pages/rules/types.ts
@@ -85,3 +85,10 @@ export interface RulesTableProps {
onSortChange: (changedSort: EuiTableSortingType['sort']) => void;
isLoading: boolean;
}
+
+export interface RuleState {
+ isLoading: boolean;
+ data: Rule[];
+ error: string | null;
+ totalItemCount: number;
+}
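Review bot: `RuleState` is a new exported interface with no TSDoc, and it is apparently being moved here from use_fetch_rules (the removal at the top of this chunk), so readers of types.ts have nothing to say what `error` holds or how `totalItemCount` relates to `data`. A one-line TSDoc would do, e.g. `/** State of a rules fetch: the current page in `data`, the total across pages, and the last fetch error message (null when the fetch succeeded). */` — the meaning of `error` is inferred from its type and should be confirmed against useFetchRules.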
diff --git a/x-pack/plugins/security_solution/cypress/integration/exceptions/from_alert.spec.ts b/x-pack/plugins/security_solution/cypress/integration/exceptions/from_alert.spec.ts
index 5f6837e3e38d8..9ab4c1559c4cd 100644
--- a/x-pack/plugins/security_solution/cypress/integration/exceptions/from_alert.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/exceptions/from_alert.spec.ts
@@ -17,7 +17,6 @@ import { waitForAlertsToPopulate } from '../../tasks/create_new_rule';
import { esArchiverLoad, esArchiverUnload } from '../../tasks/es_archiver';
import { login, visitWithoutDateRange } from '../../tasks/login';
import {
- enablesRule,
addsException,
goToAlertsTab,
goToExceptionsTab,
@@ -28,20 +27,25 @@ import {
import { DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation';
import { cleanKibana, deleteAlertsAndRules } from '../../tasks/common';
-describe.skip('From alert', () => {
+describe('From alert', () => {
const NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS = '1 alert';
before(() => {
cleanKibana();
login();
});
+
beforeEach(() => {
- esArchiverLoad('auditbeat_for_exceptions');
+ esArchiverLoad('exceptions');
deleteAlertsAndRules();
- createCustomRule({ ...getNewRule(), index: ['exceptions-*'] }, 'rule_testing');
+ createCustomRule(
+ { ...getNewRule(), customQuery: 'agent.name:*', index: ['exceptions*'] },
+ 'rule_testing',
+ '5s',
+ true
+ );
visitWithoutDateRange(DETECTIONS_RULE_MANAGEMENT_URL);
goToRuleDetails();
- enablesRule();
waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();
@@ -50,31 +54,32 @@ describe.skip('From alert', () => {
});
afterEach(() => {
- esArchiverUnload('auditbeat_for_exceptions');
- esArchiverUnload('auditbeat_for_exceptions2');
+ esArchiverUnload('exceptions');
+ esArchiverUnload('exceptions_2');
});
it('Creates an exception and deletes it', () => {
+ // Create an exception from the alerts actions menu that matches
+ // the existing alert
addExceptionFromFirstAlert();
addsException(getException());
- esArchiverLoad('auditbeat_for_exceptions2');
+ // Alerts table should now be empty from having added exception and closed
+ // matching alert
cy.get(EMPTY_ALERT_TABLE).should('exist');
+ // Closed alert should appear in table
goToClosedAlerts();
-
cy.get(ALERTS_COUNT).should('exist');
cy.get(NUMBER_OF_ALERTS).should('have.text', `${NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS}`);
- goToOpenedAlerts();
- waitForTheRuleToBeExecuted();
-
- cy.get(EMPTY_ALERT_TABLE).should('exist');
-
+ // Remove the exception and load an event that would have matched that exception
+ // to show that said exception now starts to show up again
goToExceptionsTab();
removeException();
- esArchiverLoad('auditbeat_for_exceptions2');
+ esArchiverLoad('exceptions_2');
goToAlertsTab();
+ goToOpenedAlerts();
waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();
diff --git a/x-pack/plugins/security_solution/cypress/integration/exceptions/from_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/exceptions/from_rule.spec.ts
index 144e276735620..5e8c542b369a6 100644
--- a/x-pack/plugins/security_solution/cypress/integration/exceptions/from_rule.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/exceptions/from_rule.spec.ts
@@ -17,7 +17,6 @@ import { waitForAlertsToPopulate } from '../../tasks/create_new_rule';
import { esArchiverLoad, esArchiverUnload } from '../../tasks/es_archiver';
import { login, visitWithoutDateRange } from '../../tasks/login';
import {
- enablesRule,
addsExceptionFromRuleSettings,
goToAlertsTab,
goToExceptionsTab,
@@ -28,7 +27,7 @@ import {
import { DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation';
import { cleanKibana, deleteAlertsAndRules } from '../../tasks/common';
-describe.skip('From rule', () => {
+describe('From rule', () => {
const NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS = '1';
before(() => {
cleanKibana();
@@ -36,12 +35,16 @@ describe.skip('From rule', () => {
});
beforeEach(() => {
- esArchiverLoad('auditbeat_for_exceptions');
+ esArchiverLoad('exceptions');
deleteAlertsAndRules();
- createCustomRule({ ...getNewRule(), index: ['exceptions-*'] }, 'rule_testing');
+ createCustomRule(
+ { ...getNewRule(), customQuery: 'agent.name:*', index: ['exceptions*'] },
+ 'rule_testing',
+ '5s',
+ true
+ );
visitWithoutDateRange(DETECTIONS_RULE_MANAGEMENT_URL);
goToRuleDetails();
- enablesRule();
waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();
@@ -50,33 +53,33 @@ describe.skip('From rule', () => {
});
afterEach(() => {
- esArchiverUnload('auditbeat_for_exceptions');
- esArchiverUnload('auditbeat_for_exceptions2');
+ esArchiverUnload('exceptions');
+ esArchiverUnload('exceptions_2');
});
it('Creates an exception and deletes it', () => {
+ // Create an exception from the exception tab that matches
+ // the existing alert
goToExceptionsTab();
addsExceptionFromRuleSettings(getException());
- esArchiverLoad('auditbeat_for_exceptions2');
- waitForTheRuleToBeExecuted();
- goToAlertsTab();
+ // Alerts table should now be empty from having added exception and closed
+ // matching alert
+ goToAlertsTab();
cy.get(EMPTY_ALERT_TABLE).should('exist');
+ // Closed alert should appear in table
goToClosedAlerts();
-
cy.get(ALERTS_COUNT).should('exist');
cy.get(NUMBER_OF_ALERTS).should('have.text', `${NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS} alert`);
- goToOpenedAlerts();
- waitForTheRuleToBeExecuted();
-
- cy.get(EMPTY_ALERT_TABLE).should('exist');
-
+ // Remove the exception and load an event that would have matched that exception
+ // to show that said exception now starts to show up again
goToExceptionsTab();
removeException();
- esArchiverLoad('auditbeat_for_exceptions2');
+ esArchiverLoad('exceptions_2');
goToAlertsTab();
+ goToOpenedAlerts();
waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();
diff --git a/x-pack/plugins/security_solution/cypress/objects/exception.ts b/x-pack/plugins/security_solution/cypress/objects/exception.ts
index 637adc9fc0134..8427d828b6eea 100644
--- a/x-pack/plugins/security_solution/cypress/objects/exception.ts
+++ b/x-pack/plugins/security_solution/cypress/objects/exception.ts
@@ -43,9 +43,9 @@ export const getExceptionList = (): ExceptionList => ({
});
export const getException = (): Exception => ({
- field: 'host.name',
+ field: 'agent.name',
operator: 'is',
- values: ['suricata-iowa'],
+ values: ['foo'],
});
export const expectedExportedExceptionList = (
diff --git a/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts b/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts
index 405c118140395..ab58d60044a21 100644
--- a/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts
+++ b/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts
@@ -7,7 +7,12 @@
import { CustomRule, ThreatIndicatorRule } from '../../objects/rule';
-export const createCustomRule = (rule: CustomRule, ruleId = 'rule_testing', interval = '100m') =>
+export const createCustomRule = (
+ rule: CustomRule,
+ ruleId = 'rule_testing',
+ interval = '100m',
+ enabled = false
+) =>
cy.request({
method: 'POST',
url: 'api/detection_engine/rules',
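Review bot: The new `enabled` parameter is a fourth positional boolean, so call sites now read `createCustomRule(rule, 'rule_testing', '5s', true)` with nothing indicating what `true` means; at minimum a TSDoc on the helper would make it discoverable, e.g. a comment stating that `interval` is the rule schedule and that `enabled` creates the rule already enabled so a test need not toggle it from the UI. Keeping the default at `false` preserves every existing caller, which is right. The body of createCustomRule continues past this hunk; the place where `enabled` is sent is in the next hunk.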
@@ -23,7 +28,7 @@ export const createCustomRule = (rule: CustomRule, ruleId = 'rule_testing', inte
index: rule.index,
query: rule.customQuery,
language: 'kuery',
- enabled: false,
+ enabled,
exceptions_list: rule.exceptionLists ?? [],
},
headers: { 'kbn-xsrf': 'cypress-creds' },
diff --git a/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts b/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts
index 35def6967485c..267988462cfb8 100644
--- a/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts
+++ b/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts
@@ -70,12 +70,7 @@ export const openExceptionFlyoutFromRuleSettings = () => {
};
export const addsExceptionFromRuleSettings = (exception: Exception) => {
- cy.get(ADD_EXCEPTIONS_BTN).click();
- cy.get(LOADING_SPINNER).should('exist');
- cy.get(LOADING_SPINNER).should('not.exist');
- cy.get(LOADING_SPINNER).should('exist');
- cy.get(LOADING_SPINNER).should('not.exist');
- cy.get(FIELD_INPUT).should('be.visible');
+ openExceptionFlyoutFromRuleSettings();
cy.get(FIELD_INPUT).type(`${exception.field}{enter}`);
cy.get(OPERATOR_INPUT).type(`${exception.operator}{enter}`);
exception.values.forEach((value) => {
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_flyout/index.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_flyout/index.tsx
index 83446fd564eff..0e063a05bab0c 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_flyout/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_flyout/index.tsx
@@ -167,35 +167,6 @@ export const AddExceptionFlyout = memo(function AddExceptionFlyout({
}, [jobs, ruleIndices]);
const [isIndexPatternLoading, { indexPatterns }] = useFetchIndex(memoRuleIndices);
- const onError = useCallback(
- (error: Error): void => {
- addError(error, { title: i18n.ADD_EXCEPTION_ERROR });
- onCancel();
- },
- [addError, onCancel]
- );
-
- const onSuccess = useCallback(
- (updated: number, conflicts: number): void => {
- addSuccess(i18n.ADD_EXCEPTION_SUCCESS);
- onConfirm(shouldCloseAlert, shouldBulkCloseAlert);
- if (conflicts > 0) {
- addWarning({
- title: i18nCommon.UPDATE_ALERT_STATUS_FAILED(conflicts),
- text: i18nCommon.UPDATE_ALERT_STATUS_FAILED_DETAILED(updated, conflicts),
- });
- }
- },
- [addSuccess, addWarning, onConfirm, shouldBulkCloseAlert, shouldCloseAlert]
- );
-
- const [{ isLoading: addExceptionIsLoading }, addOrUpdateExceptionItems] = useAddOrUpdateException(
- {
- http,
- onSuccess,
- onError,
- }
- );
const handleBuilderOnChange = useCallback(
({
@@ -237,6 +208,37 @@ export const AddExceptionFlyout = memo(function AddExceptionFlyout({
[addError, onCancel]
);
+ const onError = useCallback(
+ (error: Error): void => {
+ addError(error, { title: i18n.ADD_EXCEPTION_ERROR });
+ onCancel();
+ },
+ [addError, onCancel]
+ );
+
+ const onSuccess = useCallback(
+ (updated: number, conflicts: number): void => {
+ handleRuleChange(true);
+ addSuccess(i18n.ADD_EXCEPTION_SUCCESS);
+ onConfirm(shouldCloseAlert, shouldBulkCloseAlert);
+ if (conflicts > 0) {
+ addWarning({
+ title: i18nCommon.UPDATE_ALERT_STATUS_FAILED(conflicts),
+ text: i18nCommon.UPDATE_ALERT_STATUS_FAILED_DETAILED(updated, conflicts),
+ });
+ }
+ },
+ [addSuccess, addWarning, onConfirm, shouldBulkCloseAlert, shouldCloseAlert, handleRuleChange]
+ );
+
+ const [{ isLoading: addExceptionIsLoading }, addOrUpdateExceptionItems] = useAddOrUpdateException(
+ {
+ http,
+ onSuccess,
+ onError,
+ }
+ );
+
const handleFetchOrCreateExceptionListError = useCallback(
(error: Error, statusCode: number | null, message: string | null): void => {
setFetchOrCreateListError({
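Review bot: `handleRuleChange(true)` is now called unconditionally at the top of `onSuccess`, before the success toast, and nothing says why adding exception items should count as a rule change; a why-comment would prevent it being "cleaned up" later, e.g. `// Adding items changes the rule's effective exception coverage, so ask the parent to refetch the rule`. I cannot see handleRuleChange's definition, which sits outside this hunk, so the wording is an assumption to confirm. Apart from that call and the dependency array, the moved block is byte-identical to the one removed in the previous hunk. The enclosing AddExceptionFlyout component starts and ends outside the hunk.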
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/use_fetch_or_create_rule_exception_list.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/use_fetch_or_create_rule_exception_list.test.tsx
index dee56966ccc20..9ddc6dbae31de 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/use_fetch_or_create_rule_exception_list.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/use_fetch_or_create_rule_exception_list.test.tsx
@@ -175,13 +175,13 @@ describe('useFetchOrCreateRuleExceptionList', () => {
expect(patchRule).toHaveBeenCalledTimes(1);
});
});
- it('invokes onSuccess indicating that the rule changed', async () => {
+ it('invokes onSuccess', async () => {
await act(async () => {
const { waitForNextUpdate } = render();
await waitForNextUpdate();
await waitForNextUpdate();
await waitForNextUpdate();
- expect(onSuccess).toHaveBeenCalledWith(true);
+ expect(onSuccess).toHaveBeenCalledWith(false);
});
});
});
@@ -223,7 +223,7 @@ describe('useFetchOrCreateRuleExceptionList', () => {
expect(result.current[1]).toEqual(detectionExceptionList);
});
});
- it('invokes onSuccess indicating that the rule did not change', async () => {
+ it('invokes onSuccess indicating', async () => {
await act(async () => {
const { waitForNextUpdate } = render();
await waitForNextUpdate();
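Review bot: The renamed test `it('invokes onSuccess indicating', …)` is a truncated sentence and no longer says what it asserts, and the first rename, `it('invokes onSuccess', …)`, drops the scenario as well; since both cases apparently now expect `false`, name each by its scenario, e.g. `it('invokes onSuccess with false even when a new list was created', …)` for the first and `it('invokes onSuccess with false when the list already exists', …)` for the second. The second case's assertion lies past the hunk, so its expected value is inferred from the hook change in this commit.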
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/use_fetch_or_create_rule_exception_list.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/use_fetch_or_create_rule_exception_list.tsx
index 3aef525e26ad6..24d647bdae10b 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/use_fetch_or_create_rule_exception_list.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/use_fetch_or_create_rule_exception_list.tsx
@@ -173,7 +173,7 @@ export const useFetchOrCreateRuleExceptionList = ({
setExceptionList(exceptionListToUse);
setIsLoading(false);
if (onSuccess) {
- onSuccess(matchingList == null);
+ onSuccess(false);
}
}
} catch (error) {
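Review bot: `onSuccess(false)` passes a constant, which leaves the callback's boolean argument dead: the removed `matchingList == null` told callers whether a list had just been created (and, judging by the sibling test's `expect(patchRule).toHaveBeenCalledTimes(1)`, the rule patched), and now nothing on the hook's side can ever report that. If the rule-changed signal is now raised elsewhere, a comment here would stop the next reader from reinstating it, e.g. `// Creating the list patches the rule, but callers refresh the rule themselves after adding items, so never report a rule change here`; otherwise the parameter should be dropped from the onSuccess type. useFetchOrCreateRuleExceptionList starts outside the hunk.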
diff --git a/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions/data.json.gz b/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions/data.json.gz
deleted file mode 100644
index 4139fd9d28f46..0000000000000
Binary files a/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions/data.json.gz and /dev/null differ
diff --git a/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions/mappings.json b/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions/mappings.json
deleted file mode 100644
index 4e5c6e9955310..0000000000000
--- a/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions/mappings.json
+++ /dev/null
@@ -1,3577 +0,0 @@
-{
- "type": "index",
- "value": {
- "aliases": {
- "exceptions-8.0.0": {
- "is_write_index": false
- },
- "beats": {
- },
- "siem-read-alias": {
- }
- },
- "index": "exceptions-8.0.0-2019.08.30-000021",
- "mappings": {
- "_meta": {
- "beat": "auditbeat",
- "version": "8.0.0"
- },
- "date_detection": false,
- "dynamic_templates": [
- {
- "labels": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "labels.*"
- }
- },
- {
- "container.labels": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "container.labels.*"
- }
- },
- {
- "fields": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "fields.*"
- }
- },
- {
- "docker.container.labels": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "docker.container.labels.*"
- }
- },
- {
- "strings_as_keyword": {
- "mapping": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "match_mapping_type": "string"
- }
- }
- ],
- "properties": {
- "@timestamp": {
- "type": "date"
- },
- "agent": {
- "properties": {
- "ephemeral_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "auditd": {
- "properties": {
- "data": {
- "properties": {
- "a0": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "a1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "a2": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "a3": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "a[0-3]": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "acct": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "acl": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "added": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "addr": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "apparmor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "arch": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "argc": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "audit_backlog_limit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "audit_backlog_wait_time": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "audit_enabled": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "audit_failure": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "banners": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bool": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bus": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fver": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_pe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_pi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_pp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "capability": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cgroup": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "changed": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cipher": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "class": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cmd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "compat": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "daddr": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "data": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "default-context": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "device": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dir": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "direction": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dmac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dport": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "enforcing": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "entries": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "exit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fam": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "feature": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "file": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "flags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "format": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fver": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "grantors": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "grp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hook": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "icmp_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "igid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "img-ctx": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "info": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "inif": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ino": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "inode_gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "inode_uid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "invalid_context": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ioctlcmd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ipid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ipx-net": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "items": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "iuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kind": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ksize": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "laddr": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "len": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "list": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "lport": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "macproto": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "maj": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "major": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "minor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "model": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "msg": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nargs": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "net": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-chardev": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-disk": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-enabled": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-fs": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-log_passwd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-mem": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-net": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-range": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-rng": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-role": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-seuser": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-vcpu": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_lock": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_pe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_pi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_pp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nlnk-fam": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nlnk-grp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nlnk-pid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oauid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_uid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ocomm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oflag": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-auid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-chardev": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-disk": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-enabled": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-fs": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-log_passwd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-mem": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-net": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-range": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-rng": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-role": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-ses": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-seuser": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-vcpu": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_enforcing": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_lock": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_pa": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_pe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_pi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_pp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_prom": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_val": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "op": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "operation": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "opid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oses": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "outif": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pa": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "parent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "per": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "perm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "perm_mask": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "permissive": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pfs": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "printer": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "profile": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "prom": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "proto": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "qbytes": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "range": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reason": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "removed": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "res": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "resrc": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rport": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sauid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "scontext": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "selected-context": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seperm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seperms": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seqno": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seresult": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ses": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seuser": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sig": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sigev_signo": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "smac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "socket": {
- "properties": {
- "addr": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "saddr": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "spid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sport": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subj": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "success": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "syscall": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "table": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tclass": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tcontext": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "terminal": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tty": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "unit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uri": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "val": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ver": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "virt": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vm-ctx": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vm-pid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "watch": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "message_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "paths": {
- "properties": {
- "cap_fe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fver": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dev": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "inode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "item": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nametype": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_role": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_user": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "objtype": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ogid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ouid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rdev": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "result": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sequence": {
- "type": "long"
- },
- "session": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "summary": {
- "properties": {
- "actor": {
- "properties": {
- "primary": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "secondary": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "how": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "object": {
- "properties": {
- "primary": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "secondary": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- }
- }
- },
- "client": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packets": {
- "type": "long"
- },
- "port": {
- "type": "long"
- },
- "user": {
- "properties": {
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "cloud": {
- "properties": {
- "account": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "availability_zone": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "instance": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "machine": {
- "properties": {
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "project": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "provider": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "container": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "image": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tag": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "labels": {
- "type": "object"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "runtime": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "destination": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packets": {
- "type": "long"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "type": "long"
- },
- "user": {
- "properties": {
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "docker": {
- "properties": {
- "container": {
- "properties": {
- "labels": {
- "type": "object"
- }
- }
- }
- }
- },
- "ecs": {
- "properties": {
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "error": {
- "properties": {
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "message": {
- "norms": false,
- "type": "text"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "event": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "created": {
- "type": "date"
- },
- "dataset": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "duration": {
- "type": "long"
- },
- "end": {
- "type": "date"
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kind": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "module": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "origin": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "outcome": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "risk_score": {
- "type": "float"
- },
- "risk_score_norm": {
- "type": "float"
- },
- "severity": {
- "type": "long"
- },
- "start": {
- "type": "date"
- },
- "timezone": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "fields": {
- "type": "object"
- },
- "file": {
- "properties": {
- "ctime": {
- "type": "date"
- },
- "device": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "extension": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "inode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mtime": {
- "type": "date"
- },
- "origin": {
- "fields": {
- "raw": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "owner": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "selinux": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "role": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "setgid": {
- "type": "boolean"
- },
- "setuid": {
- "type": "boolean"
- },
- "size": {
- "type": "long"
- },
- "target_path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "flow": {
- "properties": {
- "complete": {
- "type": "boolean"
- },
- "final": {
- "type": "boolean"
- }
- }
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "geoip": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "properties": {
- "blake2b_256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "blake2b_384": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "blake2b_512": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "md5": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha224": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha384": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha3_224": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha3_256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha3_384": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha3_512": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha512": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha512_224": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha512_256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "xxh64": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "host": {
- "properties": {
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "containerized": {
- "type": "boolean"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "build": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "codename": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "properties": {
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "http": {
- "properties": {
- "request": {
- "properties": {
- "body": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "content": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "bytes": {
- "type": "long"
- },
- "method": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "referrer": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "response": {
- "properties": {
- "body": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "content": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "bytes": {
- "type": "long"
- },
- "status_code": {
- "type": "long"
- }
- }
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "jolokia": {
- "properties": {
- "agent": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "secured": {
- "type": "boolean"
- },
- "server": {
- "properties": {
- "product": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vendor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "url": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "kubernetes": {
- "properties": {
- "annotations": {
- "type": "object"
- },
- "container": {
- "properties": {
- "image": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "deployment": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "labels": {
- "type": "object"
- },
- "namespace": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "node": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "pod": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "replicaset": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "statefulset": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "labels": {
- "type": "object"
- },
- "log": {
- "properties": {
- "level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "message": {
- "norms": false,
- "type": "text"
- },
- "network": {
- "properties": {
- "application": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes": {
- "type": "long"
- },
- "community_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "direction": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "forwarded_ip": {
- "type": "ip"
- },
- "iana_number": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packets": {
- "type": "long"
- },
- "protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "transport": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "observer": {
- "properties": {
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "serial_number": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vendor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "organization": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "os": {
- "properties": {
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "process": {
- "properties": {
- "args": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "created": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "entity_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "executable": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hash": {
- "properties": {
- "sha1": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pid": {
- "type": "long"
- },
- "ppid": {
- "type": "long"
- },
- "start": {
- "type": "date"
- },
- "thread": {
- "properties": {
- "id": {
- "type": "long"
- }
- }
- },
- "title": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "working_directory": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "related": {
- "properties": {
- "ip": {
- "type": "ip"
- }
- }
- },
- "server": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packets": {
- "type": "long"
- },
- "port": {
- "type": "long"
- },
- "user": {
- "properties": {
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "service": {
- "properties": {
- "ephemeral_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "socket": {
- "properties": {
- "entity_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "source": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packets": {
- "type": "long"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "type": "long"
- },
- "user": {
- "properties": {
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "system": {
- "properties": {
- "audit": {
- "properties": {
- "host": {
- "properties": {
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "boottime": {
- "type": "date"
- },
- "containerized": {
- "type": "boolean"
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "codename": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "timezone": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "offset": {
- "properties": {
- "sec": {
- "type": "long"
- }
- }
- }
- }
- },
- "uptime": {
- "type": "long"
- }
- }
- },
- "newsocket": {
- "properties": {
- "egid": {
- "type": "long"
- },
- "euid": {
- "type": "long"
- },
- "gid": {
- "type": "long"
- },
- "internal_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel_sock_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "type": "long"
- }
- }
- },
- "package": {
- "properties": {
- "arch": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "entity_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "installtime": {
- "type": "date"
- },
- "license": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "release": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "size": {
- "type": "long"
- },
- "summary": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "url": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "socket": {
- "properties": {
- "egid": {
- "type": "long"
- },
- "euid": {
- "type": "long"
- },
- "gid": {
- "type": "long"
- },
- "internal_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel_sock_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "type": "long"
- }
- }
- },
- "user": {
- "properties": {
- "dir": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "password": {
- "properties": {
- "last_changed": {
- "type": "date"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "shell": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user_information": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- }
- }
- },
- "tags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "url": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fragment": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "password": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "type": "long"
- },
- "query": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "scheme": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "username": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "user": {
- "properties": {
- "audit": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "effective": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "entity_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "filesystem": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name_map": {
- "type": "object"
- },
- "saved": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "selinux": {
- "properties": {
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "role": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "terminal": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "user_agent": {
- "properties": {
- "device": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "settings": {
- "index": {
- "lifecycle": {
- "indexing_complete": "true",
- "name": "auditbeat-8.0.0",
- "rollover_alias": "auditbeat-8.0.0"
- },
- "mapping": {
- "total_fields": {
- "limit": "10000"
- }
- },
- "number_of_replicas": "0",
- "number_of_shards": "1",
- "query": {
- "default_field": [
- "message",
- "tags",
- "agent.ephemeral_id",
- "agent.id",
- "agent.name",
- "agent.type",
- "agent.version",
- "client.address",
- "client.domain",
- "client.geo.city_name",
- "client.geo.continent_name",
- "client.geo.country_iso_code",
- "client.geo.country_name",
- "client.geo.name",
- "client.geo.region_iso_code",
- "client.geo.region_name",
- "client.mac",
- "client.user.email",
- "client.user.full_name",
- "client.user.group.id",
- "client.user.group.name",
- "client.user.hash",
- "client.user.id",
- "client.user.name",
- "cloud.account.id",
- "cloud.availability_zone",
- "cloud.instance.id",
- "cloud.instance.name",
- "cloud.machine.type",
- "cloud.provider",
- "cloud.region",
- "container.id",
- "container.image.name",
- "container.image.tag",
- "container.name",
- "container.runtime",
- "destination.address",
- "destination.domain",
- "destination.geo.city_name",
- "destination.geo.continent_name",
- "destination.geo.country_iso_code",
- "destination.geo.country_name",
- "destination.geo.name",
- "destination.geo.region_iso_code",
- "destination.geo.region_name",
- "destination.mac",
- "destination.user.email",
- "destination.user.full_name",
- "destination.user.group.id",
- "destination.user.group.name",
- "destination.user.hash",
- "destination.user.id",
- "destination.user.name",
- "ecs.version",
- "error.code",
- "error.id",
- "error.message",
- "event.action",
- "event.category",
- "event.dataset",
- "event.hash",
- "event.id",
- "event.kind",
- "event.module",
- "event.original",
- "event.outcome",
- "event.timezone",
- "event.type",
- "file.device",
- "file.extension",
- "file.gid",
- "file.group",
- "file.inode",
- "file.mode",
- "file.owner",
- "file.path",
- "file.target_path",
- "file.type",
- "file.uid",
- "geo.city_name",
- "geo.continent_name",
- "geo.country_iso_code",
- "geo.country_name",
- "geo.name",
- "geo.region_iso_code",
- "geo.region_name",
- "group.id",
- "group.name",
- "host.architecture",
- "host.geo.city_name",
- "host.geo.continent_name",
- "host.geo.country_iso_code",
- "host.geo.country_name",
- "host.geo.name",
- "host.geo.region_iso_code",
- "host.geo.region_name",
- "host.hostname",
- "host.id",
- "host.mac",
- "host.name",
- "host.os.family",
- "host.os.full",
- "host.os.kernel",
- "host.os.name",
- "host.os.platform",
- "host.os.version",
- "host.type",
- "host.user.email",
- "host.user.full_name",
- "host.user.group.id",
- "host.user.group.name",
- "host.user.hash",
- "host.user.id",
- "host.user.name",
- "http.request.body.content",
- "http.request.method",
- "http.request.referrer",
- "http.response.body.content",
- "http.version",
- "log.level",
- "log.original",
- "network.application",
- "network.community_id",
- "network.direction",
- "network.iana_number",
- "network.name",
- "network.protocol",
- "network.transport",
- "network.type",
- "observer.geo.city_name",
- "observer.geo.continent_name",
- "observer.geo.country_iso_code",
- "observer.geo.country_name",
- "observer.geo.name",
- "observer.geo.region_iso_code",
- "observer.geo.region_name",
- "observer.hostname",
- "observer.mac",
- "observer.os.family",
- "observer.os.full",
- "observer.os.kernel",
- "observer.os.name",
- "observer.os.platform",
- "observer.os.version",
- "observer.serial_number",
- "observer.type",
- "observer.vendor",
- "observer.version",
- "organization.id",
- "organization.name",
- "os.family",
- "os.full",
- "os.kernel",
- "os.name",
- "os.platform",
- "os.version",
- "process.args",
- "process.executable",
- "process.name",
- "process.title",
- "process.working_directory",
- "server.address",
- "server.domain",
- "server.geo.city_name",
- "server.geo.continent_name",
- "server.geo.country_iso_code",
- "server.geo.country_name",
- "server.geo.name",
- "server.geo.region_iso_code",
- "server.geo.region_name",
- "server.mac",
- "server.user.email",
- "server.user.full_name",
- "server.user.group.id",
- "server.user.group.name",
- "server.user.hash",
- "server.user.id",
- "server.user.name",
- "service.ephemeral_id",
- "service.id",
- "service.name",
- "service.state",
- "service.type",
- "service.version",
- "source.address",
- "source.domain",
- "source.geo.city_name",
- "source.geo.continent_name",
- "source.geo.country_iso_code",
- "source.geo.country_name",
- "source.geo.name",
- "source.geo.region_iso_code",
- "source.geo.region_name",
- "source.mac",
- "source.user.email",
- "source.user.full_name",
- "source.user.group.id",
- "source.user.group.name",
- "source.user.hash",
- "source.user.id",
- "source.user.name",
- "url.domain",
- "url.fragment",
- "url.full",
- "url.original",
- "url.password",
- "url.path",
- "url.query",
- "url.scheme",
- "url.username",
- "user.email",
- "user.full_name",
- "user.group.id",
- "user.group.name",
- "user.hash",
- "user.id",
- "user.name",
- "user_agent.device.name",
- "user_agent.name",
- "user_agent.original",
- "user_agent.os.family",
- "user_agent.os.full",
- "user_agent.os.kernel",
- "user_agent.os.name",
- "user_agent.os.platform",
- "user_agent.os.version",
- "user_agent.version",
- "agent.hostname",
- "error.type",
- "cloud.project.id",
- "host.os.build",
- "kubernetes.pod.name",
- "kubernetes.pod.uid",
- "kubernetes.namespace",
- "kubernetes.node.name",
- "kubernetes.replicaset.name",
- "kubernetes.deployment.name",
- "kubernetes.statefulset.name",
- "kubernetes.container.name",
- "kubernetes.container.image",
- "jolokia.agent.version",
- "jolokia.agent.id",
- "jolokia.server.product",
- "jolokia.server.version",
- "jolokia.server.vendor",
- "jolokia.url",
- "raw",
- "file.origin",
- "file.selinux.user",
- "file.selinux.role",
- "file.selinux.domain",
- "file.selinux.level",
- "user.audit.id",
- "user.audit.name",
- "user.effective.id",
- "user.effective.name",
- "user.effective.group.id",
- "user.effective.group.name",
- "user.filesystem.id",
- "user.filesystem.name",
- "user.filesystem.group.id",
- "user.filesystem.group.name",
- "user.saved.id",
- "user.saved.name",
- "user.saved.group.id",
- "user.saved.group.name",
- "user.selinux.user",
- "user.selinux.role",
- "user.selinux.domain",
- "user.selinux.level",
- "user.selinux.category",
- "source.path",
- "destination.path",
- "auditd.message_type",
- "auditd.session",
- "auditd.result",
- "auditd.summary.actor.primary",
- "auditd.summary.actor.secondary",
- "auditd.summary.object.type",
- "auditd.summary.object.primary",
- "auditd.summary.object.secondary",
- "auditd.summary.how",
- "auditd.paths.inode",
- "auditd.paths.dev",
- "auditd.paths.obj_user",
- "auditd.paths.obj_role",
- "auditd.paths.obj_domain",
- "auditd.paths.obj_level",
- "auditd.paths.objtype",
- "auditd.paths.ouid",
- "auditd.paths.rdev",
- "auditd.paths.nametype",
- "auditd.paths.ogid",
- "auditd.paths.item",
- "auditd.paths.mode",
- "auditd.paths.name",
- "auditd.data.action",
- "auditd.data.minor",
- "auditd.data.acct",
- "auditd.data.addr",
- "auditd.data.cipher",
- "auditd.data.id",
- "auditd.data.entries",
- "auditd.data.kind",
- "auditd.data.ksize",
- "auditd.data.spid",
- "auditd.data.arch",
- "auditd.data.argc",
- "auditd.data.major",
- "auditd.data.unit",
- "auditd.data.table",
- "auditd.data.terminal",
- "auditd.data.grantors",
- "auditd.data.direction",
- "auditd.data.op",
- "auditd.data.tty",
- "auditd.data.syscall",
- "auditd.data.data",
- "auditd.data.family",
- "auditd.data.mac",
- "auditd.data.pfs",
- "auditd.data.items",
- "auditd.data.a0",
- "auditd.data.a1",
- "auditd.data.a2",
- "auditd.data.a3",
- "auditd.data.hostname",
- "auditd.data.lport",
- "auditd.data.rport",
- "auditd.data.exit",
- "auditd.data.fp",
- "auditd.data.laddr",
- "auditd.data.sport",
- "auditd.data.capability",
- "auditd.data.nargs",
- "auditd.data.new-enabled",
- "auditd.data.audit_backlog_limit",
- "auditd.data.dir",
- "auditd.data.cap_pe",
- "auditd.data.model",
- "auditd.data.new_pp",
- "auditd.data.old-enabled",
- "auditd.data.oauid",
- "auditd.data.old",
- "auditd.data.banners",
- "auditd.data.feature",
- "auditd.data.vm-ctx",
- "auditd.data.opid",
- "auditd.data.seperms",
- "auditd.data.seresult",
- "auditd.data.new-rng",
- "auditd.data.old-net",
- "auditd.data.sigev_signo",
- "auditd.data.ino",
- "auditd.data.old_enforcing",
- "auditd.data.old-vcpu",
- "auditd.data.range",
- "auditd.data.res",
- "auditd.data.added",
- "auditd.data.fam",
- "auditd.data.nlnk-pid",
- "auditd.data.subj",
- "auditd.data.a[0-3]",
- "auditd.data.cgroup",
- "auditd.data.kernel",
- "auditd.data.ocomm",
- "auditd.data.new-net",
- "auditd.data.permissive",
- "auditd.data.class",
- "auditd.data.compat",
- "auditd.data.fi",
- "auditd.data.changed",
- "auditd.data.msg",
- "auditd.data.dport",
- "auditd.data.new-seuser",
- "auditd.data.invalid_context",
- "auditd.data.dmac",
- "auditd.data.ipx-net",
- "auditd.data.iuid",
- "auditd.data.macproto",
- "auditd.data.obj",
- "auditd.data.ipid",
- "auditd.data.new-fs",
- "auditd.data.vm-pid",
- "auditd.data.cap_pi",
- "auditd.data.old-auid",
- "auditd.data.oses",
- "auditd.data.fd",
- "auditd.data.igid",
- "auditd.data.new-disk",
- "auditd.data.parent",
- "auditd.data.len",
- "auditd.data.oflag",
- "auditd.data.uuid",
- "auditd.data.code",
- "auditd.data.nlnk-grp",
- "auditd.data.cap_fp",
- "auditd.data.new-mem",
- "auditd.data.seperm",
- "auditd.data.enforcing",
- "auditd.data.new-chardev",
- "auditd.data.old-rng",
- "auditd.data.outif",
- "auditd.data.cmd",
- "auditd.data.hook",
- "auditd.data.new-level",
- "auditd.data.sauid",
- "auditd.data.sig",
- "auditd.data.audit_backlog_wait_time",
- "auditd.data.printer",
- "auditd.data.old-mem",
- "auditd.data.perm",
- "auditd.data.old_pi",
- "auditd.data.state",
- "auditd.data.format",
- "auditd.data.new_gid",
- "auditd.data.tcontext",
- "auditd.data.maj",
- "auditd.data.watch",
- "auditd.data.device",
- "auditd.data.grp",
- "auditd.data.bool",
- "auditd.data.icmp_type",
- "auditd.data.new_lock",
- "auditd.data.old_prom",
- "auditd.data.acl",
- "auditd.data.ip",
- "auditd.data.new_pi",
- "auditd.data.default-context",
- "auditd.data.inode_gid",
- "auditd.data.new-log_passwd",
- "auditd.data.new_pe",
- "auditd.data.selected-context",
- "auditd.data.cap_fver",
- "auditd.data.file",
- "auditd.data.net",
- "auditd.data.virt",
- "auditd.data.cap_pp",
- "auditd.data.old-range",
- "auditd.data.resrc",
- "auditd.data.new-range",
- "auditd.data.obj_gid",
- "auditd.data.proto",
- "auditd.data.old-disk",
- "auditd.data.audit_failure",
- "auditd.data.inif",
- "auditd.data.vm",
- "auditd.data.flags",
- "auditd.data.nlnk-fam",
- "auditd.data.old-fs",
- "auditd.data.old-ses",
- "auditd.data.seqno",
- "auditd.data.fver",
- "auditd.data.qbytes",
- "auditd.data.seuser",
- "auditd.data.cap_fe",
- "auditd.data.new-vcpu",
- "auditd.data.old-level",
- "auditd.data.old_pp",
- "auditd.data.daddr",
- "auditd.data.old-role",
- "auditd.data.ioctlcmd",
- "auditd.data.smac",
- "auditd.data.apparmor",
- "auditd.data.fe",
- "auditd.data.perm_mask",
- "auditd.data.ses",
- "auditd.data.cap_fi",
- "auditd.data.obj_uid",
- "auditd.data.reason",
- "auditd.data.list",
- "auditd.data.old_lock",
- "auditd.data.bus",
- "auditd.data.old_pe",
- "auditd.data.new-role",
- "auditd.data.prom",
- "auditd.data.uri",
- "auditd.data.audit_enabled",
- "auditd.data.old-log_passwd",
- "auditd.data.old-seuser",
- "auditd.data.per",
- "auditd.data.scontext",
- "auditd.data.tclass",
- "auditd.data.ver",
- "auditd.data.new",
- "auditd.data.val",
- "auditd.data.img-ctx",
- "auditd.data.old-chardev",
- "auditd.data.old_val",
- "auditd.data.success",
- "auditd.data.inode_uid",
- "auditd.data.removed",
- "auditd.data.socket.port",
- "auditd.data.socket.saddr",
- "auditd.data.socket.addr",
- "auditd.data.socket.family",
- "auditd.data.socket.path",
- "geoip.continent_name",
- "geoip.city_name",
- "geoip.region_name",
- "geoip.country_iso_code",
- "hash.blake2b_256",
- "hash.blake2b_384",
- "hash.blake2b_512",
- "hash.md5",
- "hash.sha1",
- "hash.sha224",
- "hash.sha256",
- "hash.sha384",
- "hash.sha3_224",
- "hash.sha3_256",
- "hash.sha3_384",
- "hash.sha3_512",
- "hash.sha512",
- "hash.sha512_224",
- "hash.sha512_256",
- "hash.xxh64",
- "event.origin",
- "user.entity_id",
- "user.terminal",
- "process.entity_id",
- "socket.entity_id",
- "system.audit.host.timezone.name",
- "system.audit.host.hostname",
- "system.audit.host.id",
- "system.audit.host.architecture",
- "system.audit.host.mac",
- "system.audit.host.os.platform",
- "system.audit.host.os.name",
- "system.audit.host.os.family",
- "system.audit.host.os.version",
- "system.audit.host.os.kernel",
- "system.audit.package.entity_id",
- "system.audit.package.name",
- "system.audit.package.version",
- "system.audit.package.release",
- "system.audit.package.arch",
- "system.audit.package.license",
- "system.audit.package.summary",
- "system.audit.package.url",
- "system.audit.user.name",
- "system.audit.user.uid",
- "system.audit.user.gid",
- "system.audit.user.dir",
- "system.audit.user.shell",
- "system.audit.user.user_information",
- "system.audit.user.password.type",
- "fields.*"
- ]
- },
- "refresh_interval": "5s"
- }
- }
- }
-}
diff --git a/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions2/data.json.gz b/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions2/data.json.gz
deleted file mode 100644
index 0fdcb7d783ea6..0000000000000
Binary files a/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions2/data.json.gz and /dev/null differ
diff --git a/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions2/mappings.json b/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions2/mappings.json
deleted file mode 100644
index 4e5c6e9955310..0000000000000
--- a/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions2/mappings.json
+++ /dev/null
@@ -1,3577 +0,0 @@
-{
- "type": "index",
- "value": {
- "aliases": {
- "exceptions-8.0.0": {
- "is_write_index": false
- },
- "beats": {
- },
- "siem-read-alias": {
- }
- },
- "index": "exceptions-8.0.0-2019.08.30-000021",
- "mappings": {
- "_meta": {
- "beat": "auditbeat",
- "version": "8.0.0"
- },
- "date_detection": false,
- "dynamic_templates": [
- {
- "labels": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "labels.*"
- }
- },
- {
- "container.labels": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "container.labels.*"
- }
- },
- {
- "fields": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "fields.*"
- }
- },
- {
- "docker.container.labels": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "docker.container.labels.*"
- }
- },
- {
- "strings_as_keyword": {
- "mapping": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "match_mapping_type": "string"
- }
- }
- ],
- "properties": {
- "@timestamp": {
- "type": "date"
- },
- "agent": {
- "properties": {
- "ephemeral_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "auditd": {
- "properties": {
- "data": {
- "properties": {
- "a0": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "a1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "a2": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "a3": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "a[0-3]": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "acct": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "acl": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "added": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "addr": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "apparmor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "arch": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "argc": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "audit_backlog_limit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "audit_backlog_wait_time": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "audit_enabled": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "audit_failure": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "banners": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bool": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bus": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fver": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_pe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_pi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_pp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "capability": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cgroup": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "changed": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cipher": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "class": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cmd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "compat": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "daddr": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "data": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "default-context": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "device": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dir": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "direction": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dmac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dport": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "enforcing": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "entries": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "exit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fam": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "feature": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "file": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "flags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "format": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fver": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "grantors": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "grp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hook": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "icmp_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "igid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "img-ctx": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "info": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "inif": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ino": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "inode_gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "inode_uid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "invalid_context": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ioctlcmd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ipid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ipx-net": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "items": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "iuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kind": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ksize": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "laddr": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "len": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "list": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "lport": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "macproto": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "maj": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "major": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "minor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "model": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "msg": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nargs": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "net": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-chardev": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-disk": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-enabled": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-fs": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-log_passwd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-mem": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-net": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-range": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-rng": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-role": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-seuser": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new-vcpu": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_lock": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_pe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_pi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_pp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nlnk-fam": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nlnk-grp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nlnk-pid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oauid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_uid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ocomm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oflag": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-auid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-chardev": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-disk": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-enabled": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-fs": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-log_passwd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-mem": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-net": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-range": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-rng": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-role": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-ses": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-seuser": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old-vcpu": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_enforcing": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_lock": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_pa": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_pe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_pi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_pp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_prom": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_val": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "op": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "operation": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "opid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oses": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "outif": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pa": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "parent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "per": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "perm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "perm_mask": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "permissive": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pfs": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "printer": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "profile": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "prom": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "proto": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "qbytes": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "range": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reason": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "removed": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "res": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "resrc": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rport": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sauid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "scontext": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "selected-context": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seperm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seperms": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seqno": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seresult": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ses": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seuser": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sig": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sigev_signo": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "smac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "socket": {
- "properties": {
- "addr": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "saddr": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "spid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sport": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subj": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "success": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "syscall": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "table": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tclass": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tcontext": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "terminal": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tty": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "unit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uri": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "val": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ver": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "virt": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vm-ctx": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vm-pid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "watch": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "message_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "paths": {
- "properties": {
- "cap_fe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fp": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cap_fver": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dev": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "inode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "item": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nametype": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_role": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "obj_user": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "objtype": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ogid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ouid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rdev": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "result": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sequence": {
- "type": "long"
- },
- "session": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "summary": {
- "properties": {
- "actor": {
- "properties": {
- "primary": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "secondary": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "how": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "object": {
- "properties": {
- "primary": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "secondary": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- }
- }
- },
- "client": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packets": {
- "type": "long"
- },
- "port": {
- "type": "long"
- },
- "user": {
- "properties": {
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "cloud": {
- "properties": {
- "account": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "availability_zone": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "instance": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "machine": {
- "properties": {
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "project": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "provider": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "container": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "image": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tag": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "labels": {
- "type": "object"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "runtime": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "destination": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packets": {
- "type": "long"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "type": "long"
- },
- "user": {
- "properties": {
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "docker": {
- "properties": {
- "container": {
- "properties": {
- "labels": {
- "type": "object"
- }
- }
- }
- }
- },
- "ecs": {
- "properties": {
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "error": {
- "properties": {
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "message": {
- "norms": false,
- "type": "text"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "event": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "created": {
- "type": "date"
- },
- "dataset": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "duration": {
- "type": "long"
- },
- "end": {
- "type": "date"
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kind": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "module": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "origin": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "outcome": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "risk_score": {
- "type": "float"
- },
- "risk_score_norm": {
- "type": "float"
- },
- "severity": {
- "type": "long"
- },
- "start": {
- "type": "date"
- },
- "timezone": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "fields": {
- "type": "object"
- },
- "file": {
- "properties": {
- "ctime": {
- "type": "date"
- },
- "device": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "extension": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "inode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mtime": {
- "type": "date"
- },
- "origin": {
- "fields": {
- "raw": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "owner": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "selinux": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "role": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "setgid": {
- "type": "boolean"
- },
- "setuid": {
- "type": "boolean"
- },
- "size": {
- "type": "long"
- },
- "target_path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "flow": {
- "properties": {
- "complete": {
- "type": "boolean"
- },
- "final": {
- "type": "boolean"
- }
- }
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "geoip": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "properties": {
- "blake2b_256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "blake2b_384": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "blake2b_512": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "md5": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha224": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha384": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha3_224": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha3_256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha3_384": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha3_512": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha512": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha512_224": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha512_256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "xxh64": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "host": {
- "properties": {
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "containerized": {
- "type": "boolean"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "build": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "codename": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "properties": {
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "http": {
- "properties": {
- "request": {
- "properties": {
- "body": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "content": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "bytes": {
- "type": "long"
- },
- "method": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "referrer": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "response": {
- "properties": {
- "body": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "content": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "bytes": {
- "type": "long"
- },
- "status_code": {
- "type": "long"
- }
- }
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "jolokia": {
- "properties": {
- "agent": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "secured": {
- "type": "boolean"
- },
- "server": {
- "properties": {
- "product": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vendor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "url": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "kubernetes": {
- "properties": {
- "annotations": {
- "type": "object"
- },
- "container": {
- "properties": {
- "image": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "deployment": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "labels": {
- "type": "object"
- },
- "namespace": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "node": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "pod": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "replicaset": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "statefulset": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "labels": {
- "type": "object"
- },
- "log": {
- "properties": {
- "level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "message": {
- "norms": false,
- "type": "text"
- },
- "network": {
- "properties": {
- "application": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes": {
- "type": "long"
- },
- "community_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "direction": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "forwarded_ip": {
- "type": "ip"
- },
- "iana_number": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packets": {
- "type": "long"
- },
- "protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "transport": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "observer": {
- "properties": {
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "serial_number": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vendor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "organization": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "os": {
- "properties": {
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "process": {
- "properties": {
- "args": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "created": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "entity_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "executable": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hash": {
- "properties": {
- "sha1": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pid": {
- "type": "long"
- },
- "ppid": {
- "type": "long"
- },
- "start": {
- "type": "date"
- },
- "thread": {
- "properties": {
- "id": {
- "type": "long"
- }
- }
- },
- "title": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "working_directory": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "related": {
- "properties": {
- "ip": {
- "type": "ip"
- }
- }
- },
- "server": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packets": {
- "type": "long"
- },
- "port": {
- "type": "long"
- },
- "user": {
- "properties": {
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "service": {
- "properties": {
- "ephemeral_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "socket": {
- "properties": {
- "entity_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "source": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packets": {
- "type": "long"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "type": "long"
- },
- "user": {
- "properties": {
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "system": {
- "properties": {
- "audit": {
- "properties": {
- "host": {
- "properties": {
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "boottime": {
- "type": "date"
- },
- "containerized": {
- "type": "boolean"
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "codename": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "timezone": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "offset": {
- "properties": {
- "sec": {
- "type": "long"
- }
- }
- }
- }
- },
- "uptime": {
- "type": "long"
- }
- }
- },
- "newsocket": {
- "properties": {
- "egid": {
- "type": "long"
- },
- "euid": {
- "type": "long"
- },
- "gid": {
- "type": "long"
- },
- "internal_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel_sock_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "type": "long"
- }
- }
- },
- "package": {
- "properties": {
- "arch": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "entity_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "installtime": {
- "type": "date"
- },
- "license": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "release": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "size": {
- "type": "long"
- },
- "summary": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "url": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "socket": {
- "properties": {
- "egid": {
- "type": "long"
- },
- "euid": {
- "type": "long"
- },
- "gid": {
- "type": "long"
- },
- "internal_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel_sock_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "type": "long"
- }
- }
- },
- "user": {
- "properties": {
- "dir": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "password": {
- "properties": {
- "last_changed": {
- "type": "date"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "shell": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user_information": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- }
- }
- },
- "tags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "url": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fragment": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "password": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "type": "long"
- },
- "query": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "scheme": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "username": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "user": {
- "properties": {
- "audit": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "effective": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "entity_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "filesystem": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name_map": {
- "type": "object"
- },
- "saved": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "selinux": {
- "properties": {
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "role": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "terminal": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "user_agent": {
- "properties": {
- "device": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "settings": {
- "index": {
- "lifecycle": {
- "indexing_complete": "true",
- "name": "auditbeat-8.0.0",
- "rollover_alias": "auditbeat-8.0.0"
- },
- "mapping": {
- "total_fields": {
- "limit": "10000"
- }
- },
- "number_of_replicas": "0",
- "number_of_shards": "1",
- "query": {
- "default_field": [
- "message",
- "tags",
- "agent.ephemeral_id",
- "agent.id",
- "agent.name",
- "agent.type",
- "agent.version",
- "client.address",
- "client.domain",
- "client.geo.city_name",
- "client.geo.continent_name",
- "client.geo.country_iso_code",
- "client.geo.country_name",
- "client.geo.name",
- "client.geo.region_iso_code",
- "client.geo.region_name",
- "client.mac",
- "client.user.email",
- "client.user.full_name",
- "client.user.group.id",
- "client.user.group.name",
- "client.user.hash",
- "client.user.id",
- "client.user.name",
- "cloud.account.id",
- "cloud.availability_zone",
- "cloud.instance.id",
- "cloud.instance.name",
- "cloud.machine.type",
- "cloud.provider",
- "cloud.region",
- "container.id",
- "container.image.name",
- "container.image.tag",
- "container.name",
- "container.runtime",
- "destination.address",
- "destination.domain",
- "destination.geo.city_name",
- "destination.geo.continent_name",
- "destination.geo.country_iso_code",
- "destination.geo.country_name",
- "destination.geo.name",
- "destination.geo.region_iso_code",
- "destination.geo.region_name",
- "destination.mac",
- "destination.user.email",
- "destination.user.full_name",
- "destination.user.group.id",
- "destination.user.group.name",
- "destination.user.hash",
- "destination.user.id",
- "destination.user.name",
- "ecs.version",
- "error.code",
- "error.id",
- "error.message",
- "event.action",
- "event.category",
- "event.dataset",
- "event.hash",
- "event.id",
- "event.kind",
- "event.module",
- "event.original",
- "event.outcome",
- "event.timezone",
- "event.type",
- "file.device",
- "file.extension",
- "file.gid",
- "file.group",
- "file.inode",
- "file.mode",
- "file.owner",
- "file.path",
- "file.target_path",
- "file.type",
- "file.uid",
- "geo.city_name",
- "geo.continent_name",
- "geo.country_iso_code",
- "geo.country_name",
- "geo.name",
- "geo.region_iso_code",
- "geo.region_name",
- "group.id",
- "group.name",
- "host.architecture",
- "host.geo.city_name",
- "host.geo.continent_name",
- "host.geo.country_iso_code",
- "host.geo.country_name",
- "host.geo.name",
- "host.geo.region_iso_code",
- "host.geo.region_name",
- "host.hostname",
- "host.id",
- "host.mac",
- "host.name",
- "host.os.family",
- "host.os.full",
- "host.os.kernel",
- "host.os.name",
- "host.os.platform",
- "host.os.version",
- "host.type",
- "host.user.email",
- "host.user.full_name",
- "host.user.group.id",
- "host.user.group.name",
- "host.user.hash",
- "host.user.id",
- "host.user.name",
- "http.request.body.content",
- "http.request.method",
- "http.request.referrer",
- "http.response.body.content",
- "http.version",
- "log.level",
- "log.original",
- "network.application",
- "network.community_id",
- "network.direction",
- "network.iana_number",
- "network.name",
- "network.protocol",
- "network.transport",
- "network.type",
- "observer.geo.city_name",
- "observer.geo.continent_name",
- "observer.geo.country_iso_code",
- "observer.geo.country_name",
- "observer.geo.name",
- "observer.geo.region_iso_code",
- "observer.geo.region_name",
- "observer.hostname",
- "observer.mac",
- "observer.os.family",
- "observer.os.full",
- "observer.os.kernel",
- "observer.os.name",
- "observer.os.platform",
- "observer.os.version",
- "observer.serial_number",
- "observer.type",
- "observer.vendor",
- "observer.version",
- "organization.id",
- "organization.name",
- "os.family",
- "os.full",
- "os.kernel",
- "os.name",
- "os.platform",
- "os.version",
- "process.args",
- "process.executable",
- "process.name",
- "process.title",
- "process.working_directory",
- "server.address",
- "server.domain",
- "server.geo.city_name",
- "server.geo.continent_name",
- "server.geo.country_iso_code",
- "server.geo.country_name",
- "server.geo.name",
- "server.geo.region_iso_code",
- "server.geo.region_name",
- "server.mac",
- "server.user.email",
- "server.user.full_name",
- "server.user.group.id",
- "server.user.group.name",
- "server.user.hash",
- "server.user.id",
- "server.user.name",
- "service.ephemeral_id",
- "service.id",
- "service.name",
- "service.state",
- "service.type",
- "service.version",
- "source.address",
- "source.domain",
- "source.geo.city_name",
- "source.geo.continent_name",
- "source.geo.country_iso_code",
- "source.geo.country_name",
- "source.geo.name",
- "source.geo.region_iso_code",
- "source.geo.region_name",
- "source.mac",
- "source.user.email",
- "source.user.full_name",
- "source.user.group.id",
- "source.user.group.name",
- "source.user.hash",
- "source.user.id",
- "source.user.name",
- "url.domain",
- "url.fragment",
- "url.full",
- "url.original",
- "url.password",
- "url.path",
- "url.query",
- "url.scheme",
- "url.username",
- "user.email",
- "user.full_name",
- "user.group.id",
- "user.group.name",
- "user.hash",
- "user.id",
- "user.name",
- "user_agent.device.name",
- "user_agent.name",
- "user_agent.original",
- "user_agent.os.family",
- "user_agent.os.full",
- "user_agent.os.kernel",
- "user_agent.os.name",
- "user_agent.os.platform",
- "user_agent.os.version",
- "user_agent.version",
- "agent.hostname",
- "error.type",
- "cloud.project.id",
- "host.os.build",
- "kubernetes.pod.name",
- "kubernetes.pod.uid",
- "kubernetes.namespace",
- "kubernetes.node.name",
- "kubernetes.replicaset.name",
- "kubernetes.deployment.name",
- "kubernetes.statefulset.name",
- "kubernetes.container.name",
- "kubernetes.container.image",
- "jolokia.agent.version",
- "jolokia.agent.id",
- "jolokia.server.product",
- "jolokia.server.version",
- "jolokia.server.vendor",
- "jolokia.url",
- "raw",
- "file.origin",
- "file.selinux.user",
- "file.selinux.role",
- "file.selinux.domain",
- "file.selinux.level",
- "user.audit.id",
- "user.audit.name",
- "user.effective.id",
- "user.effective.name",
- "user.effective.group.id",
- "user.effective.group.name",
- "user.filesystem.id",
- "user.filesystem.name",
- "user.filesystem.group.id",
- "user.filesystem.group.name",
- "user.saved.id",
- "user.saved.name",
- "user.saved.group.id",
- "user.saved.group.name",
- "user.selinux.user",
- "user.selinux.role",
- "user.selinux.domain",
- "user.selinux.level",
- "user.selinux.category",
- "source.path",
- "destination.path",
- "auditd.message_type",
- "auditd.session",
- "auditd.result",
- "auditd.summary.actor.primary",
- "auditd.summary.actor.secondary",
- "auditd.summary.object.type",
- "auditd.summary.object.primary",
- "auditd.summary.object.secondary",
- "auditd.summary.how",
- "auditd.paths.inode",
- "auditd.paths.dev",
- "auditd.paths.obj_user",
- "auditd.paths.obj_role",
- "auditd.paths.obj_domain",
- "auditd.paths.obj_level",
- "auditd.paths.objtype",
- "auditd.paths.ouid",
- "auditd.paths.rdev",
- "auditd.paths.nametype",
- "auditd.paths.ogid",
- "auditd.paths.item",
- "auditd.paths.mode",
- "auditd.paths.name",
- "auditd.data.action",
- "auditd.data.minor",
- "auditd.data.acct",
- "auditd.data.addr",
- "auditd.data.cipher",
- "auditd.data.id",
- "auditd.data.entries",
- "auditd.data.kind",
- "auditd.data.ksize",
- "auditd.data.spid",
- "auditd.data.arch",
- "auditd.data.argc",
- "auditd.data.major",
- "auditd.data.unit",
- "auditd.data.table",
- "auditd.data.terminal",
- "auditd.data.grantors",
- "auditd.data.direction",
- "auditd.data.op",
- "auditd.data.tty",
- "auditd.data.syscall",
- "auditd.data.data",
- "auditd.data.family",
- "auditd.data.mac",
- "auditd.data.pfs",
- "auditd.data.items",
- "auditd.data.a0",
- "auditd.data.a1",
- "auditd.data.a2",
- "auditd.data.a3",
- "auditd.data.hostname",
- "auditd.data.lport",
- "auditd.data.rport",
- "auditd.data.exit",
- "auditd.data.fp",
- "auditd.data.laddr",
- "auditd.data.sport",
- "auditd.data.capability",
- "auditd.data.nargs",
- "auditd.data.new-enabled",
- "auditd.data.audit_backlog_limit",
- "auditd.data.dir",
- "auditd.data.cap_pe",
- "auditd.data.model",
- "auditd.data.new_pp",
- "auditd.data.old-enabled",
- "auditd.data.oauid",
- "auditd.data.old",
- "auditd.data.banners",
- "auditd.data.feature",
- "auditd.data.vm-ctx",
- "auditd.data.opid",
- "auditd.data.seperms",
- "auditd.data.seresult",
- "auditd.data.new-rng",
- "auditd.data.old-net",
- "auditd.data.sigev_signo",
- "auditd.data.ino",
- "auditd.data.old_enforcing",
- "auditd.data.old-vcpu",
- "auditd.data.range",
- "auditd.data.res",
- "auditd.data.added",
- "auditd.data.fam",
- "auditd.data.nlnk-pid",
- "auditd.data.subj",
- "auditd.data.a[0-3]",
- "auditd.data.cgroup",
- "auditd.data.kernel",
- "auditd.data.ocomm",
- "auditd.data.new-net",
- "auditd.data.permissive",
- "auditd.data.class",
- "auditd.data.compat",
- "auditd.data.fi",
- "auditd.data.changed",
- "auditd.data.msg",
- "auditd.data.dport",
- "auditd.data.new-seuser",
- "auditd.data.invalid_context",
- "auditd.data.dmac",
- "auditd.data.ipx-net",
- "auditd.data.iuid",
- "auditd.data.macproto",
- "auditd.data.obj",
- "auditd.data.ipid",
- "auditd.data.new-fs",
- "auditd.data.vm-pid",
- "auditd.data.cap_pi",
- "auditd.data.old-auid",
- "auditd.data.oses",
- "auditd.data.fd",
- "auditd.data.igid",
- "auditd.data.new-disk",
- "auditd.data.parent",
- "auditd.data.len",
- "auditd.data.oflag",
- "auditd.data.uuid",
- "auditd.data.code",
- "auditd.data.nlnk-grp",
- "auditd.data.cap_fp",
- "auditd.data.new-mem",
- "auditd.data.seperm",
- "auditd.data.enforcing",
- "auditd.data.new-chardev",
- "auditd.data.old-rng",
- "auditd.data.outif",
- "auditd.data.cmd",
- "auditd.data.hook",
- "auditd.data.new-level",
- "auditd.data.sauid",
- "auditd.data.sig",
- "auditd.data.audit_backlog_wait_time",
- "auditd.data.printer",
- "auditd.data.old-mem",
- "auditd.data.perm",
- "auditd.data.old_pi",
- "auditd.data.state",
- "auditd.data.format",
- "auditd.data.new_gid",
- "auditd.data.tcontext",
- "auditd.data.maj",
- "auditd.data.watch",
- "auditd.data.device",
- "auditd.data.grp",
- "auditd.data.bool",
- "auditd.data.icmp_type",
- "auditd.data.new_lock",
- "auditd.data.old_prom",
- "auditd.data.acl",
- "auditd.data.ip",
- "auditd.data.new_pi",
- "auditd.data.default-context",
- "auditd.data.inode_gid",
- "auditd.data.new-log_passwd",
- "auditd.data.new_pe",
- "auditd.data.selected-context",
- "auditd.data.cap_fver",
- "auditd.data.file",
- "auditd.data.net",
- "auditd.data.virt",
- "auditd.data.cap_pp",
- "auditd.data.old-range",
- "auditd.data.resrc",
- "auditd.data.new-range",
- "auditd.data.obj_gid",
- "auditd.data.proto",
- "auditd.data.old-disk",
- "auditd.data.audit_failure",
- "auditd.data.inif",
- "auditd.data.vm",
- "auditd.data.flags",
- "auditd.data.nlnk-fam",
- "auditd.data.old-fs",
- "auditd.data.old-ses",
- "auditd.data.seqno",
- "auditd.data.fver",
- "auditd.data.qbytes",
- "auditd.data.seuser",
- "auditd.data.cap_fe",
- "auditd.data.new-vcpu",
- "auditd.data.old-level",
- "auditd.data.old_pp",
- "auditd.data.daddr",
- "auditd.data.old-role",
- "auditd.data.ioctlcmd",
- "auditd.data.smac",
- "auditd.data.apparmor",
- "auditd.data.fe",
- "auditd.data.perm_mask",
- "auditd.data.ses",
- "auditd.data.cap_fi",
- "auditd.data.obj_uid",
- "auditd.data.reason",
- "auditd.data.list",
- "auditd.data.old_lock",
- "auditd.data.bus",
- "auditd.data.old_pe",
- "auditd.data.new-role",
- "auditd.data.prom",
- "auditd.data.uri",
- "auditd.data.audit_enabled",
- "auditd.data.old-log_passwd",
- "auditd.data.old-seuser",
- "auditd.data.per",
- "auditd.data.scontext",
- "auditd.data.tclass",
- "auditd.data.ver",
- "auditd.data.new",
- "auditd.data.val",
- "auditd.data.img-ctx",
- "auditd.data.old-chardev",
- "auditd.data.old_val",
- "auditd.data.success",
- "auditd.data.inode_uid",
- "auditd.data.removed",
- "auditd.data.socket.port",
- "auditd.data.socket.saddr",
- "auditd.data.socket.addr",
- "auditd.data.socket.family",
- "auditd.data.socket.path",
- "geoip.continent_name",
- "geoip.city_name",
- "geoip.region_name",
- "geoip.country_iso_code",
- "hash.blake2b_256",
- "hash.blake2b_384",
- "hash.blake2b_512",
- "hash.md5",
- "hash.sha1",
- "hash.sha224",
- "hash.sha256",
- "hash.sha384",
- "hash.sha3_224",
- "hash.sha3_256",
- "hash.sha3_384",
- "hash.sha3_512",
- "hash.sha512",
- "hash.sha512_224",
- "hash.sha512_256",
- "hash.xxh64",
- "event.origin",
- "user.entity_id",
- "user.terminal",
- "process.entity_id",
- "socket.entity_id",
- "system.audit.host.timezone.name",
- "system.audit.host.hostname",
- "system.audit.host.id",
- "system.audit.host.architecture",
- "system.audit.host.mac",
- "system.audit.host.os.platform",
- "system.audit.host.os.name",
- "system.audit.host.os.family",
- "system.audit.host.os.version",
- "system.audit.host.os.kernel",
- "system.audit.package.entity_id",
- "system.audit.package.name",
- "system.audit.package.version",
- "system.audit.package.release",
- "system.audit.package.arch",
- "system.audit.package.license",
- "system.audit.package.summary",
- "system.audit.package.url",
- "system.audit.user.name",
- "system.audit.user.uid",
- "system.audit.user.gid",
- "system.audit.user.dir",
- "system.audit.user.shell",
- "system.audit.user.user_information",
- "system.audit.user.password.type",
- "fields.*"
- ]
- },
- "refresh_interval": "5s"
- }
- }
- }
-}
diff --git a/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions3/data.json.gz b/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions3/data.json.gz
deleted file mode 100644
index b378aa64d5ec8..0000000000000
Binary files a/x-pack/test/security_solution_cypress/es_archives/auditbeat_for_exceptions3/data.json.gz and /dev/null differ
diff --git a/x-pack/test/security_solution_cypress/es_archives/exceptions/data.json b/x-pack/test/security_solution_cypress/es_archives/exceptions/data.json
index bc3c1c302c685..f8152c27084df 100644
--- a/x-pack/test/security_solution_cypress/es_archives/exceptions/data.json
+++ b/x-pack/test/security_solution_cypress/es_archives/exceptions/data.json
@@ -6,7 +6,7 @@
"source": {
"@timestamp": "2019-09-01T00:41:06.527Z",
"agent": {
- "name": "bond"
+ "name": "foo"
},
"unique_value": {
"test": "test field"
diff --git a/x-pack/test/security_solution_cypress/es_archives/exceptions_2/data.json b/x-pack/test/security_solution_cypress/es_archives/exceptions_2/data.json
new file mode 100644
index 0000000000000..ae2e267abc7cf
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/es_archives/exceptions_2/data.json
@@ -0,0 +1,26 @@
+{
+ "type": "doc",
+ "value": {
+ "id": "_aZE5nwBOpWiDweSth_E",
+ "index": "exceptions-0001",
+ "source": {
+ "@timestamp": "2019-09-02T00:41:06.527Z",
+ "agent": {
+ "name": "foo"
+ },
+ "unique_value": {
+ "test": "test field 2"
+ },
+ "user" : [
+ {
+ "name" : "foo",
+ "id" : "123"
+ },
+ {
+ "name" : "bar",
+ "id" : "456"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
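Review bot: The new fixture is written without a trailing newline (the `\ No newline at end of file` marker), and the `user` array uses `"name" : "foo"` / `"id" : "123"` spacing that differs from the `"key": value` form used in the rest of this file and in the sibling exceptions/data.json fixture. Running the file through a JSON formatter before commit would keep the two archives uniform and avoid a spurious whitespace-only diff the next time either is touched.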
diff --git a/x-pack/test/security_solution_cypress/es_archives/exceptions_2/mappings.json b/x-pack/test/security_solution_cypress/es_archives/exceptions_2/mappings.json
new file mode 100644
index 0000000000000..3b5cc2dae545c
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/es_archives/exceptions_2/mappings.json
@@ -0,0 +1,50 @@
+{
+ "type": "index",
+ "value": {
+ "aliases": {
+ "exceptions": {
+ "is_write_index": false
+ }
+ },
+ "settings": {
+ "index": {
+ "refresh_interval": "5s"
+ }
+ },
+ "index": "exceptions-0001",
+ "mappings": {
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "agent": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "unique_value": {
+ "properties": {
+ "test": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "user": {
+ "type": "nested",
+ "properties": {
+ "first": {
+ "type": "keyword"
+ },
+ "last": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
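Review bot: The nested `user` mapping at the end of this hunk declares `first` and `last`, but the document added in exceptions_2/data.json (the previous hunk) populates `user` with `name` and `id`, so the declared sub-fields are never filled and the ones the data actually carries are left to dynamic mapping. With dynamic mapping at its default, `user.name` and `user.id` would presumably be detected as text rather than the explicit `keyword` used for `agent.name` and `unique_value.test` in this same mapping, which can change how an exception item on `user.name` matches against the nested document. Declaring the fields the fixture really contains — `"name": { "type": "keyword" }` and `"id": { "type": "keyword" }` in place of `first`/`last` — keeps the two new files consistent with each other.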