From 44d0a2af5bf4cfe7833c7bc81e613fd8129e81b4 Mon Sep 17 00:00:00 2001
From: Madison Caldwell
Date: Fri, 30 Jul 2021 13:55:54 -0400
Subject: [PATCH] Mapping updates

---
 .../common/assets/field_maps/ecs_field_map.ts | 5 ++
 .../rule_types/field_maps/alerts.ts | 59 ++++++++++++++++++-
 2 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts
index 7ed76328ba919..ff81e05851f7e 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts
@@ -660,6 +660,11 @@ export const ecsFieldMap = {
 array: false,
 required: false,
 },
+ 'event.agent_id_status': {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
 'event.category': {
 type: 'keyword',
 array: true,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts
index dea987df674cf..bcfe967c96f3a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts
@@ -51,13 +51,18 @@ export const alertsFieldMap: FieldMap = {
 'kibana.alert.original_event.agent_id_status': {
 type: 'keyword',
 array: false,
- required: true,
+ required: false,
 },
 'kibana.alert.original_event.category': {
 type: 'keyword',
 array: true,
 required: true,
 },
+ 'kibana.alert.original_event.code': {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
 'kibana.alert.original_event.created': {
 type: 'date',
 array: false,
@@ -73,6 +78,16 @@ export const alertsFieldMap: FieldMap = {
 array: false,
 required: false,
 },
+ 'kibana.alert.original_event.end': {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ 'kibana.alert.original_event.hash': {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
 'kibana.alert.original_event.id': {
 type: 'keyword',
 array: false,
@@ -94,7 +109,7 @@ export const alertsFieldMap: FieldMap = {
 required: true,
 },
 'kibana.alert.original_event.original': {
- type: 'text',
+ type: 'keyword',
 array: false,
 required: true,
 },
@@ -103,16 +118,56 @@ export const alertsFieldMap: FieldMap = {
 array: false,
 required: true,
 },
+ 'kibana.alert.original_event.provider': {
+ type: 'keyword',
+ array: false,
+ required: true,
+ },
+ 'kibana.alert.original_event.reason': {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ 'kibana.alert.original_event.reference': {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
+ 'kibana.alert.original_event.risk_score': {
+ type: 'float',
+ array: false,
+ required: false,
+ },
+ 'kibana.alert.original_event.risk_score_norm': {
+ type: 'float',
+ array: false,
+ required: false,
+ },
 'kibana.alert.original_event.sequence': {
 type: 'long',
 array: false,
 required: true,
 },
+ 'kibana.alert.original_event.start': {
+ type: 'date',
+ array: false,
+ required: false,
+ },
+ 'kibana.alert.original_event.timezone': {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
 'kibana.alert.original_event.type': {
 type: 'keyword',
 array: true,
 required: true,
 },
+ 'kibana.alert.original_event.url': {
+ type: 'keyword',
+ array: false,
+ required: false,
+ },
 'kibana.alert.original_time': {
 type: 'date',
 array: false,
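Review bot: Switching 'kibana.alert.original_event.original' from text to keyword (hunk @@ -94,7 +109,7 @@) indexes the whole raw event as a single term, and a keyword field with no length limit makes Elasticsearch reject the entire alert document when that value exceeds the per-term size limit; raw event payloads copied from event.original can plausibly be that large. ECS itself maps event.original as keyword but unindexed, so if a FieldMap entry can carry extra mapping options the entry should set `index: false` (or at minimum an `ignore_above`), and if it cannot, the limitation deserves a comment on the entry such as `// keyword indexes the full raw event; oversized values will fail indexing of the alert`. The alertsFieldMap object literal starts and ends outside this hunk.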
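Review bot: In hunk @@ -103,16 +118,56 @@ 'kibana.alert.original_event.provider' is the only new entry marked `required: true`, while every sibling added in the same commit (reason, reference, risk_score, risk_score_norm, start, timezone, url) is `required: false`. ECS treats event.provider as an extended, optional field, so source events will not reliably carry it, and a required flag here presumably forces every copied alert to supply a value (confirm how FieldMap consumers enforce `required`). Unless the requirement is deliberate, `required: false,` on that entry would match the other additions; if it is deliberate, a one-line comment stating why provider must always be present would prevent the next reader from "fixing" it.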